October 1st ushers in a significant shift for merchants, banks, and consumers. It is deadline day for merchants in the United States to switch to EMV technology. EMV stands for Europay, MasterCard, and Visa, the three companies that created the EMV consortium in 1994 to develop new technologies to counteract payment card fraud.
With this deadline, consumers are expected to receive credit cards that contain an embedded chip in addition to the magnetic stripe typically found in the back of the card. The deadline also bears significance for liabilities. After deadline day, merchants who don’t support EMV payments will be liable for fraud that occurs at point-of-sale (PoS) terminals. Gas stations have until 2016 to make the switch.
EMV versus regular credit cards
EMV or Chip-and-PIN credit cards are widely used in Canada, Mexico, South America, Europe, and Asia. Unlike the rest of the world who uses Chip-and-PIN cards, the US has primarily relied on magnetic stripe credit cards. But what is the difference between these two?
Magnetic stripe cards (as the name implies) contain a magnetic stripe at the back of the card. This stripe stores data on three tracks. Track 1 contains bank information such as account number and the holder’s name. Track 2 contains account information plus a Card Verification Value (PIN) number, and Track 3 is generally not used. The data found in the magnetic stripe is static, which makes it easy for criminals to skim the information off the card.
EMV cards, on the other hand, store encrypted Tracks 1 and 2 data on the chip. Additionally, the chip stores a cryptogram that allows the banks to determine if the card or the transaction has been modified. The chip also stores a counter that gets incremented with each transaction; a duplicate counter value or skipped counter value indicates potential fraudulent activities.
EMV: better security?
The move to EMV credit cards is a step towards better security. EMV credit cards make it harder for criminals to physically counterfeit the cards. A unique transaction code is created each time a payment is made and compromised transaction codes cannot be used to make fraudulent purchases. NBC’s article aptly puts it as, using an expired password to login to an account.
But while the move to EMV is a positive step, it doesn’t address all the issues regarding credit card security. The EMV chip-on-card makes it extremely difficult for criminals to create counterfeit credit cards using stolen data thus reducing counterfeit and lost or stolen card fraud. The reality is EMV credit cards cannot prevent PoS RAM Scraper attacks. EMV was developed to prevent credit card counterfeiting and not RAM scraping. If the EMV credit card’s Tracks 1 and 2 data are sent to the PoS system for processing, it will become susceptible to RAM scraper attacks because the decrypted data resides in RAM.
While a fixed deadline has been set, experts aren’t too optimistic about the speed of implementation. There are reports that there are 12 million card readers in the US that need to be converted, but only half have made the change. Furthermore, the implementation can be hindered by the cost. For affected industries implementation costs can reach up to several billion dollars.
Consumers are also unprepared for the change. A survey from ACI Worldwide revealed that nearly three in five consumers haven’t received a new chip-enabled card. 67% of consumers have not received information about what EMV is and how it will impact them. Furthermore, only a third were aware that the US was adopting EMV credit cards.
Going beyond EMV
Beyond EMV, there are other existing payment technologies that could soon gain popularity. Examples of these would include mobile wallets, cloud based PoS systems, and contactless RFID credit cards.
These payment technologies each have their pros and cons, especially when from a security perspective. Our series of research articles, Next-Generation Payment Technologies, takes a look at some of the new and next-generation payment technologies being deployed that aim to make transaction processing fast and secure.