Direct News from Direct

I found this article at money.usnews.com that talks about the EMV issue in greater detail.

Coming Next Fall: More Chip and PIN Cards in the U.S.

When fraud liability shifts to merchants next October, expect more EMV cards and new payment terminals.

Starting next October, payment terminals will likely be required to accept chip-based cards.

By Susan Johnston Oct. 28, 2014 | 9:21 a.m. EDT + More

Americans traveling in other parts of the world are sometimes bewildered to discover that their debit or credit cards don’t work at automated kiosks that use new chip and PIN technology rather than magnetic stripes. (The technology is also referred to as EMV, which stands for Europay, MasterCard and Visa, the three card brands that created the chip in Europe and Canada.)

EMV cards have been the standard in Canada, Europe and other parts of the world for several years now, but they’re not as widely used in the U.S. That’s likely to change next October, when liability for fraud shifts from U.S. card issuers to merchants if merchants don’t upgrade their payment terminals to properly accept chip-based cards. (Some smaller merchants may be slow to adopt the new technology if they feel it’s less expensive to assume the fraud risk than update their payment terminals.) President Barack Obama also recently signed an executive order to embed this technology in all government-issued credit and debit cards.

Instead of swiping a magnetic stripe, consumers insert their EMV card into a payment terminal until the transaction is completed. This reduces the risk of fraud for in-person transactions. “Magnetic stripes contain data that is simply read by a swipe terminal as the card passes through, similar to reading a very short piece of a VCR or tape cassette,” explains Chris Camejo, director of assessment services for NTT Com Security, an information security and risk management company. “The data on a magnetic stripe can also be overwritten, just like a tape cassette. The devices to rewrite magnetic stripes can be bought online for a few hundred dollars, so it makes cloning cards cheap and easy.”

Chip-based cards also contain cryptographic keys, Camejo adds. “Rather than just reading data off of the card, the terminal sends transaction data to the chip, which processes it with the cryptographic keys and then returns the data to the terminal.” Cloning these cards is much more expensive and complicated, so fraudsters tend to exploit the lower-paying fruit, like older magnetic stripe cards.

Chip and PIN cards also require a second authentication factor: the customer’s personal identification number. “This means that an attacker who just steals the card number can’t use it unless he manages to get the PIN as well,” Camejo says. “Theoretically, our current magnetic stripe cards have a second authentication factor as well – the signature – but those signatures are rarely subjected to much scrutiny, especially in the age of self-checkout lanes.”

As U.S. customer cards expire, some banks and financial institutions have already begun replacing the old magnetic stripe cards with chip-based cards. (The cards also have a magnetic stripe as a back-up option in case you visit a country or a merchant that doesn’t accept chip-based cards.) Often, though, these are chip and sign cards rather than chip and PIN cards. “These have the anti-cloning benefits of the chip but lose the strong second authentication factor of the PIN,” Camejo says. “These cards can also be very difficult to use at automated kiosks in European countries that utilize chip and PIN almost exclusively.”

Nick Clements, a former banker and co-founder of MagnifyMoney.com, a comparison website for financial products, predicts that while chip and sign cards are the first wave of chip-based cards in the U.S., issuers will eventually shift to cards that require a PIN. “Card issuers don’t have to issue the chips, but they very much want to, because it’s better for security and consumers want it more and more,” he says. As countries shifted to chip and PIN cards, he adds, their fraud losses decreased. “The United States right now is really the weakest from a fraud protection standpoint,” he says.

If PINs become de rigueur, restaurants will need to adopt the portable card readers used in Canada and Europe so patrons can pay their bill at the table rather than handing over their credit cards – a move Clements feels will ultimately benefit consumers. “It’s shocking how often you give your credit card in a restaurant,” he says, “but this way, you never lose sight of your card.”

 

If chip and PIN cards are more secure than magnetic stripe cards, why aren’t they more common in the U.S.?

Cost is a major concern for card issuers and merchants. “EMV cards are significantly more expensive to manufacture than traditional magnetic stripe cards, which may explain why many banks are still not offering them despite the fact that the credit card brands are expecting them to be fully deployed by October of 2015,” says Dave Oder, president and CEO of Shift4, an independent payment gateway. In fact, TSYS Acquiring Solutions, which offers payments solutions to financial institutions and businesses, estimates that replacing magnetic stripe cards will cost issuers $3 billion, and merchants will collectively spend $2.5 billion to replace their payment terminals.

And even after issuers and merchants pay billions of dollars to transition to the newer technology, it’s not a cure-all for fraud. “It will likely reduce instances of card-present fraud because it makes it much more difficult – though not impossible – to use duplicated cards,” Oder says. “Will it stop breaches like the ones we’ve been plagued by recently? Absolutely not.” Chip and PIN cards can help prevent fraud for in-person purchases, but they don’t prevent fraudulent purchases online. E-commerce is a multitrillion dollar business, and growing, so merchants and card issuers will need to find other ways to address that issue.

As Clements sums up EMV technology, “it’s not invincible, but it’s better than a magnetic stripe.”