EMV Won’t Stop Fraud – But So What?
Much ink has been spilled over the recent major data breaches, in particular Target. I’ve commented on it here and here, and been engaged in lengthy conversations over the implications and costs associated with these breaches. I won’t repeat what I’ve previously said here; I want to take a different look at the challenge.
A number of folks have suggested that converting to EMV is a waste of time since it won’t “eliminate fraud” and I think this is a horrible argument. Most of these arguments run along the lines of “well, EMV won’t stop online/CNP fraud so it is a waste of time.” It is sort of like saying we shouldn’t bother with seat belts because they don’t “eliminate traffic fatalities.” There is no technology in the world that eliminates fraud. Yet we can reduce fraud, reduce costs, and change the attack surface thereby enabling more focus on areas where fraud is more likely to occur.
To understand this, let’s take a trip down memory lane and recall a bit of the history of our payment card technology. When plastic credit/charge cards first came out in the mid-20th century they had numbers and a name embossed in raised letters on them. Many cards still do. The reason was that using these cards meant putting them in a little machine that used carbon paper to copy the raised numbers and the slips were submitted for processing. I suspect a lot of people have forgotten about this, and younger folks might never have seen this mechanism. When these cards were designed the internet was not even a twinkle in Berners-Lee’s eye (or Al Gore’s). No one was even considering what online purchases would be like. The technology was designed around the problem scope that existed, and the problem scope changed massively beginning in the 1990s.
Fast forward to today, early 2014 – in the US we use payment technology that was standardized in the 1960s and, with only a few modifications, has basically stayed the same. It wasn’t designed for security, it wasn’t designed for card not present transactions, it wasn’t designed for mobile or NFC or Facebook or any other new high tech buzzword. I’m not saying old is bad, as will become evident with my argument for EMV in a moment, but design that is old often fails to take into account the current realities – and this is the case with the mag-stripe based card payment technology in the US (and N Korea).
A quick outline of the failings in the current technology in the US, some of which are “exported” to other markets to provide interoperability:
- Card numbers in the clear on the card – it is entirely trivial for a server at your local restaurant to copy the card number, expiry date and CVV2 off the back.
- Mag-stripe is now easy to skim – it wasn’t back in the 80s so criminals didn’t do it, but it is very cheap today
- The card data is entirely static – there is no facility to tokenize the data, encrypt the data, modify identifiers or authenticate the card holder.
- The same information is used for card present (CP) and card not present (CNP) transactions – with only the small modification of using CVV2 rather than CVV, you use the same information for all types of transactions.
So, the technology was great and a boost in convenience for a few decades until other technologies started making it a risk, a weak spot that criminals could take advantage of. Today’s reality is that it costs between $100 and $500 to acquire the equipment to skim card data and encode it on white plastic. That investment can easily return 10x to 100x in ill-gotten gains – much better than the stock market or the casino.
This mag stripe technology is great for lower security applications – hotel room keys, general building access, loyalty schemes, etc – but it is not good for anything requiring security, dependability or authentication.
Here is what I think we need to do in the US to modernize our payments infrastructure. Some of this is underway, but some take things a little further.
- Convert to EMV – yes, this does not stop CNP fraud, and yes, early versions were hacked (under the SDA specification, the DDA portion has not been hacked). Implementing EMV with DDA dramatically reduces POS fraud. Just ask the UK. And every other country except the US and N Korea. Yes the EMV standard is “old” and doesn’t have a cool factor. Old is not bad – it is proven and tested to work and has held up well.
- Implement chip & PIN – the current proposals from Visa and MasterCard in the US allow for “chip & signature” – this is a hack and should be a “fallback” method of cardholder verification rather than the standard. Liability should be shifted if the fallback is used.
- Stop putting mag stripes on cards – there is no point when a chip offers so much more functionality. The stripe is basically a small floppy disk; how many of us still use floppy disks? Yes, there is that one guy in Montana with a bunker and 2 years’ worth of military rations.
- Stop bothering to put the card number and cardholder name on the plastic – all there needs to be is an identifying mark so people know which one they are pulling out of their wallet/purse. This leaves space for neat things like dynamic codes or multi-purpose cards.
- Stop treating card present and card not present transactions like they are the same – there is absolutely no need to use the same instrument/identifier for both types of transactions. Issue PANs for CNP use – one static for persistent use (e.g. recurring transactions) and dynamic single use ones for most purchases. Update liability policies to be different for the use cases. Or maybe even implement direct payment solutions like Germany’s ELV or have PayPal open up and act more like Red Hat. The point is that online and physical payments are different use cases and we should not shoe-horn a single solution for both.
- Stop claiming that updating the POS infrastructure is a big issue – this one really gets to me, so many people claim the cost of upgrading POS terminals is prohibitive. It is not. The average cycle is about 3 years for retail POS upgrades, a little longer for unattended terminals (e.g. petrol stations). If you don’t believe this, liquidate your positions in Ingenico and Verifone and the like now. In my local area most of the retailers’ POS terminals are already chip and EMV compatible, but no one knows it. The incremental cost of adding chip compatibility to the ever increasing functionality of POS terminals is minuscule. The cost of chip compatibility is tiny compared to having an LCD touch screen on the terminal.
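The contrast behind the “card data is entirely static” point and the case for EMV with DDA above, as an added example that is not part of the original post: a copied static value is indistinguishable from the original, while a response bound to a fresh terminal challenge and a transaction counter cannot be reused. This is a simplified model in which HMAC stands in for the chip's cryptography (real EMV DDA uses an RSA key pair on the chip); all names and the sample card number are constructed.

```python
import hashlib
import hmac
import secrets

PAN = "4111111111111111"        # constructed test-range number, not a real card
STATIC_TRACK = PAN + "=2512"    # constructed stand-in for the stripe contents

def cryptogram(key, pan, atc, challenge):
    # MAC over card number, transaction counter and the terminal's challenge.
    msg = pan.encode() + atc.to_bytes(2, "big") + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    """Simplified chip: the key stays inside, only responses come out."""
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def respond(self, challenge):
        self._atc += 1  # counter advances on every transaction
        return self._atc, cryptogram(self._key, self.pan, self._atc, challenge)

class Verifier:
    """Holds each card's key and the highest counter value already accepted."""
    def __init__(self, keys):
        self.keys, self.last_atc = keys, {}

    def check_static(self, track):
        # Static data can only be compared with a known value, so a copy passes.
        return track == STATIC_TRACK

    def check_dynamic(self, pan, challenge, atc, mac):
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc.get(pan, 0):
            return False  # unknown card, or counter value already used
        if not hmac.compare_digest(cryptogram(key, pan, atc, challenge), mac):
            return False  # wrong key, or response made for another challenge
        self.last_atc[pan] = atc
        return True

def run_demo():
    key = secrets.token_bytes(32)
    card, verifier = ChipCard(PAN, key), Verifier({PAN: key})
    challenge = secrets.token_bytes(4)
    atc, mac = card.respond(challenge)
    genuine = verifier.check_dynamic(PAN, challenge, atc, mac)
    # The same recorded response presented again under a new challenge.
    replayed = verifier.check_dynamic(PAN, secrets.token_bytes(4), atc, mac)
    return {"stripe_copy": verifier.check_static(str(STATIC_TRACK)),
            "chip_genuine": genuine, "chip_replay": replayed}

if __name__ == "__main__":
    print(run_demo())
```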
I feel a little bit like that guy in a bunker writing a manifesto at this point. Yet I also feel hopeful that we can solve this problem with well proven technology and the US can re-join the global community when it comes to payments. Maybe a bit Quixotic in some sense, but it is an important infrastructure issue for the US both internally and as a part of the global community. As John Lennon said, “You may say I’m a dreamer, But I’m not the only one, I hope someday you’ll join us, And the world will be as one.”