The Limitations of EMVThe Future of Payments Security Is Fraught with Risks
In response to the crisis in trust and the anger of consumers and merchants, the card brands and issuers seem to have finally committed to EMV in the U.S. A colleague suggested that we might experience yet another crisis in trust when consumers and merchants realize that EMV does not solve all their problems. I thought it might be timely to talk about the limitations of EMV.
First, and perhaps foremost, many of the security advantages will take longer than the published schedules. It will be easier to introduce EMV than to get rid of mag-stripe. Since I have a trip to Europe coming up, and because I would like to get rid of mag-stripe, I asked American Express to issue me an EMV card. I explained that I wanted one without a mag-stripe. The agent explained that while she understood, she could not accommodate me. Not only was their standard practice to issue cards with both, but while they could issue mag-stripe only cards, they did not even have a capability to issue EMV-only cards.
Experience demonstrates that EMV moves fraud from where EMV is used to where it is not.
While the issuers have modified their contracts to require merchants who do not have EMV capability by a certain date (currently October 2015) to assume the cost of fraud, they have not announced a date when they will stop issuing the vulnerable mag-stripe. Now to be sure, the mag-stripe is only vulnerable when we use it. As more and more POS devices are equipped to process EMV, mag-stripe use will decline, but the vulnerability will not go away simply because the card has a chip.
The second limitation is the fraudulent use of lost or stolen cards. In a world in which most transactions take place online, the most effective way to resist that is to cancel the card. The Internet and wireless enable us to put even soft drink vending machines online. Therefore, this is the mechanism on which I think the brands and issuers intend to rely most heavily. However, this will leave a small window of vulnerability.
Historically, we used signatures on paper as a mechanism to close part of that gap. The signature also addresses the risk that the consumer will disclaim a transaction that she does not otherwise recognize. The effectiveness of this mechanism relied, in part, upon the merchant to compare the signature on the transaction document to the reference on the back of the card. As we have moved from paper imprinters to online point-of-sale devices, the effectiveness of this mechanism has been reduced, while the cancellation of the card works better.
Chip and PIN
The EMV standard provides a third mechanism, a personal identification number or PIN, modeled after the PIN used with ATM or debit cards. When EMV was introduced in non-U.S. markets, when and where more transactions were offline, this mechanism was so widely used that EMV is known there as "chip and PIN." When I asked the American Express agent about a PIN, she explained that an AmEx EMV card is a "chip and signature" card, a credit card, like mag-stripe and signature; no PIN required. One demonstrates that one originated a transaction by making a unique mark on a piece of paper or, more likely on a screen on the point-of-sale device. Actually, since this "signature" is not reconciled at transaction time, this mechanism offers limited protection against fraudulent use of a lost or stolen card, but is fairly useful for distinguishing fraudulent transactions from legitimate ones.
Of course, I really do have a PIN. My card is enrolled in AmEx's "Express Cash" program that enables me to use my American Express card to withdraw cash from my bank account at most ATMs worldwide. As with mag-stripe, this requires a PIN. My bank automatically issued me an ATM card and PIN, usually in separate mailings. For AmEx Express Cash, I had to give them my bank account number and the bank's routing and transit number, and then they sent me a PIN. When "check" and debit cards are issued with EMV, they will have PINs.
The third and biggest limitation is the so-called "card not present" transaction. While EMV accomplishes its major goals - resisting leakage of the credit card number at the point-of-sale and the counterfeiting of cards using only the number - it would be unreasonable to expect it to resist fraud in applications where it is not even involved.
Experience with use of EMV demonstrates that it moves fraud from where EMV is used to where it is not. It has moved counterfeiting of cards to the U.S. and payment fraud from the point of sale to mail, phone and Internet. We can expect EMV to reduce overall card fraud and to move it.
Of course, there are means for resisting fraud where the use of EMV cards is not practical, but that is a topic for another day. However, just as credit cards involve agreements between consumers and card issuers and card issuers and merchants, resisting card-not-present transactions will involve new parties and new agreements. Think PayPal.
The issue is not whether these limitations of EMV constitute an unacceptable risk; they do not. Rather it is whether the issuers, consumers and merchants have been led to expect more than EMV can deliver. It is whether EMV repairs breach of trust or the limitations exacerbate it. Here I think the jury is still out. However, we still have time to rationalize expectations.
Bill Murray is a management consultant and trainer in Information Assurance specializing in policy, governance and applications. He is Certified Information Security Professional (CISSP) and chairman of the governance and professional Practices committees of (ISC)Â², the certifying body. He has more than 50 years experience in information technology and more than 40 years in security