Chip and PIN: No panacea, but worth the effort – and the cost
- 23 September, 2014 00:42
Relief is in sight for the beleaguered US Payment Card Industry (PCI). By October 2015, chances are that America will no longer have the dubious distinction of leading the world in credit card fraud.
A year from next month, the 1960s-vintage "swipe-and-signature" magnetic stripe card system is expected to be yielding in a serious way to EMV (named for its original developers, Europay, MasterCard and Visa), also known as "chip and PIN," a smart-card system that has been in broad use in Europe and other parts of the world for nearly two decades.
The much-anticipated, and debated, shift will not be because of a mandate. But next October marks the so-called "liability shift," a clear incentive for merchants and banks to make the transition if they haven't already.
As MasterCard's Carolyn Balfany explained it to the Wall Street Journal earlier this year, "what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability."
So, if a customer has a chip card but a merchant has the old, swipe-and-signature technology, the transaction will still work, but if it is fraudulent, the merchant will bear the cost. Or, if the merchant has a new terminal but the bank has not issued an EMV card to the customer, the bank eats the cost of any fraud.
The intent of EMV is to prevent skimming by replacing the magnetic stripe with an embedded microchip. It also requires the user to enter a PIN, much like a debit card, to authenticate a purchase.
According to advocates of the change, it should dramatically improve credit card security in the U.S., now home to about half the world's credit card fraud, even though only about a quarter of all transactions take place here.
According to EMV Connection, the UK Card Association reports that, "losses at U.K. retailers have fallen by 67% since 2004; lost and stolen card fraud fell by 58% between 2004 and 2009; and mail non-receipt fraud has fallen by 91% since 2004."
It said Canada saw similar improvements after rolling out EMV in 2008.
But critics say that doesn't tell the whole story. Security blogger Brian Krebs noted last May that EMV terminals would not have prevented the catastrophic breach at Target late last fall. "Without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions," he wrote.
Also, a research team at the University of Cambridge released a paper earlier this year titled "Chip and Skim: cloning EMV cards with the pre-play attack," in which they said they had discovered serious vulnerabilities that would allow criminals to clone EMV cards even without physical possession of the cards.
They agreed that EMV had made, "using counterfeit and stolen cards ... more difficult," but noted that "criminals adapted," by turning their attention to attacking "card-not-present" (CNP) transactions, which are beyond the scope of EMV.
The bottom line: "EMV did not cut fraud as its proponents predicted," the team wrote.
EMV Connection acknowledges that attackers have migrated to CNP transactions although it points to the MasterCard Chip Authentication Program (CAP) and the Visa Dynamic Passcode Authentication (DPA) as improvements to security for EMV cards in online transactions.
But the recent announcement by Apple of its Apple Pay system, which will come with the iPhone 6, would bypass the need for the card entirely, by having the user load the card information into the phone (where it is then encrypted) and then authenticating a purchase with a fingerprint and by placing the phone next to the near-field-communication (NFC) receiver at participating merchants. Reportedly, Visa, MasterCard and American Express have already agreed to participate with it.
While Apple Pay has not yet been tested in the real world, that and other advances like My PinPad in the UK have had people like David Froud, blogger and founder of Core Concept Security, declaring that it makes sense for the U.S. to save itself the billions it will cost to move to EMV and simply move directly to more secure mobile payment options. Estimates of the cost to make the shift, for credit cards, point-of-sale (POS) devices and ATMs, range from $6 billion to more than $8.6 billion.
"Why would the banks make this expense when the main driving factor behind EMV is being negated on a daily basis by innovations in payment technology?" Froud wondered in a July post, noting that EMV is not exactly cutting edge, since it was introduced in France 21 years ago.
But a number of other security experts, while they agree that EMV is not perfect, say it is demonstrably better than the mag stripe, and well worth the expense.
"For some weird reason, a lot of people in security equate 'not a panacea' (and these don't exist in infosec) with 'has no value,'" said Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals. "What if AV catches just 30% of viruses? Would you rather deal with a third more of them? It's the same with EMV: there is reliable data from the EU that EMV has reduced card-present fraud."
Jacob Ansari, director of technical services at Sikich LLP, makes the same argument: while EMV is effective only with "card-present" transactions, that is the major kind of fraud now happening in the U.S.
"Attackers looking to perpetrate card-present fraud in the U.S. can do it ridiculously easily," he said, adding that the results in countries that have adopted EMV indicate that its adoption in the U.S., "would lead to a marked decrease in card-present fraud."
Julie Conroy, analyst at Aite Group, said, "there is no technology that will wipe out all fraud," and that while EMV would not have prevented the Target breach, "it would have significantly impeded the criminals' ability to monetize the breach, by making it very difficult to use the stolen data at the point of sale."
Regarding the findings of the British research team, Conroy said EMV, "has not been compromised outside of a university lab environment."
The cost to make the transition, she said, is more than worth it. "The credit card fraud problem alone is $3 billion, and growing rapidly," she said. "Debit card fraud is also into nine-figures, and growing at an equally rapid clip."
Conroy also contends that it will be less expensive than some estimates that put the cost of issuing EMV replacement cards at $3-$5. "For the largest issuers, who represent over 80% of our card market, the cost is around $1.30 per plastic," she said.
Adrian Lane, analyst and CTO at Securosis, said while Internet purchase fraud rates, "continue to climb everywhere," that does not mean EMV isn't worth it. The cost, he said, "is not such a big issue, as the major point-of-sale terminals have been updated to accept smart cards and NFC by the large retailers already."
Chuvakin calls the cost of the transition, "incredibly cheap, given that the current system with a magstripe reader at almost every merchant took nearly half a century to build."
Still, why spend all that money if better, more secure alternatives are either here already or on the horizon?
Lane said he thinks it will take considerable time, four to 10 years, for that technology to become commonplace. In the interim, there are billions to be saved with EMV credit cards.
"Chip and PIN or Smartphone/secure element payment both require NFC terminals," he said. And while merchants are already installing NFC technology, "on the consumer side, how many years will it be before every user has a smartphone with a secure element?"
Lane said consumer habits may play a major role in how EMV deployment plays out. He said Visa and MasterCard announced earlier this year that they will market EMV cards, but ones that will still use a signature, not a PIN, because otherwise consumers won't use them.
"The issuers argue that setting a PIN is too much hassle so people won't use the cards at all. They believe overall transaction volume would fall off, a no-no for the card brands," he wrote in a blog post.
Conroy agreed. "We have yet to see consumers embrace mobile payments," she said. "They are very comfortable with their plastic cards, and we've seen time and again that it takes powerful incentives to get them to change that behavior."
There is general agreement among experts that there should be no expectation that EMV will magically solve the problem, but that it can play a significant role in reducing fraud losses.
"Card fraud is a war with many fronts," Conroy said, and beyond EMV, fighting it will require tokenization and point-to-point encryption (P2PE), more robust fraud analytics in the CNP channel, and possibly more intrusive authentication methods.
Ansari agreed. It will take, "a mix of controls: technical, operational, legal and regulatory," he said.