This is page 2 of:
EMV Is Simply Not Worth The Effort. Not Even A Little
However, Visa is going to assign you the liability for any fraud traced back to your retail location if you don’t upgrade your equipment. This would be in addition to the chargebacks you already have to deal with. Starting to see why this pretty nifty plan is just lipstick and rouge?
“Please tell me this will at least reduce my risk for being breached because somehow malicious software got onto my point-of-sale?”
I’ve heard people say this, but no, sorry, until your customers stops paying with cards that have a magstripe, you’ve still got the same risk. And, if PCI adoption rates are any indication of how long that is going to be, you’re going to be waiting a few years. Of course, it would help if consumers started using PINs with their credit cards. But I don’t really see that happening. You’re asking every U.S. consumer who hasn’t bothered to learn a PIN when using their credit card for the last 20 years to start memorizing a PIN?
“Why am I doing this? Why am I spending thousands of dollars—again—to upgrade my point-of-sale equipment when I still have to be PCI compliant and I still have to worry about breaches and the fraud I see doesn’t come close to covering this cost?”
I’d like to say “lack of imagination” or “no one is really demanding something better.” Big retailers who have businesses all over the world really like the idea of reducing their fraud. But I bet they’d like the idea of reducing PCI compliance costs and having safe online transactions, too.
There are also consumers. Consumers who travel to Canada and Europe—or come here from there—really like being able to pay for things without having their cards rejected. But I bet they’d also like safe transactions online and not having to worry about having their magstripe data being skimmed.
“But I just spent thousands of dollars upgrading my point-of-sale and my network security! I upgraded my gas pumps so I could accept TDES PINs! Now, I have to upgrade my pumps so I can accept Chip-and-PIN? And after that, what? I’ll need to upgrade my pumps again so I can accept mobile payments?!!”
Yep. Like I said, lipstick and rouge. You get to upgrade all of your equipment with old technology that doesn’t even encrypt credit-card numbers. Hey, it doesn’t protect you online, either. Yes, in the U.S. where online shopping on Black Friday surpassed brick-and-mortar sales, we are going to adopt a technology that does nothing to improve the security of credit cards online.
-Marc
November 17th, 2011 at 4:53 pm
Well said. Most of what Visa and MasterCard do is only to improve their profitability. They have virtually no interest in stopping fraud as they just pass the cost on to their customers. When they have to eat the costs of stolen cards and identity theft then they’ll do the right thing.
November 17th, 2011 at 7:58 pm
It’s a good point, but bear in mind that just because the US is beginning to see that there’s other technologies beyond the magstripe, in Europe EMV has been around for a *long* time. In that context, when EMV was created the issues around card data security weren’t of the same scope, and therefore was never the primary focus of the standard.
But life moves on, and as the writer correctly points out, before migrating one of the world’s largest card and POS bases to chip, it’s an opportunity to take EMV to the next level and extend this technology to kill the PCI DSS issues too. Why this isn’t more of a focus for the schemes I don’t know.
Then again, there’s quite a simple way of killing this with the existing technology – issue cards where the PAN is different to the Track 2 Equivalent Data, and stop pulling the latter from the card. If the PAN is only ever authorised by the issuer when the transaction originates as a chip transaction from a chip terminal that’s it’s able to do DDA on, then that PAN is essentially useless to a fraudster – they can’t use it for a card-not-present transaction, nor can they write it to a magstripe and use it on a non-chip terminal.
Correct me if I’m wrong here but isn’t the big goal we’re chasing here to make a card number useless to the fraudster? If the PAN from the chip is useless outside of an EMV terminal then it becomes what POS vendors are busy selling for millions of dollars – a useless token that you can’t write to a magstripe or use for card-not-present.