Friday, November 22, 2024

Opinion & Analysis: We Want EMV 2.0


A payments executive for Sinclair Oil outlines her frustrations with data security—and argues for a major upgrade to EMV.

by Trinette Huber

We’ve all been hearing a lot about EMV, or chip card technology, lately as some banks and merchants actually issue chip cards and install the terminals that can read them at the point of sale. The idea seems to be that EMV is establishing itself around the world, and the United States can’t afford to lag behind.

There’s just one problem with that idea: as a technology, EMV is 18 years old, and in today’s payments business, that makes it old news. What’s worse, to adopt it for the United States is to use old technology to fight a 21st-century problem.

The payments business got excited last year when Visa Inc. announced it will push EMV in the United States (box). But Visa’s incentive program does not address today’s real security and fraud problems. Retailers are being asked to spend large sums of money to implement 20th-century technology, while 21st-century problems are being ignored.

Merchants should be demanding that Visa upgrade EMV to put an end to the requirements of the Payment Card Industry data-security standard (PCI), make card skimming impossible, and accommodate secure online credit card transactions.

Right after World War I, France built a heavily fortified border between itself and Germany, called the Maginot Line. At the beginning of World War II, it took German forces only five days to go around that fortified border and overrun the French defenses. In the same way, Visa’s EMV announcement for the U.S. is presenting a Maginot Line of defense against fraud.

Where are the solutions that address today’s security problems? In short, where is EMV 2.0?

Less Protection

The current EMV solution does have some benefits when all parties are looking at the chip. EMV, developed in 1994 by Europay, MasterCard Inc., and Visa, was initially put in place to help authenticate a card in areas with poor communication. European merchants saw a reduction in fraud because they were able to verify the card and the person.

A chip-to-chip transaction (a card with a chip, a terminal that can read the chip, and a bank that can verify the chip) authenticates that the card is legitimate, so the retailer can feel good it is accepting a real card. In Europe, where chip-and-PIN is predominant, the person using the card is also authenticated, and again the retailer and the bank feel good that the transaction is legitimate.

In the U.S., however, it’s becoming clear that even if you adopt EMV, the PIN part of the transaction is not going to be required as banks issue chip-and-signature cards or cards that offer a choice of signature or PIN. On top of that, Visa is going to be shifting liability off the shoulders of compliant merchants only for counterfeit cards, not for lost or stolen cards or those used without permission by family.

This means even the EMV technology that’s being announced for the U.S. isn’t going to provide retailers adequate fraud protection. Already, this “chip-and-choice” trend provides less protection than is the case in Europe. And it has other holes that need to be addressed.

As Sinclair’s manager for information security and PCI compliance, I’ve worked over the last six years with our distributors and retailers to understand and address PCI compliance.

PCI compliance, which is really data security for credit card numbers, became necessary because technology changed and card numbers became easy to obtain, cheap to fraudulently recreate, and easy to misuse to get money or goods.

Retailers have spent a lot of time, money, and effort to work with security assessors to secure their networks, update their point-of-sale systems, and basically eliminate card data where it’s not necessary to protect the integrity of payment systems.

To keep everyone motivated, we pass around stories of merchants that are on the hook for $25,000 in fines because their point of sale was compromised with malicious software and they hadn’t even heard of PCI. How much do you suppose these small retailers worry about fraud costs when they are trying to absorb that blow? Retailers want to see a payment solution that protects the data at the card level so we can eliminate PCI.

Does Visa’s EMV announcement do this? No. EMV still passes card data in the clear—unencrypted. So, with this old technology, PCI compliance is still necessary. Even if a retailer adopts EMV 100%, it will have to continue protecting card data because the data are still valuable and easy to obtain. In fact, point-of-sale tampering is a big problem in countries that have adopted chip-and-PIN. When card data are transmitted unencrypted, they are compromised and used fraudulently.

Slow Adoption

This leads to another big concern that needs to be addressed—card skimming. Convenience stores and their gas dispensers see a lot of daily traffic and can be a tempting target to scoop up hundreds to thousands of credit card numbers and PINs when the dispenser isn’t adequately protected. Card skimming also happens at restaurants with complicit employees and at ATMs.

For c-stores, protecting against skimming can be a simple matter of providing better lighting, upgrading locks and video systems, and routinely checking for suspicious behavior and devices. According to Verizon’s 2011 Data Breach Investigations Report, gas-dispenser skimming is still very low, but as other avenues for fraud and data theft tighten up, we may see more.

Does Visa’s EMV announcement do anything to make card skimming impossible? No. Again, full track data are still sent with every transaction, and this information can be stolen and used at other retail locations, including online.

Online, or retail on the Internet, is another area that Visa’s EMV announcement does not address. This old EMV technology does not provide for better validation methods for online transactions. Online retail transactions need to be addressed in any type of 21st-century solution to prevent fraudulent transactions from moving to e-commerce, especially as many consumers prefer online transactions when they are available.

In our industry, the cost of fraudulent transactions is low, about 4 basis points on average. This doesn’t mean we don’t want to get rid of the fraud we do have. It means Visa’s EMV announcement by itself does not translate into a good cost-benefit business case. We at Sinclair Oil have been able to reduce our fraud costs by half over the last year, using methods already available for our industry, including address verification service and velocity testing.

For c-stores with gas dispensers (AFDs, or automatic fuel dispensers), the cost-benefit for these types of upgrades must always be reviewed. There are many competing demands for our distributors and retailers to make upgrades, including regulations, customer access, and better security around products.

For a typical c-store, it’s going to cost about $20,000 to upgrade both the inside and outside payment terminals for EMV. On average, and perhaps being a bit on the high side, a c-store sees about $1,000 a year in fraud. With such a small amount of fraud, shouldering this terminal cost doesn’t make sense.

Yes, we want to reduce fraud. But without the benefit of reducing some of these other problems that are both costly and a large administrative drain, EMV will have a very slow adoption.

For c-stores, adoption would be much quicker if the cost of PCI compliance were removed. EMV doesn’t do this, but EMV 2.0 could, by providing better support for encrypting and protecting card data. With an upgrade to EMV 2.0 that takes care of the costs associated with PCI, about $3,500 a year, plus the reduction in fraud, a generous $1,000 a year, the time to payout goes from 20 years to a little over five years.

Something Better

Visa clearly states that its introduction of EMV in the U.S. does not remove the requirements for PCI compliance. Visa’s EMV focus is “global interoperability” and a shift in liability for counterfeit cards. This is a missed opportunity.

Global interoperability shouldn’t mean global mediocrity. We should be shooting for a solution that addresses today’s real problems—hacking, skimming, online retail, and customer preference on payment method, specifically smart phones. We should be shooting for a global solution.

An update to the EMV software shouldn’t be that much of a stretch. The software should be able to be updated so the card number passes encrypted for authorization, but is still able to provide an abstraction of the card number to the point of sale so next steps in a transaction can still be handled. Examples of such abstraction are the bank identification number, so the point of sale understands the card type, and the last four digits of the card number, so the customer knows which card he used.

This would be true dynamic data. Upgrade the software on the chip so that the data are really only good for that single transaction. Anyone who skims the data has useless data. This would be EMV 2.0. The chip should be smart enough to be able to detect if the reader has been upgraded.
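As an added illustration of the authorization flow the author sketches (this is not code from the article, Visa, or the EMV specifications, and it is simplified relative to EMV’s own ARQC cryptogram): the chip encrypts the PAN under a per-transaction keystream, exposes only the BIN and last four to the point of sale, and binds the request to one counter, amount and merchant, so a skimmed copy is declined when replayed or presented elsewhere. The card reference, per-card key and sample PAN are constructed assumptions, and the HMAC-based keystream stands in for whatever cipher a real design would specify.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, label: bytes, atc: int) -> bytes:
    return hmac.new(key, label + atc.to_bytes(4, "big"), hashlib.sha256).digest()

def _cryptogram(key: bytes, msg: dict) -> str:
    """MAC binding the request to one counter, amount, merchant and PAN ciphertext."""
    fields = (msg["card_ref"], msg["atc"], msg["amount_cents"], msg["merchant_id"], msg["enc_pan"])
    return hmac.new(key, "|".join(map(str, fields)).encode(), hashlib.sha256).hexdigest()

def chip_build_auth_request(pan, card_ref, card_key, atc, amount_cents, merchant_id):
    """Chip side: the PAN is encrypted under a keystream unique to this ATC (transaction
    counter); the POS only sees the BIN (card type) and the last four (receipt)."""
    keystream = _prf(card_key, b"enc", atc)
    enc_pan = bytes(p ^ k for p, k in zip(pan.encode(), keystream)).hex()
    msg = {"bin": pan[:6], "last4": pan[-4:], "card_ref": card_ref, "atc": atc,
           "amount_cents": amount_cents, "merchant_id": merchant_id, "enc_pan": enc_pan}
    msg["cryptogram"] = _cryptogram(card_key, msg)
    return msg

class Issuer:
    def __init__(self):
        self.cards = {}  # card_ref (pseudonymous id provisioned at enrollment) -> record

    def enroll(self, pan: str):
        card_ref, key = secrets.token_hex(8), secrets.token_bytes(32)  # constructed, per card
        self.cards[card_ref] = {"key": key, "pan": pan, "last_atc": 0}
        return card_ref, key

    def authorize(self, msg: dict) -> str:
        card = self.cards[msg["card_ref"]]
        if not hmac.compare_digest(_cryptogram(card["key"], msg), msg["cryptogram"]):
            return "DECLINE: cryptogram mismatch"  # amount, merchant or counter altered
        if msg["atc"] <= card["last_atc"]:
            return "DECLINE: replayed counter"  # a skimmed copy presented a second time
        keystream = _prf(card["key"], b"enc", msg["atc"])
        pan = bytes(c ^ k for c, k in zip(bytes.fromhex(msg["enc_pan"]), keystream)).decode()
        if pan != card["pan"]:
            return "DECLINE: PAN mismatch"
        card["last_atc"] = msg["atc"]  # this counter can never be accepted again
        return "APPROVE"

def demo():
    # One legitimate purchase, then the same skimmed request replayed and moved elsewhere.
    issuer, pan = Issuer(), "4000001234567899"  # constructed sample PAN
    card_ref, key = issuer.enroll(pan)
    legit = chip_build_auth_request(pan, card_ref, key, 1, 4500, "STORE-A")
    first, replay = issuer.authorize(legit), issuer.authorize(legit)
    return first, replay, issuer.authorize(dict(legit, merchant_id="STORE-B")), pan not in str(legit)
```

The last value returned by `demo()` confirms the full card number never appears in what the point of sale handles, which is the property that would take the POS out of PCI scope.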

Retailers that want to remove the requirements around PCI and eliminate the possibility of skimming would upgrade to EMV 2.0. Retailers that don’t see this cost-benefit could stick with the old technology.

We want to see better security for card data so that PCI compliance costs can be saved. We want to see better security for card data so that gas dispensers are not targeted for skimming attacks.

It makes no sense to impose this old technology on the U.S. We want something better. We want a solution that addresses fraud, including skimming, counterfeit cards, and friendly fraud. We want EMV 2.0.

Trinette Huber is manager for information privacy and security for the PCI program at Sinclair Oil Corp., Salt Lake City, Utah. Reach her at thuber@sinclairoil.com.


How Visa Hopes to Push EMV in the U.S.

Visa Inc. in August announced three initiatives to spur adoption of so-called EMV contact and contactless chip cards and near-field communication (NFC) mobile payments in the United States.

Visa’s announcement raised plenty of questions, especially about cost. The initiatives are aimed at the point of sale and not directly at the booming field of card-not-present payments, and they don’t necessarily mean the U.S. will have the chip-and-PIN model of EMV payments common in other countries.

Still, Aug. 9, 2011, could go down as the most important date yet for the so-called Eurocard-MasterCard-Visa chip card system in the U.S., the only major country that has yet to commit to the technology that is supplanting magnetic-stripe cards. EMV cards effectively thwart card counterfeiting, and they’ll eliminate the increasing problem of U.S. cardholders being unable to use mag-stripe cards in EMV countries.

The three initiatives are:

– Expansion to the U.S. of the Technology Innovation Program (TIP) that Visa announced in February 2011 for international merchants. Under TIP, Visa eliminates the requirement that merchants annually validate their compliance with the Payment Card Industry data-security standard (PCI), provided that 75% of their Visa transactions originate at chip-enabled terminals. To qualify for TIP, which takes effect in the U.S. Oct. 1, POS terminals must be enabled to accept contact and contactless chip cards as well as NFC contactless payments from mobile devices. Merchants are still expected to meet PCI’s rules.

– U.S. merchant acquirers and sub-processors must be able to support chip transactions no later than April 1, 2013. Acquirers must be able to transmit and process the additional data in chip transactions, including the cryptographic message that makes each transaction unique. This so-called “dynamic authentication” is EMV’s main security advantage over the mag stripe, which relies on static authentication such as signatures and PINs for authorizations.

– A liability shift for domestic and cross-border counterfeit POS transactions effective Oct. 15, 2015. Visa says card issuers today largely absorb the costs of counterfeit fraud, but with the liability shift, if a customer presents a contact chip card to a merchant that, at a minimum, has not installed chip-card terminals, liability for a transaction that proves fraudulent could shift to the merchant’s acquirer. Acquirers will pass the cost on to their merchants.

Gasoline retailers have until Oct. 1, 2017, before they’re subject to the liability shift.
