As the United States lumbers toward a new credit card technology to thwart data thieves like the ones who struck Target Corp., payment security experts say the new system is far from foolproof.
The chip-based smart cards, already in use in much of the world, make it much harder to produce counterfeit cards. But the cards are less effective against the widespread and growing threat of bogus online transactions that require only account information.
EMV, as the technology is known, changes the game but won’t prevent all fraud.
“It’s not a panacea,” said Paul Tomasofsky, an electronic payments expert who heads Two Sparrows Consulting in Montvale, N.J.
EMV, which stands for Europay/MasterCard/Visa, is a fairly old approach rooted in experiments to deter fraud with microprocessor chips embedded in payment cards in France in the 1980s. It spread throughout Europe and became a global standard.
But because of the sheer size of the fragmented U.S. payments system, and the huge cost to convert, the United States is one of the last countries in the world to make the change.
There’s general agreement that EMV alone would not have prevented the Target breach, in which thieves accessed data from as many as 110 million customer accounts. But EMV would have reduced the value of the information by making it almost impossible to clone the cards.
That’s EMV’s biggest boast, that it prevents counterfeit card fraud. “It does that spectacularly,” said Jeff Hall, a security consultant in the Twin Cities for Overland, Kan.-based FishNet Security.
However, that’s only part of the challenge. Online fraud that doesn’t require the presence of an actual card now accounts for nearly half of all credit card fraud in the United States, according to Fair Isaac Corp., and studies show that adopting EMV drives crooks to this card-not-present fraud.
EMV has a vulnerability
EMV has a weakness at the point of sale. While data in the card’s memory chip is encrypted when the card isn’t in use, the data is momentarily vulnerable when customers pay.
Proponents of EMV say this isn’t a big flaw because the chip spits out a unique, one-time-only security code to encrypt the data for transmission.
But critics say that if thieves compromise the card terminal or the register at just the right point, they can access the data before transmission, circumvent the one-time security code and get access to the information they want. The bulk of online merchants don’t ask for the 3- or 4-digit security code on a card, Hall said.
There are other security concerns. In the U.S. rollout, banks issuing EMV cards are not required to put a personal information number, or PIN, on either the debit or credit cards. A PIN, which only the cardholder knows, makes transactions more secure.
More important, magnetic stripes aren’t going away. In an effort to ease the conversion, the new EMV cards will still have magnetic stripes so they will work in stores that lack EMV equipment.
But magnetic stripes are easy to copy and clone. Avivah Litan, a financial services security analyst at Connecticut-based Gartner Research, called the existence of magnetic stripes on EMV cards “a very big security threat.”
U.S. companies are grappling with these issues as the country’s gargantuan payments system undergoes the seismic shift from magnetic stripes to chips. Retailers, banks and myriad other payments players face an October 2015 deadline to be ready.
At that point, Visa, MasterCard, American Express and Discover are shifting the liability for fraud that happens in stores from the card-issuing banks to the merchants, unless the merchant is equipped for EMV.
So problematic is the EMV migration that there are questions about crossing over at all.
“Is it the solution? Honestly, I don’t think it’s ever going to happen,” said J.D. Oder, chief technology officer at Shift4 Corp., a card processing gateway company he co-founded in Las Vegas.
Is EMV worth the bother?
Retailers are understandably concerned that they are spending huge sums to update their card processing equipment for an EMV implementation that has potential security potholes.
“As long as magstripe is around, there will be major breaches, I don’t care how much EMV is out there,” said Mark Horwedel, a former Wal-Mart executive who heads the Merchant Advisory Group, a Minneapolis group working on payments-industry issues. “Visa and MasterCard, in my view, are preoccupied with making the EMV migration in the U.S. as simple as possible for the banks.”
That’s what bothers Dean Sheaffer, chief compliance officer at Boscov’s Inc. in Reading, Pa. His company is spending “hundreds of thousands of dollars,” he said, to install EMV terminals at its department stores when he’s not convinced that EMV will offer enough fraud protection.
“We don’t feel good about it at all,” Sheaffer said. “I see a number of clear issues that I think have to be vetted and resolved.”
At the top of Sheaffer’s list: PINs and magnetic stripes.
Target, a big proponent of EMV, has been rolling out EMV-enabled point-of-sale terminals at its stores since 2012. It declined to discuss EMV security concerns.
“While the new hardware has the capability to process EMV, the software is still in development,” said Target spokeswoman Molly Snyder.
A multitude of technologies are being promoted to make EMV cards more secure, although they aren’t part of this country’s official EMV rollout. One is to encrypt all card data from the instant it’s read in the store until it’s processed by the bank. Another is tokenization, in which card data in the payment processing network is replaced with a meaningless value the minute the card is authenticated.
Add the end-to-end encryption and tokens to EMV cards and you have a “pretty airtight solution,” said Oder at Shift4 Corp.
Other approaches also are circulating.
Hall, at FishNet Security, advocates a single transaction code. It’s a one-time 15- or 16-character transaction code generated by a smartphone or other smart device at the start of a purchase that replaces the card account number. The code could be displayed as a bar code on the phone that could easily be scanned by bar code equipment that retailers already have at the checkout.
“Once it’s used, it’s done,” Hall said.
Time to do away with plastic?
The cards themselves are the root of the problem, Hall and others say, and it’s time for a paradigm shift.
Richard Crone, head of Crone Consulting in suburban San Francisco, calls for ditching the country’s existing card infrastructure altogether and moving to cloud-based mobile payments, in which everything is stored more securely through the Internet in a server farm somewhere.
All payment credentials would be stored behind an encrypted firewall accessible only through strong authentication with only indecipherable tokens provided to the merchant for transaction authorization, Crone said.
“EMV as a fraud deterrent is a complete joke,” Crone said.
Still, proponents say it’s a vast improvement over the magnetic stripe system. Regardless of whatever percentage of fraud EMV doesn’t prevent, it’s better than where we are now, said Madeline Aufseeser, a payments analyst at Boston-based Aite Group.
Litan, at Gartner, agrees. Ultimately, the security arguments over EMV are “a red herring,” she said. It’s not perfect, Litan said, but EMV will significantly improve security compared to magnetic stripes and is the most realistic approach given its widespread adoption everywhere else. Companies will have to layer on other protections to thwart card-not-present fraud.
“It’s crazy to say don’t lock your front door because someone will get in your back door,” she said. “You’ve got to lock both.”
“There really isn’t any better proposal out there.”