The October 1 deadline that ushered in the era of EMV cards in the US and saw American retailers begin to face full liability for credit card fraud is a big deal for merchants. The costs of being hacked will now hit them with more immediacy than ever before. But the day didn’t deserve the media hype it received for being a major boost to credit card security. It simply wasn’t. We will only achieve greater credit card security once issuing banks eliminate ancient magnetic stripes and issue full-fledged chip-and-PIN cards (not to be confused with their weaker cousin, chip-and-signature cards, which is what is being implemented in the US). Chip-and-PIN cards are what the US needs to make consumers, retailers, and the entire ‘in person’ payments system safer from counterfeit credit cards; online commerce is a whole different kettle of fish, but a topic for a future blog post.
There are two big problems with the way EMV is being implemented in the US. First, relying on 50-year-old magnetic stripe technology as a backup to the chip embedded in EMV cards is asking for trouble. This is because magnetic stripes contain static information that, if stolen, can easily be used to complete transactions. EMV cards, on the other hand, contain a chip with a dynamic code that changes with each transaction. If this code is stolen, it can’t be used again. But as long as there is a magnetic stripe on a credit card, the information needed to transact with counterfeit versions of the card is readily available to criminals. For instance, when the static data on the stripe is processed by a point-of-sale (POS) system, it’s stored in the POS system’s memory. Major retailer data breaches have involved the theft of this payment data from the memory of the POS system. There have also been countless instances of malicious capture devices installed in non-bank ATMs and other card readers for the purpose of stealing the information on the magnetic stripe.
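The difference between static stripe data and a per-transaction chip code can be modeled in a few lines. This is an added example, not part of the original post: it uses HMAC-SHA256 over a counter as a stand-in for the chip's real cryptogram scheme, and the `Issuer` class, key and sample data are constructed for illustration.

```python
import hashlib
import hmac

# Constructed placeholder values; not real card data.
STRIPE_DATA = b"0000000000000000=0000"   # static: identical on every swipe
CARD_KEY = b"constructed-demo-card-key"  # secret held by the chip and the issuer


def chip_code(key: bytes, counter: int, txn: bytes) -> bytes:
    """Per-transaction code: MAC over the chip's counter and the transaction."""
    msg = counter.to_bytes(2, "big") + txn
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Hypothetical issuer-side check for stripe and chip authorizations."""

    def __init__(self, stripe_data: bytes, card_key: bytes):
        self.stripe_data = stripe_data
        self.card_key = card_key
        self.last_counter = 0  # highest chip counter accepted so far

    def authorize_stripe(self, presented: bytes) -> bool:
        # Static data: nothing distinguishes the original from a copy.
        return hmac.compare_digest(presented, self.stripe_data)

    def authorize_chip(self, counter: int, txn: bytes, code: bytes) -> bool:
        if counter <= self.last_counter:
            return False  # counter already used: a replayed code
        expected = chip_code(self.card_key, counter, txn)
        if not hmac.compare_digest(code, expected):
            return False  # code does not match this counter and transaction
        self.last_counter = counter
        return True


def demo() -> dict:
    issuer = Issuer(STRIPE_DATA, CARD_KEY)
    txn1, txn2 = b"merchant=A;amount=20.00", b"merchant=B;amount=900.00"
    code1 = chip_code(CARD_KEY, 1, txn1)  # genuine chip, first purchase
    return {
        "stripe_original": issuer.authorize_stripe(STRIPE_DATA),
        "stripe_copy": issuer.authorize_stripe(bytes(STRIPE_DATA)),
        "chip_original": issuer.authorize_chip(1, txn1, code1),
        "chip_replay_same_txn": issuer.authorize_chip(1, txn1, code1),
        "chip_replay_new_txn": issuer.authorize_chip(2, txn2, code1),
        "chip_next_genuine": issuer.authorize_chip(2, txn2, chip_code(CARD_KEY, 2, txn2)),
    }
```

In this model a copy of the stripe data is approved exactly like the original, while a captured chip code is declined both when replayed as-is and when attached to a different transaction.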
Second, and even more concerning, is that in the US, transactions can still be authenticated by a simple signature rather than a PIN code. In practice that means completing a transaction by forging a consumer’s signature with a scribble is as easy as ever. Implemented this way, EMV cards provide little-to-no additional security. In contrast, chip-and-PIN EMV cards require the consumer to type in a code that only they know, just like they would when using a debit card. This is the predominant form of credit card security in G20 countries, and is the current gold standard. Yet it is not being implemented widely in the US.
Today, retailers are spending who-knows-how-much to enable acceptance and processing of chip-enabled cards—cards that still have magnetic stripes and lack critical PIN technology. Strangely, credit card companies are also spending big to re-issue these inadequate pieces of plastic. Why they’ve chosen to do this has been a topic of much debate. The rhetoric suggests this is a monumental step forward, but if you ask me, it’s mostly a monumental cost for retailers and card issuers, with little value to offset the increased liability. The move perpetuates known vulnerabilities and will require another massive credit-card reissuance in the future. One thing is for sure: until chip-and-PIN cards without magnetic stripes are delivered to consumers, the US won’t drastically reduce credit card fraud. The payment system in the US will continue to be in the crosshairs of cyber criminals.
The new dynamic that this creates is perhaps the greatest reason to give October 1 attention. It’s the start of a standoff between retailers, on the one hand, and other players in the payments ecosystem, who, in my opinion, are not yet delivering what’s needed to bolster payment card security. As I wrote in an op-ed last year for Chain Store Age, retailers consistently take the blame for credit card fraud even though it’s impossible for them to address the problem on their own. When it comes to credit card crimes, retailers tend to take the blame for every party in the payment card value chain, all of whom share in creating the risk.
As a former federal prosecutor, I’m sensitive to how victims are treated. When retailer breaches make national news and the finger is pointed at victim merchants, I wince. October 1 represents a shift in the financial responsibility for credit card risk between payment industry stakeholders, but consumers are no safer until the adoption of chip-and-PIN cards without magnetic stripes becomes universal. We’ve got a long way to go before we rest.