EMV Is Simply Not Worth The Effort. Not Even A Little
Written by Trinette Huber

Trinette Huber is the manager of Information Privacy and Security at Sinclair Oil, a $7 billion oil and gasoline company with 2,700 gas stations and convenience stores.
In the months since Visa this summer said it was reversing itself and embracing EMV for the U.S., we have had a few weeks for this to settle in and to listen to a few Webinars and experts. My considered reaction is now: “What?! Why are we buying this?”
Visa wants retailers to spend thousands of dollars and what do we get? EMV is not good enough. We want EMV 2.0. We want something better. This is old technology, being painted and plastered with lipstick and rouge to look like better security. If this is the answer that retailers, consumers and banks have been demanding for better credit-card security, I again say, “not good enough.” This is asking retailers to once again upgrade their point-of-sale equipment to something that is already obsolete; it is just a step along the way to the technology we really want to see: secure payment transactions, more mobile payments and trusted service providers.
For the last five years, I’ve been advising, cajoling, arguing and sometimes arm-twisting when it comes to PCI compliance for our distributors and c-store operators. We’ve been waiting for technology that protects credit-card data. Stop coming back to the trough to get retailers to pay for something that doesn’t remove PCI compliance requirements and protect online transactions.
EMV—generally deployed as Chip-and-PIN—is being sold to retailers as a way for banks to authenticate that a card is legit and, if a PIN is used, that the consumer is legit. The idea is no more counterfeit cards and no more friendly fraud when everyone finally migrates to the same platform. Sounds good?
And, just so you understand the value proposition, Visa is willing to waive your requirement to report to it your PCI compliance status if you’ve upgraded at least 75 percent of your point-of-sale equipment to accept Chip-and-PIN. Imagine the response I’ll hear from our c-stores.
“Great! No more PCI compliance? This means I spend money to upgrade all of my point-of-sale equipment—about $20,000 for an average c-store—and I can offset that expense by not having the fear of a breach or the cost of compliance?”
Ah, no. Chip-and-PIN doesn’t eliminate your requirement to be PCI compliant. You still have to do that. If we adopt Europe’s old technology, the card data will still pass in the clear. You still need to spend all of that money securing your point-of-sales, auditing your network and reporting on your compliance status. Well, maybe not reporting to Visa—if you meet its requirements—but there’s still MasterCard, American Express and Discover.
November 17th, 2011 at 4:53 pm
Well said. Most of what Visa and MasterCard do is only to improve their profitability. They have virtually no interest in stopping fraud as they just pass the cost on to their customers. When they have to eat the costs of stolen cards and identity theft then they’ll do the right thing.
November 17th, 2011 at 7:58 pm
It’s a good point, but bear in mind that just because the US is beginning to see that there are other technologies beyond the magstripe, in Europe EMV has been around for a *long* time. In that context, when EMV was created the issues around card data security weren’t of the same scope, and therefore were never the primary focus of the standard.
But life moves on, and as the writer correctly points out, before migrating one of the world’s largest card and POS bases to chip, it’s an opportunity to take EMV to the next level and extend this technology to kill the PCI DSS issues too. Why this isn’t more of a focus for the schemes I don’t know.
Then again, there’s quite a simple way of killing this with the existing technology – issue cards where the PAN is different to the Track 2 Equivalent Data, and stop pulling the latter from the card. If the PAN is only ever authorised by the issuer when the transaction originates as a chip transaction from a chip terminal that it’s able to do DDA on, then that PAN is essentially useless to a fraudster – they can’t use it for a card-not-present transaction, nor can they write it to a magstripe and use it on a non-chip terminal.
Correct me if I’m wrong here but isn’t the big goal we’re chasing here to make a card number useless to the fraudster? If the PAN from the chip is useless outside of an EMV terminal then it becomes what POS vendors are busy selling for millions of dollars – a useless token that you can’t write to a magstripe or use for card-not-present.