EMV Is Simply Not Worth The Effort. Not Even A Little
Written by Trinette Huber
Trinette Huber is the manager of Information Privacy and Security at Sinclair Oil, a $7 billion oil and gasoline company with 2,700 gas stations and convenience stores.
In the months since Visa this summer said it was reversing itself and embracing EMV for the U.S., we have had a few weeks for this to settle in and to listen to a few Webinars and experts. My considered reaction is now: “What?! Why are we buying this?”
Visa wants retailers to spend thousands of dollars and what do we get? EMV is not good enough. We want EMV 2.0. We want something better. This is old technology, being painted and plastered with lipstick and rouge to look like better security. If this is the answer that retailers, consumers and banks have been demanding for better credit-card security, I again say, “not good enough.” This is asking retailers to once again upgrade their point-of-sale equipment to something that is already obsolete; it is just a step along the way to the technology we really want to see: secure payment transactions, more mobile payments and trusted service providers.
For the last five years, I’ve been advising, cajoling, arguing and sometimes arm-twisting when it comes to PCI compliance for our distributors and c-store operators. We’ve been waiting for technology that protects credit-card data. Stop coming back to the trough to get retailers to pay for something that doesn’t remove PCI compliance requirements and protect online transactions.
EMV—generally deployed as Chip-and-PIN—is being sold to retailers as a way for banks to authenticate that a card is legit and, if a PIN is used, that the consumer is legit. The idea is no more counterfeit cards and no more friendly fraud when everyone finally migrates to the same platform. Sounds good?
And, just so you understand the value proposition, Visa is willing to waive your requirement to report to it your PCI compliance status if you’ve upgraded at least 75 percent of your point-of-sale equipment to accept Chip-and-PIN. Imagine the response I’ll hear from our c-stores.
“Great! No more PCI compliance? This means I spend money to upgrade all of my point-of-sale equipment—about $20,000 for an average c-store—and I can offset that expense by not having the fear of a breach or the cost of compliance?”
Ah, no. Chip-and-PIN doesn’t eliminate your requirement to be PCI compliant. You still have to do that. If we adopt Europe’s old technology, the card data will still pass in the clear. You still need to spend all of that money securing your point-of-sale equipment, auditing your network and reporting on your compliance status. Well, maybe not reporting to Visa—if you meet its requirements—but there’s still MasterCard, American Express and Discover.