The Green Sheet Online Edition
November 24, 2014 • Issue 14:11:02
How secure is EMV, really?
I've heard that EMV terminals have already been compromised by researchers in at least two ways. In one scheme, and I have no idea how they could have done this, but researchers accurately predicted what the "unpredictable" dynamic CVV for a chip card would be for a particular transaction. In another scenario, researchers convinced an EMV reader that a card requiring a chip and PIN was actually a chip and signature card, which totally negated the extra protection providing a PIN offers.
Why are we going to all this trouble to implement EMV when it's already been proven to be vulnerable? Why not go right to some biometric authentication, like the thumb print Apple Pay uses?
Heather Mulvaney,Merchant Level Salesperson
The truth is that no matter what technologies we put in place, no method will ever be 100 percent safe. With card data being so valuable on the black market, criminals are highly motivated to find ways to circumvent protections, and they strive to do so just as soon as, or even before, new protections are implemented. It feels like they are always one step ahead; however, security experts are also highly motivated to continually find new and better ways to protect the payments ecosystem.
No method of payment acceptance is perfect, but it is generally agreed that Europay/MasterCard/Visa (EMV) chip and PIN transactions are significantly more secure than traditional mag stripe transactions.
While EMV technology is susceptible to attack, it has nonetheless been proven to significantly reduce fraud at the POS in regions throughout the world where it has already been implemented. It is expected that we will enjoy the same results here in the United States. Regions using EMV also experienced an increase in card-not-present fraud after EMV's implementation, but knowing that, savvy payment professionals serving the e-commerce sphere are helping their clients strengthen their data security efforts to thwart increased attention from fraudsters.
The fact that Apple Pay is employing consumers' thumb prints as part of the payment process might be the thing that turns biometrics into a mainstream component of payments. Biometric data is already used for identification in certain corporate and government settings (thumb or hand prints, retinal scans, etc.) for access to restricted information or places on campus, but those are environments in which workers, by and large, have to accept its use as part of their employment.
Whether a critical mass of consumers will embrace use of their thumb prints for payments voluntarily remains to be seen. Some folks are highly concerned about their prints being stolen and used fraudulently because, unlike payment card numbers, their prints cannot be replaced. Others feel like it's not a big deal.
As always, our industry is evolving rapidly. We cannot predict what the most convenient and secure payment technologies will be down the road, but we can study the options, and advise our clients about the latest card brand requirements and how best to avoid being an easy target for fraudsters and all the liability typically associated with that.
By asking questions like this one on EMV, you are doing just that, and we hope to continue to contribute to your ongoing education in payments in the years to come.
What's your take on today's payments issues and trends?
What do you think about the looming EMV implementation deadline? Are your merchants prepared? Do you think it's the right solution, or do you favor something else? We'd love to hear your thoughts on this, as well as on other important payments industry issues and trends. And we always welcome your questions and comments. So write that email right now and press Send: firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.