By Patti Murphy
Widespread implementaion of Europay/MasterCard/Visa (EMV) is expected in 2015, and with it, huge reductions in card fraud. So where is my chip card? Of the five cards I carry in my wallet – one credit, three debit and a prepaid card – not one has been replaced with an EMV-compliant card, even though two have been replaced over the past year due to data breaches that may have compromised the accounts. I know I'm not alone.
EMV is a global standard for the interoperability of chip cards capable of authenticating payment card transactions at POS and ATM locations. It is supposed to replace mag stripe card use at retail POSs. EMV has had broad adoption, though not in the United States. Worldwide, more than 2 billion EMV-compliant chip cards are in circulation, according to EMVCo, the organization behind the standard, which also claims there are over 37 million EMV-compliant POSs around the globe.
U.S. retailers have until October 2015 to become EMV-compliant; gasoline stations with automated fuel dispensers get additional time. Thereafter, if a breach or other fraudulent activity involving debit and credit card data occurs, the liability gets pinned on whichever party isn't EMV compliant: issuers who failed to issue EMV-compliant cards or retailers without EMV terminals.
Target Corp., still smarting from a massive 2013 data breach, is the first big retailer to put significant support behind EMV. It expedited plans to move its proprietary credit and debit cards to EMV-compliant chip and PIN technology, in partnership with MasterCard Worldwide. The giant retailer also said it will have EMV-compliant POS devices in place at all its outlets by September 2014.
Target is an exception, however. Research by First Annapolis Consulting revealed most merchants are unaware of EMV and unprepared for the 2015 deadline. In April, the consultancy surveyed 200 U.S. merchants from a diverse set of verticals, although the restaurant and retail sectors accounted for 28 percent of respondents. The sample was also skewed toward larger merchants, with 40 percent reporting $100 million or more in revenues, First Annapolis noted.
Here are some of the findings:
"Clearly, it is early days for the U.S. EMV migration and, among all the other migration activities, the industry continues to face a significant educational challenge in the merchant market," wrote Marc Abbey, a partner, and Scott DeHaven, a consultant, at First Annapolis.
Nick Holland, Senior Analyst, Payments at Javelin Strategy & Research, echoed that sentiment. "With exactly 18 months to go until the EMV liability shift for merchants and issuers, clearly a great deal of work remains if the U.S. card payment industry is to smoothly transition from magnetic-stripe cards to chip cards," Holland said. "Before the shift can take place, the industry needs to focus on primarily educating consumers and merchants, while in tandem developing a roadmap for retiring the magnetic-stripe from card payments."
The author of a Javelin report titled EMV in USA: Assessment of Merchant and Card Issuer Readiness, Holland predicted that by the end of 2015, more than 166 million EMV credit cards will be in circulation in the United States (about 29 percent of all credit cards). EMV-compliant debit and prepaid cards should number about 105 million (approximately 17 percent of all debit and prepaid cards) by then. Holland expects ubiquity – which he defines as 96 percent of credit and 98 percent of debit and prepaid cards being EMV compliant – will take until the end of 2018.
Cost is a primary reason for lagging card issuance. By most estimates it costs about $3 to produce a chip card compared with less than a dollar to produce a mag stripe card. Terminal upgrades are costly, too.
EMV cards are considered more secure than traditional mag stripe cards, but it's not a cure-all, said Daniel Chatelain, founder and Managing Director of BayPay Forum, an international association of payment professionals. He said most EMV cards have mag stripes in addition to chips and, as a result, can still be cloned and used fraudulently, particularly in card-not-present situations.
That's what happened after EMV took hold in Europe, said Chatelain, a native of France. Some fraudsters skimmed mag stripe data from cards used at ATMs; others simply intercepted new EMV-compliant cards and PIN notices that were being mailed to cardholders. As long as credit and debit cards are manufactured with mag stripes and POS terminals can read mag stripe cards, they can be cloned and used to commit fraud, Chatelain said.
Chatelain considers EMV more a "philosophical argument" than a technology for securing card payments. He believes it's not much more than a set of rules, like the Payment Card Industry Data Security Standard, with consequences only when things go awry, and in a public way. "The payments industry needs to figure out a way to make card payments more secure without putting onerous rules in place," Chatelain said.
One option – Chatelain's preference – would be moving to dynamic mag stripe technology. It seems that every mag stripe has embedded in it biometric-like information that can be likened to fingerprints. It comes from the manufacturing process and has to do with the distribution of particles on the stripe. These unique particle patterns can be identified with a high degree of accuracy as a card is swiped through a reader, industry experts have found. The same goes for swipes: apparently, no two swipes of a mag stripe are precisely the same, which means fraud could be easier to spot if terminals were retrofitted to employ dynamic mag stripe technology.
Just like EMV, dynamic mag stripe technology may not be a panacea; but unlike chip and PIN security, implementing it would be cheaper and easier for everyone involved.
Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next