So problematic is the EMV migration that there are questions about crossing over at all.
“Is it the solution? Honestly, I don’t think it’s ever going to happen,” said J.D. Oder, chief technology officer at Shift4 Corp., a card processing gateway company he co-founded in Las Vegas.
Is EMV worth the bother?
Retailers are understandably concerned that they are spending huge sums to update their card processing equipment for an EMV implementation that has potential security potholes.
“As long as magstripe is around, there will be major breaches, I don’t care how much EMV is out there,” said Mark Horwedel, a former Wal-Mart executive who heads the Merchant Advisory Group, a Minneapolis group working on payments-industry issues. “Visa and MasterCard, in my view, are preoccupied with making the EMV migration in the U.S. as simple as possible for the banks.”
That’s what bothers Dean Sheaffer, chief compliance officer at Boscov’s Inc. in Reading, Pa. His company is spending “hundreds of thousands of dollars,” he said, to install EMV terminals at its department stores when he’s not convinced that EMV will offer enough fraud protection.
“We don’t feel good about it at all,” Sheaffer said. “I see a number of clear issues that I think have to be vetted and resolved.”
At the top of Sheaffer’s list: PINs and magnetic stripes.
Target, a big proponent of EMV, has been rolling out EMV-enabled point-of-sale terminals at its stores since 2012. It declined to discuss EMV security concerns.
“While the new hardware has the capability to process EMV, the software is still in development,” said Target spokeswoman Molly Snyder.
A multitude of technologies are being promoted to make EMV cards more secure, although they aren’t part of this country’s official EMV rollout. One is to encrypt all card data from the instant it’s read in the store until it’s processed by the bank. Another is tokenization, in which card data in the payment processing network is replaced with a meaningless value the minute the card is authenticated.
Add the end-to-end encryption and tokens to EMV cards and you have a “pretty airtight solution,” said Oder at Shift4 Corp.
Other approaches also are circulating.
Hall, at FishNet Security, advocates a single transaction code. It’s a one-time 15- or 16-character transaction code generated by a smartphone or other smart device at the start of a purchase that replaces the card account number. The code could be displayed as a bar code on the phone that could easily be scanned by bar code equipment that retailers already have at the checkout.
“Once it’s used, it’s done,” Hall said.
Time to do away with plastic?
The cards themselves are the root of the problem, Hall and others say, and it’s time for a paradigm shift.
Richard Crone, head of Crone Consulting in suburban San Francisco, calls for ditching the country’s existing card infrastructure altogether and moving to cloud-based mobile payments, in which everything is stored more securely through the Internet in a server farm somewhere.