According to a mid-March 2014 report issued by the Nilson Report, which covers the financial payments industry, the United States accounts for nearly half of the world’s credit card fraud and this fraud is pervasive from credit cards to debit cards to prepaid cards. The amounts lost to this theft is dramatic — $11.27 billion in 2012 which represents a nearly 15 percent increase over 2011.
While the issuers of those cards pay nearly two thirds of the loss, the reality is consumers and commercial customers pay for this fraud in the form of higher fees, lower interest rates and lost time and money when fraud is detected. The vast majority of the fraud occurs at the point of sale. In California, if a credit card is signed, merchants cannot legally ask to see identification.
The vast majority of fraud is due to “skimming.” Thieves extract data from the magnetic stripe off a card using a skimming device where the data is easily transferred to a fake card. The solution seems simple: move to a secure card that employs EMV technology which requires a four digit PIN to be entered at the time of purchase. But EMV security doesn’t work as well for online transactions, where most of those are made in the United States.
EMVCo, an organization driven by Visa and Mastercard, has defined a roadmap for EMV adoption in the US that considers the unique requirements for everyone involved in the transaction network from ATM providers, Merchants, Payment Processors, Automated Fuel Dispensers, and others. New liability for fraud shifts are defined at each stage to hold whichever part of the network fails to comply on time. The entire schedule is due to be completed by 2017.
REALSEC has tremendous experience with EMV is Europe and we’re poised to help our US banking customers comply with this new technology for US card transactions. But it’s important to understand, there is no federal requirement to deploy this technology so there’s no enforcement. Market forces are driving it and we think it’s about time.
EMV is an open-standard for secure payments and acceptance devices, developed to ensure interoperability between chip-based smart payment cards and secure payment terminals. Embedded chips provide powerful transaction security technology not available on traditional magnetic stripe cards. When EMV is fully deployed for US issuers and customers, there should be a dramatic reduction in card fraud. Additionally, EMV cards will be fully interoperable with the international payments infrastructure, which today’s mag-stripe cardholders have trouble with when traveling abroad. Simply stated, EMV technology enhances cardholder verification methods and can be used for secure online transactions.
Walmart has already begun using EMV terminals at the point of sale for fast acceptance of EMV chip-and-PIN cards, but most major US retailers are slow to use EMV technology because it will not show a rapid return on investment. That said, EMV deployments are underway in at least 80 nations. EMVCo reports about 1.3 billion cards have been issued and there are nearly 21 million POS terminals that use these cards.
EMV cards go beyond these elements to include a third dimension: storing payment information in a secure chip. All cryptographically secure personalization is performed using issuer-specific keys so that it is virtually impossible to create a counterfeit EMV card that can be used to successfully conduct an EMV payment transaction.
Today’s next generation EMV dynamic cards behave exactly like multi-application cards, by including additional applications in the chip itself. For example applications for product loyalty, physical and logical access control, transportation, education cards, insurance and many more are easily programmed directly into the chipset. This could bring new business opportunities for banks who adopt this technology, and could help fund some or all of the significant investment required for EMV adoption.
Besides reducing fraud, EMV allows users to conduct off-line transactions at terminals and can easily become the top technology used for mobile payments (Visa is linking EMV and NFC) as its simply more secure. With greater security, financial institutions can market this function and obtain greater cardholder retention.
As EMVCo explains, the biggest benefit of EMV is the reduction in card fraud resulting from counterfeit, lost and stolen cards. EMV also provides interoperability with the global payments infrastructure, ensuring that consumers with EMV chip payment cards can use their card on any EMV-compatible payment terminal. EMVCo cites the ability to support enhanced cardholder verification methods as an additional benefit of EMV technology, along with its ability to be used for secure online payment transactions.
The enhanced functionality for card authentication, verification and transaction authorization are three key security benefits of EMV. By storing payment information on a secure chip instead of a magnetic stripe, and leveraging issuer-specific keys for all personalization, we believe it’s almost impossible to create a fake EMV card as fake mag-stipe cards are made.
Sebastian Munoz is CEO of Realsec Inc., a leading technology company providing cryptographic solutions in the fields of encryption, digital signature, PKI and time stamping for banking and payment systems, government and large enterprise. Visit his blog at
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.