Target, Wal-Mart On EMV: The Metric System Of Payment

Written by Evan Schuman
April 27th, 2011

EMV may become the metric system of payment, a process that almost everyone in the world adopts, with the U.S. stubbornly refusing. In a panel discussion on Wednesday (April 27), Target and Wal-Mart agreed that EMV Chip-and-PIN is an extremely desirable way to go. But hardly anyone has a concrete plan for making it happen in the U.S.—in a meaningful way—anytime soon. Still, both chains were certain of one thing: If magstripes could magically be made to go away tomorrow, the retail world would be a happier place.

“If we can envision a world where magstripe doesn’t exist, Chip-and-PIN would virtually eliminate all counterfeit, lost and stolen fraud as well as almost 99 percent of PCI costs,” said Mike Cook, Wal-Mart’s VP and assistant treasurer. “So you no longer have to have your database encrypted. You no longer need to have the secure lines. You’re no longer storing data that could be used by somebody else. The PCI costs become significant cost savings.”

Panelists agreed that dynamic data is the key, suggesting that static data authentication (SDA) is inherently inferior to today’s dynamic data authentication (DDA) chips.

“We should stop wasting money propping up and trying to secure the existing fraud-prone magstripe and signature system that exists in the U.S. today and move to two-factor authentication,” Cook said, stressing what he did not want one of those factors to be. “I don’t think there’s anyone in this room who would believe that signature is an appropriate form of authentication. We haven’t hired a handwriting expert at Wal-Mart in years.”

Target’s Marc Black, the chain’s guest data security director, was asked what it would take before Target would start purchasing EMV-friendly POS units. “Part of that investment decision will be how terminal manufacturers incorporate smartcard readers in their products. We need a firm roadmap, so we can guide our investment. This is not the only new payment technology out there,” he said, referring to near field communication (NFC), among others.

Wal-Mart’s Cook added that retailers should also refrain from trying to cheap-out on the chip costs too much. “The PIN must be encrypted between the device and the card itself. That means we’ll need slightly more costly chips to accept that encryption,” he said. “We’ll also need offline PIN authentication, so that whenever it is sent up for authorization—through our host, out to the acquirer—the validation of the PIN takes place at the point of sale, not that we have to transmit that PIN and expose it anywhere along the line, even if it is encrypted. Also, two-factor authentication.”


6 Comments | Read Target, Wal-Mart On EMV: The Metric System Of Payment

  1. Marc Massar Says:

    Mr. Cook doesn’t seem to understand that EMV is not a data protection scheme. It’s an authentication scheme. Using EMV doesn’t mean cardholder data goes away – it’s still there.

  2. Dan Stiel Says:

    A good place for large retailers like WMT and Target who believe in EMV and new authentication schemes is to start with their own private label/co-brand credit and debit card programs.

    More important, to engage the majority of retailers, networks need to create financial rewards for small and large merchants to invest in new technologies. Without the incentives – not to mention a card base, there is little momentum for adoption.

    Retailers stumbling out of a nasty recession are facing many demands for limited investment dollars. Merchants are hesitant to allocate any money on the necessary EMV hardware and deployment. There are just too many other things to spend money on.

    Adding complexity to the decisioning, in the rapidly changing payments landscape, merchants in the U.S. I know are wondering if a better mousetrap is just around the corner.

  3. Ernie Schell Says:

    Chip-and-pin is not foolproof. According to Ross Anderson, “Chip and Pin Is Broken,” Feb 2011, “the flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature, or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN.” And this is a flaw both offline and online. The root cause, says Anderson, is that no one normalized all the various protocols from banks and processors to assure there were no missing pieces.

  4. Gavin Phillips Says:

    As Marc Massar says, there seems to be a common misunderstanding in the US about what EMV actually achieves. On a personal basis I come up against this preconception repeatedly. EMV can be a great tool to combat lost & stolen and conterfeit fraud (assuming of course that it is implemented in such a way that fallback to magstripe is eventually let go of), but it’s not going to solve your PCI DSS headache – the sensitive data still exists, and so can still be compromised and used for card not present fraud.

  5. Steve Sommers Says:

    Ummm, “EMV is not a data protection scheme; it’s an authentication scheme” — wait until some EMV fanatic reads this. According to EMV fanatics, if the authentication scheme is as strong as EMV, compromised card data is not an issue because forged cards won’t get through the authentication process. But then you ask where MOTO and ecommerce fit into this panacea, and usually the silence is deafening.

  6. Vlad Sighisoara Says:

    “If we can envision a world where magstripe doesn’t exist, Chip-and-PIN would virtually eliminate all counterfeit, lost and stolen fraud as well as almost 99 percent of PCI costs,” said Mike Cook”

    Mr. Cook is definitely not an expert on this field and has very false assumptions on what EMV is capable of. If his statement were true, then Europe would have less Credit Card fraud than the United States. However, the facts are that EMV has done little to nothing to prevent the amount of fraud in Europe when compared to the United States online systems. This is why the United States has no motivation to adopt EMV as it is costly and many feel is inferior to the Online Systems that the United States uses to combat fraud.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.