How EMV hopes to chip away at fraud
For nearly 15 years, the United States was the lone major economic holdout in making the switch from magnetic stripe systems to chip cards. But now that it’s finally investing in—and rolling out—the necessary technology, it might be a little beside the point in confronting today’s biggest fraud risks.
Developed in 1994, EMV—which stands for Europay, MasterCard, and Visa—became the global standard for cards equipped with computer chips and the technology used to authenticate chip-card transactions. EMV became widely available in the early 2000s, and that’s when many European countries started using it.
Of course, those countries’ need for EMV was acute. Before the switch, merchants in Europe used batch processing and stored card transactions at the point-of-sale terminal, mostly because the telecommunications infrastructure was too slow to pass on information in real time. This meant that there was no instant, online mechanism to authorize payments, thereby giving criminals ample opportunity to commit lost or stolen card fraud at the POS level. The introduction of EMV thwarted such attacks, because now cardholders had to enter PINs, which were linked to their individual cards. The POS would read the chip data to authorize the purchase. It wasn’t necessary to connect with the card-issuing bank, so an update of the telecommunications system wasn’t necessary, either.
The United States, on the other hand, has always had “real-time transactions,” meaning that merchants immediately send off credit card information to the issuer for verification. The idea was to eliminate any risk at the POS system.
What’s more, the U.S. market is larger than all of Europe’s payments markets combined. And with more than 1.2 billion cards on the market and 12 million POS terminals, the complexity and cost of an upgrade are considerable—by some estimates, around $4 billion. New chip cards can cost $4 each, compared to less than $0.50 for magnetic stripe cards, and new card readers can cost hundreds of dollars, compared with less than $100 for the old version.
“The reason we’ve lagged behind is because we were ahead,” Georgetown law professor Adam Levitin told The New Republic. “Everyone else had to upgrade, while our card system networks were making money.”
For a long time, in other words, the United States’ payment problems just weren’t bad enough to warrant such an upgrade. There were no regulations in place mandating swift change, which led to an elaborate game of finger-pointing between merchants and banks. But in the wake of large-scale data breaches and rising rates of card fraud—in 2014, counterfeit, lost, or stolen card costs reached $3.8 billion—U.S. card issuers are finally making the move. Nearly half of all card losses in 2012 occurred in the U.S., according to the trade journal the Nilson Report.
“Like Willie Sutton says, bank robbers go where the money is,” Levitin said, referring to the prolific criminal. “Fraud will always find the weakest link. Now that the rest of the world has gone to chip-and-PIN, we’re the weakest link.”
What makes chips more secure?
The magnetic stripes on traditional credit and debit cards store unchanging data. Whoever accesses that data gains the sensitive card and cardholder information necessary to make purchases.
If someone copies a magnetic stripe, they can easily replicate that data over and over again because it’s static information.
Hackers can use card skimmers to read a card's magnetic stripe or they can penetrate retailers' corporate information systems to copy card numbers, as they have recently with Target, Home Depot, Neiman Marcus, and many others.
Data contained in EMV cards, on the other hand, is dynamic. Each time an EMV card is used for payment, the card chip—a microprocessor—validates the authenticity of the card and creates a unique security code that cannot be used for another transaction.
If a hacker stole the chip information from one specific point of sale, typical card duplication wouldn’t work. While EMV technology won’t prevent data breaches, it will make them much harder. And when it comes to managing fraud, making things harder is usually the goal. After all, fraud is a game of least resistance: If something is difficult, time-consuming, or expensive enough, fraudsters will move on to something else. That’s why fraud moved from Europe to the United States over the years, and will now, hopefully, start to decline here, too.
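An added example, not part of the original article: a simplified Python model of why copied chip data fails where copied stripe data succeeds. HMAC-SHA256 and a per-card counter stand in for the chip's real cryptogram, and every name and value here (ChipCard, Issuer, the nonce, the demo card) is constructed for illustration.

```python
import hashlib
import hmac

def one_time_code(key, pan, counter, amount_cents, nonce):
    # HMAC-SHA256 stands in for the chip's cryptogram (a simplification).
    msg = f"{pan}|{counter}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Model chip: the key stays inside; a counter advances on every use."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def pay(self, amount_cents, nonce):
        self._counter += 1
        code = one_time_code(self._key, self.pan, self._counter, amount_cents, nonce)
        return {"pan": self.pan, "counter": self._counter,
                "amount_cents": amount_cents, "nonce": nonce, "code": code}

class Issuer:
    """Model issuer: holds each card's key and stripe data, tracks counters."""
    def __init__(self, cards):
        self._cards, self._last = cards, {pan: 0 for pan in cards}

    def authorize_chip(self, tx):
        pan = tx["pan"]
        expected = one_time_code(self._cards[pan][0], pan, tx["counter"],
                                 tx["amount_cents"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "decline: code does not match transaction"
        if tx["counter"] <= self._last[pan]:
            return "decline: code already used"
        self._last[pan] = tx["counter"]
        return "approve"

    def authorize_stripe(self, pan, stripe):
        # Static data: a copy looks the same as the original, every time.
        return "approve" if self._cards[pan][1] == stripe else "decline"

def demo():
    # Constructed sample values; none of them is real card data.
    pan, key, stripe = "DEMO-PAN-0001", b"demo-key", "demo-track-data"
    issuer, card = Issuer({pan: (key, stripe)}), ChipCard(pan, key)
    first = card.pay(1999, "nonce-001")
    return [issuer.authorize_chip(first),                            # genuine use
            issuer.authorize_chip(dict(first)),                      # same data again
            issuer.authorize_chip({**first, "amount_cents": 99900}), # altered copy
            issuer.authorize_stripe(pan, stripe),                    # copied stripe
            issuer.authorize_stripe(pan, stripe)]                    # and again
```

Calling `demo()` returns the issuer's five decisions in order: the captured chip data is accepted once and declined on reuse or alteration, while the static stripe data is approved every time it is presented.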
How does EMV card processing work?
When an EMV card is dipped (or, if it supports near field communication, tapped), data flows between the card chip and the issuing financial institution to verify the card's legitimacy and create the unique transaction data. This process isn't as quick as a magnetic-stripe swipe, which has made it the source of widespread consumer scorn.
There are a couple of reasons why EMV takes about 15 seconds compared to a swipe’s two.
For one thing, more data is being sent with EMV transactions. Chips have up to 64 kilobytes of storage capacity, compared to 62 bytes available on traditional magnetic stripes, and issuers can embed the customer’s PIN in the chip to enable POS verification, according to a recent FICO whitepaper. The system was also not exactly optimized for speed: Instead, the card is meant to self-authenticate and authorize a transaction without connecting to a separate authorization system.
An EMV transaction requires the EMV payment card to remain in the payment card reader until the transaction is fully complete. The lag is built in so that the merchant’s system can update the chip on the EMV card with transaction data.
Chip-and-PIN vs. chip-and-sign
Chip cards are either verified with a PIN or with a signature, but the verification method is tied to the type of EMV card, not whether the card is debit or credit.
All the major U.S. banks are issuing chip-and-signature cards, meaning users need to sign for their purchases. This places the burden of verification on clerks at the register. Europe, on the other hand, relies on PINs to verify transactions in real time. Ironically, this disconnect means that American chip cards won’t actually work in Europe. It’s also sparked some debate over the security of the rollout: Signatures are easy to forge, whereas having to both steal a card and know its PIN makes fraud much harder to commit. Because of that, the Obama administration issued an executive order in October requiring that federal agencies migrate to chip-and-PIN-based credit cards for federal employees, instead of chip-and-signature.
Julie Conroy, a fraud analyst with The Aite Group, told Brian Krebs of Krebs on Security, however, that the security disconnect has been overstated. The PIN only helps thwart fraud when the card is lost or stolen, which is only a small part of overall card fraud in the U.S. market. (It doesn’t help with card-not-present transactions, for example, and wouldn’t address the counterfeit issue because the magnetic stripe would still be present.) And in the years since EMV’s European rollout, hackers have increased their efforts to capture the static PINs, rendering the chip-and-PIN system’s lauded security far less effective.
Card-issuing banks also tend to favor signatures over PINs. If PINs are stolen, they can be used with the magnetic stripe data—which U.S. cards still feature—to withdraw cash from ATMs, a cost that banks would have to absorb.
“It seems to me that as long as these chip cards still also store cardholder data on a magnetic stripe as a backup, that the thieves can still steal and counterfeit this card data—even from chip cards,” Krebs said.
A more cynical perspective concerns a misalignment of incentives. Interchange fees, which are set by credit card companies, vary according to perceived security risk. Signature debit interchange fees have been considerably higher than PIN debit interchange fees.
In a press release issued in October, the Merchant Payments Coalition (MPC) advocated for lower interchange fees because fraud will be reduced thanks to the adoption of EMV. At a congressional hearing, however, Visa pushed back.
“Criminals continue to invest in strategies to commit fraud as well, so we need to continue to invest in the ability to address that fraud,” Visa Vice President for Risk Products Stephanie Ericksen reportedly told the committee. “Even though EMV is one technology that is going to help drive fraud down, we need to continue to invest in other types of authentication technologies that continue to stay one step ahead of the criminals.”
Who’s liable for EMV fraud?
Today, if an in-store transaction is conducted using a compromised card, consumer losses from that transaction fall back on the payment processor or issuing bank, depending on the card's terms and conditions.
Following an October deadline created by major U.S. credit card issuers MasterCard, Visa, Discover, and American Express, the liability for card-present fraud shifted to whichever party hadn’t updated its systems to be EMV-compliant.
What’s next?
While EMV is widely considered safer for offline purchases, it does not address online purchases. Many therefore anticipate that the shift to EMV will increase card-not-present fraud, according to the Federal Reserve Bank of Chicago – Payments Policy Group.
In 2014, card-not-present fraud accounted for 45 percent of U.S. card fraud, according to Aite Group, and when the U.K. shifted to EMV cards, such fraud rose 79 percent in the first three years.
What’s more, the way the U.S. is rolling out the cards may increase the potential for fraudulent activity. For the foreseeable future, many cards will have both chips and stripes, in part to make things more convenient for consumers while systems continue to be updated.
That means there’s a long road ahead to achieve real security in transactions. For now, as long as there are hybrid payment terminals and ATMs that accept magnetic stripe cards, hackers aren’t going to be beaten. Stolen credit and debit card data is still going to be used to make fake cards, and data breaches are still going to happen. But to the extent that this rollout signals an ecosystem that is more committed to evolution as consumer—and hacker—habits change, this is the first step toward a far more secure payment landscape.