As the United States lumbers toward a new credit card technology to thwart data thieves like the ones who struck Target Corp., payment security experts say the new system is far from foolproof.
The chip-based smart cards, already in use in much of the world, make it much harder to produce counterfeit cards. But the cards are less effective against the widespread and growing threat of bogus online transactions that require only account information.
EMV, as the technology is known, changes the game but won’t prevent all fraud.
“It’s not a panacea,” said Paul Tomasofsky, an electronic payments expert who heads Two Sparrows Consulting in Montvale, N.J.
EMV, for Europay/MasterCard/Visa, is a fairly old approach rooted in experiments to deter fraud with microprocessor chips embedded in payment cards in France in the 1980s. It has become a global standard.
But because of the sheer size of the fragmented U.S. payments system, and the huge cost to convert, the United States is one of the last countries in the world to make the change.
There’s general agreement that EMV alone would not have prevented the Target breach, in which thieves accessed data from as many as 110 million customer accounts. But EMV would have reduced the value of the information by making it almost impossible to clone the cards.
That’s EMV’s big boast, that it prevents counterfeit card fraud. “It does that spectacularly,” said Jeff Hall, security consultant for Overland, Kan.-based FishNet Security.
That’s only part of the challenge, however. Online fraud that doesn’t require the presence of an actual card now accounts for nearly half of all credit card fraud in the United States, according to Fair Isaac Corp., and studies show that adopting EMV drives crooks to this card-not-present fraud.
EMV also has a weakness at the point of sale. While data in the card’s memory chip are encrypted when the card isn’t in use, the data are momentarily vulnerable when customers pay.
Proponents of EMV say this isn’t a big flaw because the chip spits out a unique, one-time-only security code to encrypt the data for transmission.
But critics say that if thieves compromise the card terminal or the register at just the right point, they can access the data before transmission and get access to the information to buy from the bulk of online merchants, which don’t ask for the 3- or 4-digit security code on a card, Hall said.
There are other security concerns. In the U.S. rollout, banks issuing EMV cards are not required to put a personal identification number on the cards. A PIN, which only the cardholder knows, makes transactions more secure.
More important, magnetic stripes aren’t going away. To ease the conversion, the new EMV cards will still have magnetic stripes so they will work in stores that lack EMV equipment.
But magnetic stripes are easy to copy and clone.
U.S. companies are grappling with these issues as the country’s gargantuan payments system shifts from magnetic stripes to chips. Retailers, banks and other players face an October 2015 deadline to be ready.
At that point, Visa, MasterCard, American Express and Discover are shifting the liability for fraud that happens in stores from the card-issuing banks to the merchants, unless the merchant is equipped for EMV.
So problematic is the EMV migration that there are questions about crossing over at all.
Retailers are understandably concerned that they are spending huge sums to update their card processing equipment for an EMV implementation that has potential security potholes.
Ultimately, it’s not perfect, said Avivah Litan, a financial services security analyst at Connecticut-based Gartner Research, but EMV will significantly improve security compared to magnetic stripes and is the most realistic approach, given its widespread adoption everywhere else. Companies will have to layer on other protections to thwart card-not-present fraud.
“It’s crazy to say, ‘Don’t lock your front door, because someone will get in your back door,'” she said. “You’ve got to lock both.”