advertisement
advertisement

Target, Wal-Mart On EMV: The Metric System Of Payment

Written by Evan Schuman
April 27th, 2011

EMV may become the metric system of payment, a process that almost everyone in the world adopts, with the U.S. stubbornly refusing. In a panel discussion on Wednesday (April 27), Target and Wal-Mart agreed that EMV Chip-and-PIN is an extremely desirable way to go. But hardly anyone has a concrete plan for making it happen in the U.S.—in a meaningful way—anytime soon. Still, both chains were certain of one thing: If magstripes could magically be made to go away tomorrow, the retail world would be a happier place.

“If we can envision a world where magstripe doesn’t exist, Chip-and-PIN would virtually eliminate all counterfeit, lost and stolen fraud as well as almost 99 percent of PCI costs,” said Mike Cook, Wal-Mart’s VP and assistant treasurer. “So you no longer have to have your database encrypted. You no longer need to have the secure lines. You’re no longer storing data that could be used by somebody else. The PCI costs become significant cost savings.”

Panelists agreed that dynamic data is the key, suggesting that static data authentication (SDA) is inherently inferior to today’s dynamic data authentication (DDA) chips.

“We should stop wasting money propping up and trying to secure the existing fraud-prone magstripe and signature system that exists in the U.S. today and move to two-factor authentication,” Cook said, stressing what he did not want one of those factors to be. “I don’t think there’s anyone in this room who would believe that signature is an appropriate form of authentication. We haven’t hired a handwriting expert at Wal-Mart in years.”

Target’s Marc Black, the chain’s guest data security director, was asked what it would take before Target would start purchasing EMV-friendly POS units. “Part of that investment decision will be how terminal manufacturers incorporate smartcard readers in their products. We need a firm roadmap, so we can guide our investment. This is not the only new payment technology out there,” he said, referring to near field communication (NFC), among others.

Wal-Mart’s Cook added that retailers should also refrain from trying to cheap-out on the chip costs too much. “The PIN must be encrypted between the device and the card itself. That means we’ll need slightly more costly chips to accept that encryption,” he said. “We’ll also need offline PIN authentication, so that whenever it is sent up for authorization—through our host, out to the acquirer—the validation of the PIN takes place at the point of sale, not that we have to transmit that PIN and expose it anywhere along the line, even if it is encrypted. Also, two-factor authentication.”

Posted in E-Commerce, IT Strategy/Industry, Mobile/Wireless/Contactless, Payment Systems, Security/Fraud
advertisement

6 Comments | Read Target, Wal-Mart On EMV: The Metric System Of Payment

  1. Marc Massar Says:
    April 28th, 2011 at 7:33 am

    Mr. Cook doesn’t seem to understand that EMV is not a data protection scheme. It’s an authentication scheme. Using EMV doesn’t mean cardholder data goes away – it’s still there.

  2. Dan Stiel Says:
    April 28th, 2011 at 8:43 am

    A good place for large retailers like WMT and Target who believe in EMV and new authentication schemes is to start with their own private label/co-brand credit and debit card programs.

    More important, to engage the majority of retailers, networks need to create financial rewards for small and large merchants to invest in new technologies. Without the incentives – not to mention a card base, there is little momentum for adoption.

    Retailers stumbling out of a nasty recession are facing many demands for limited investment dollars. Merchants are hesitant to allocate any money on the necessary EMV hardware and deployment. There are just too many other things to spend money on.

    Adding complexity to the decisioning, in the rapidly changing payments landscape, merchants in the U.S. I know are wondering if a better mousetrap is just around the corner.

  3. Ernie Schell Says:
    April 28th, 2011 at 5:00 pm

    Chip-and-pin is not foolproof. According to Ross Anderson, “Chip and Pin Is Broken,” Feb 2011, “the flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature, or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN.” http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/ And this is a flaw both offline and online. The root cause, says Anderson, is that no one normalized all the various protocols from banks and processors to assure there were no missing pieces.

  4. Gavin Phillips Says:
    April 28th, 2011 at 7:50 pm

    As Marc Massar says, there seems to be a common misunderstanding in the US about what EMV actually achieves. On a personal basis I come up against this preconception repeatedly. EMV can be a great tool to combat lost & stolen and conterfeit fraud (assuming of course that it is implemented in such a way that fallback to magstripe is eventually let go of), but it’s not going to solve your PCI DSS headache – the sensitive data still exists, and so can still be compromised and used for card not present fraud.

