EMV Is Simply Not Worth The Effort. Not Even A Little

Written by Trinette Huber
November 16th, 2011

Trinette Huber is the manager of Information Privacy and Security at Sinclair Oil, a $7 billion oil and gasoline company with 2,700 gas stations and convenience stores.

In the months since Visa this summer said it was reversing itself and embracing EMV for the U.S., we have had a few weeks for this to settle in and to listen to a few Webinars and experts. My considered reaction is now: “What?! Why are we buying this?”

Visa wants retailers to spend thousands of dollars and what do we get? EMV is not good enough. We want EMV 2.0. We want something better. This is old technology, being painted and plastered with lipstick and rouge to look like better security. If this is the answer that retailers, consumers and banks have been demanding for better credit-card security, I again say, “not good enough.” This is asking retailers to once again upgrade their point-of-sale equipment to something that is already obsolete; it is just a step along the way to the technology we really want to see: secure payment transactions, more mobile payments and trusted service providers.

For the last five years, I’ve been advising, cajoling, arguing and sometimes arm-twisting when it comes to PCI compliance for our distributors and c-store operators. We’ve been waiting for technology that protects credit-card data. Stop coming back to the trough to get retailers to pay for something that doesn’t remove PCI compliance requirements or protect online transactions.

EMV—generally deployed as Chip-and-PIN—is being sold to retailers as a way for banks to authenticate that a card is legit and, if a PIN is used, that the consumer is legit. The idea is no more counterfeit cards and no more friendly fraud when everyone finally migrates to the same platform. Sounds good?

And, just so you understand the value proposition, Visa is willing to waive your requirement to report to it your PCI compliance status if you’ve upgraded at least 75 percent of your point-of-sale equipment to accept Chip-and-PIN. Imagine the response I’ll hear from our c-stores.

“Great! No more PCI compliance? This means I spend money to upgrade all of my point-of-sale equipment—about $20,000 for an average c-store—and I can offset that expense by not having the fear of a breach or the cost of compliance?”

Ah, no. Chip-and-PIN doesn’t eliminate your requirement to be PCI compliant. You still have to do that. If we adopt Europe’s old technology, the card data will still pass in the clear. You still need to spend all of that money securing your point-of-sale systems, auditing your network and reporting on your compliance status. Well, maybe not reporting to Visa—if you meet its requirements—but there’s still MasterCard, American Express and Discover.


2 Comments

  1. Howie Brecher Says:

    Well said. Most of what Visa and MasterCard do is only to improve their profitability. They have virtually no interest in stopping fraud as they just pass the cost on to their customers. When they have to eat the costs of stolen cards and identity theft then they’ll do the right thing.

  2. Gavin Phillips Says:

    It’s a good point, but bear in mind that just because the US is beginning to see that there are other technologies beyond the magstripe, in Europe EMV has been around for a *long* time. In that context, when EMV was created the issues around card data security weren’t of the same scope, and therefore was never the primary focus of the standard.

    But life moves on, and as the writer correctly points out, before migrating one of the world’s largest card and POS bases to chip, it’s an opportunity to take EMV to the next level and extend this technology to kill the PCI DSS issues too. Why this isn’t more of a focus for the schemes I don’t know.

    Then again, there’s quite a simple way of killing this with the existing technology – issue cards where the PAN is different to the Track 2 Equivalent Data, and stop pulling the latter from the card. If the PAN is only ever authorised by the issuer when the transaction originates as a chip transaction from a chip terminal that it’s able to do DDA on, then that PAN is essentially useless to a fraudster – they can’t use it for a card-not-present transaction, nor can they write it to a magstripe and use it on a non-chip terminal.

    Correct me if I’m wrong here but isn’t the big goal we’re chasing here to make a card number useless to the fraudster? If the PAN from the chip is useless outside of an EMV terminal then it becomes what POS vendors are busy selling for millions of dollars – a useless token that you can’t write to a magstripe or use for card-not-present.

