This is page 3 of:
EMV Is Simply Not Worth The Effort. Not Even A Little
Yes, in the U.S. where online shopping on Black Friday surpassed brick-and-mortar sales, we are going to adopt a technology that does nothing to improve the security of credit cards online. Speaking as a consumer now, this old technology has already proven to be susceptible to man-in-the-middle attacks, which is security speak for steal your PIN. As a consumer, this makes me more nervous than having to remember my PIN, because now it’s going to be just that much harder to protest that those are not my charges and that I don’t even live in Estonia.
“Is there any reason we can’t just have technology that secures the card data, removes my costs for data security compliance and protects consumers online?”
Actually, no, there is no reason. The chip in the card is probably capable of fully encrypting card data; in fact, it’s probably capable of doing away with card numbers all together and using the concept of certificates, like computers. It’s probably also capable of knowing the difference between normal EMV and better, encrypted, U.S. EMV 2.0 technology. And, if it doesn’t, we are starting to see solutions from other companies such as iTunes, Google and PayPal that are coming up with ways to protect credit-card data through the use of smartphone apps and online wallets. Mobile payments are just waiting for the spark that starts everyone using their phone to pay for purchases.
U.S. merchants don’t want old technology. U.S. merchants want the next generation of EMV. We want a technology that protects the card number. The U.S. is a clean slate. Where is EMV 2.0? Give us the next-generation approach.
Merchants have spent the last five years spending money to protect the credit-card companies’ even older technology—the magstripe. Now we’re being told to spend even more money on an inadequate technology that doesn’t address these same problems. This must stop. Give merchants a solution that fixes the data security of the cards. Give merchants a solution that eliminates PCI and addresses online fraud.
EMV is old, costly and inadequate. Visa needs to stop dressing this up as a fraud technology for consumers, merchants and banks. Visa, stop pretending this lipstick addresses the data security problem.
What do you think? Have I overstated the case? Please E-mail me at thuber@storefrontbacktalk.com and let me know.
-Marc
November 17th, 2011 at 4:53 pm
Well said. Most of what Visa and MasterCard do is only to improve their profitability. They have virtually no interest in stopping fraud as they just pass the cost on to their customers. When they have to eat the costs of stolen cards and identity theft then they’ll do the right thing.
November 17th, 2011 at 7:58 pm
It’s a good point, but bear in mind that just because the US is beginning to see that there’s other technologies beyond the magstripe, in Europe EMV has been around for a *long* time. In that context, when EMV was created the issues around card data security weren’t of the same scope, and therefore was never the primary focus of the standard.
But life moves on, and as the writer correctly points out, before migrating one of the world’s largest card and POS bases to chip, it’s an opportunity to take EMV to the next level and extend this technology to kill the PCI DSS issues too. Why this isn’t more of a focus for the schemes I don’t know.
Then again, there’s quite a simple way of killing this with the existing technology – issue cards where the PAN is different to the Track 2 Equivalent Data, and stop pulling the latter from the card. If the PAN is only ever authorised by the issuer when the transaction originates as a chip transaction from a chip terminal that’s it’s able to do DDA on, then that PAN is essentially useless to a fraudster – they can’t use it for a card-not-present transaction, nor can they write it to a magstripe and use it on a non-chip terminal.
Correct me if I’m wrong here but isn’t the big goal we’re chasing here to make a card number useless to the fraudster? If the PAN from the chip is useless outside of an EMV terminal then it becomes what POS vendors are busy selling for millions of dollars – a useless token that you can’t write to a magstripe or use for card-not-present.