  5. Steve Sommers Says:
    May 11th, 2011 at 1:27 pm

    Ummm, “EMV is not a data protection scheme; it’s an authentication scheme” — wait until some EMV fanatic reads this. According to EMV fanatics, if the authentication scheme is as strong as EMV, compromised card data is not an issue because forged cards won’t get through the authentication process. But then you ask where MOTO and ecommerce fit into this panacea, and usually the silence is deafening.

  6. Vlad Sighisoara Says:
    May 19th, 2011 at 5:48 pm

    “If we can envision a world where magstripe doesn’t exist, Chip-and-PIN would virtually eliminate all counterfeit, lost and stolen fraud as well as almost 99 percent of PCI costs,” said Mike Cook”

    Mr. Cook is definitely not an expert on this field and has very false assumptions on what EMV is capable of. If his statement were true, then Europe would have less Credit Card fraud than the United States. However, the facts are that EMV has done little to nothing to prevent the amount of fraud in Europe when compared to the United States online systems. This is why the United States has no motivation to adopt EMV as it is costly and many feel is inferior to the Online Systems that the United States uses to combat fraud.

Newsletters

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!
advertisement

Most Recent Comments

"Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code." -Marc

Will Warranty Enforcement Be Amazon Marketplace's Achilles' Heel?

Nathan
I buy most of my nerd toys on Amazon and I had never stopped to consider that I may be shooting myself in the foot in terms of warranties. I'll have to make a point of checking the seller's info to confirm they are authorized distributors (at least for high-ticket items). Thanks for the head's up! Read more...

When Replacing NFC, Tech Is Really Not The Issue

A reader
Folk wisdom on the net suggests that if you are given a "free" product, look carefully at the terms because you are no longer the consumer - you are the product. If Google offered free readers to merchants, what would they be getting from those merchants? Data. They would be able to close the loop on when and why customers who research on line buy from a bricks and mortar store. This would enable Google to know retailer price points, which searches are most effective to get those products in front of on line advertisers, and to be able to sell that advice to others. Not every retailer would want to provide such data to their competition. Read more...

Court To Fed: Keep The (Inter)Change

terry
This was an easy way for merchants to effectively directly remove money from a customer’s bank account. The risk of default was low, as was the cost of processing. Merchants had to install new PIN-based POS terminals, but many banks and acquirers helped to subsidize these costs by setting the interchange fees at “par” (no fee) or even reverse fees as a subsidy. Read more...

Walmart Sales Tax Snafu: How Did They Get This So Wrong?

Paula
I've been in the industry for a thousand years and didn't know about these "collection fees". Actually checked with my former boss, a COO of a major multichannel retailer, and neither he nor his CFO knew about it either, even though his company is taking advantage of it in a couple of states. Read more...

PCI's Not-So-Open Global Forum

Marc
I agree with your premise that the PCI SSC needs to do a better job of communicating with POs. I don't agree with your QSAs interpretation of PA-DSS requirements. 4.2.7 is not specific to user accounts with user databases. "4.2 Payment application must provide an audit trail to reconstruct the following events: 4.2.7 Creation and deletion of system-level objects within or by the application." The standard interpretation, in my experience, is that the application must provide an audit trail for system events. Read more...
Stephen Ames, CISA, CISSP
I received confirmation from the PCI Council's director of data security standards that my PA-QSA was not exacly spot on with his guidance. Without getting into too much detail, my application in question is compliant with PA-DSS 4.2 out-of-the-box. I'll be having a conversation with my PA-QSA about this. Read more...

Why Did Gonzales Hackers Like European Cards So Much Better?

David True
I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Marc
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
Biff Matthews
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
Mimi Hart
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
A reader
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Changing Terms of Service? Be Ready For A Class Action Lawsuit

Bernard Regier
Very enlightening article. In regards to policy statements/terms of service, why hasn't Craigslist been sued up the wahoo for not allowing users to cancel their memberships? Of their many uncouth business practices, including complete lack of accountability and doling out strange, arbitrary punishments to out-of-line members(see customerservicescoreboard.com for 8-9 hundred horror stories), disallowing individuals to terminate service seems the most unlawful. I don't know anything about contractual law or online regulations, but If I owned a store, I could refuse or restrict service to anyone or lock them out if necessary; what I CAN'T do is lock them in!Your thoughts? Read more...
StorefrontBacktalk
Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.