The 70 million Target credit card breach might be the first time most people ever heard of EMV, if they even noted its mention in the coverage. More secure cards wouldn’t have averted the breach but they would have limited the value of the stored data. News stories have drawn attention to the fact that American credit cards lag behind Europe and Canada when it comes to security. (EMV stands for Europay, MasterCard and Visa, which developed the technology specification for payments which has been adopted by the major card providers.)
“It is interesting that the Target breach happened as discussions about payment security are becoming more intense, driven by the migration in the U.S. to EMV,” wrote James Wester, Research Director for IDC Financial Insights, responsible for the global payments practice. “There will still be contentious discussions on how to make the transition to EMV work in the U.S., and how the technology standard will be implemented at the point of sale.”
“EMV would not have prevented the breach,” said Randy Vanderhoof, executive director of the Smart Card Alliance which is promoting more secure cards with embedded chips, “but it would have made the company a less likely target for a data breach if the data stored in their system were less valuable to criminals.”
Most credit cards in the US operate with a simple magnetic stripe that can be captured and copied relatively easily. Much of the rest of the world uses a small chip on the credit card to validate with a transaction. The chip employs cryptography and a range of other security features and measures that create a multi-layered defense against card fraud. When combined with a Personal Identification Number or PIN code (the sort used on ATM cards), it substantially raises security. Even with just a signature it makes a marked improvement over a simple magnetic stripe.
The United States is one of the last countries to migrate to EMV, according to the Smart Card Alliance. American Express, Discover, MasterCard and Visa have all announced their plans for moving to an EMV-based payments infrastructure in the U.S.
Most of the world is moving to EMV, said Ken Paull, CEO of ROAM, a provider of mobile point-of-sale readers and software, which was founded in 2005 and is majority owned by Ingenico. In Western Europe, more than 84 percent of the cards issued are chip and PIN.
Travelers have probably seen these in operation in European restaurants where a waiter comes to the table with the bill on a handheld card reader. One of the customers will insert a credit card into the reader and enter her PIN. The card never leaves her control and the combination of chip and pin, as the system is more widely known, is highly secure.
Jack Jania, SVP of strategic alliances at Gemalto, a digital security company which makes chip-enabled payment cards and the infrastructure to support them, said the chip embedded in the cards has the same computing power as an X286 computer. The chip has an operating system and several apps, depending on the level of security it provides and whether it works with signatures or with PINs. The company runs an EMV site with more details.
A traditional magnetic stripe card costs about $2 to deliver to customers, a chip card can cost $15 to $20, according to ROAM.
The U.S. has managed with the mag stripe because with its cheap telecommunications networks merchants conducted credit card transactions online, complemented by some pretty sophisticated fraud detection software. In Europe, where more transactions were done off-line, chip and PIN were critical to transaction security.
“EMV’s primary purpose around the world has been fraud prevention, and the US has done a pretty good job of managing fraud through its real-time online network of payment processing,” Vanderhoof explained. Fraud monitoring and fraud mitigation technology that doesn’t exist in other places around the world help keep a lid on fraud. But now that the US offers one of the least secure card markets, fraud is migrating to the American market.
The American card providers are launching EMV, with chip and signature, at least to start and perhaps chip and PIN later.
Visa insists that chip and signature will be plenty secure and downplays the need for chip and PIN cards.
Stephanie Ericksen, head of authentication product integration at Visa, said, “In the US, we can rely on online processing where transactions are transmitted in real time to the issuer for approval. With that in place, there’s no need for the offline authentication that was the genesis of chip and PIN.”
Chip and signature does offer good protection against counterfeit cards, which is a bigger worry for Visa than lost or stolen cards, said Allen Friedman, associate business development director at TSYS.
“They want to get migration moving and to do that they need issuers to issue cards, but a lot of smaller issuers can’t manage PINs, so they [Visa] are encouraging signature to get it moving.” Many big merchants would prefer chip and PIN, he added.
Visa isn’t losing money on fraud; the issuers are, he added. A lost or stolen card is likely to be refused at the point of sale within a few days because the cardholders would have reported it. The holder of a card that has been counterfeited might never know that someone else is using his account, until they receive the bill.
PINs require more work than signature cards. The PINs have to be sent out separately from the cards and the number and owner recorded. The issuer also needs a way to allow owners to change their PINs, and a way to replace the cards and PINs when a card is lost or stolen.
Another problem with improving card security is that new cards will require new readers, and that presents a big expense for merchants. Mag card readers typically cost about $20 in volume purchases while a chip reader costs about $40; with a PIN keypad, it can run about $100.
Scott Holt, vice president for marketing at ROAM, said that new point of sale solutions at merchants will be able to take magnetic swipes, chip and signature and chip and PIN. Several major retailers, including the Home Depot and Best Buy, are preparing for EMV cards. The overall rollout has been slow, but that is typical for the industry which often waits until the last minute, as it did with updating ATMs some years ago.
Merchants in the U.S. face an October 2015 deadline for moving to chip cards — after that, the liability for fraudulent transactions on a mag card will shift to the stores.
Dan Heimann, consulting manager for back office banking solutions at ACI (NASDAQ:ACIW), said that some banks are issuing chip cards as they replace expiring credit cards.
Fraud reduction won’t fully justify the expense of going to chip cards, he added, although he thinks some banks will offer chip cards as a competitive advantage.
International Travelers Short-Changed By American Credit Card Companies
When I first looked into chip and PIN cards a few months ago, the only bank offering in the U.S. was BMO’s Diners Club, not too surprising since the Bank of Montreal is headquartered in Canada where chip and PIN is pretty standard. A couple of credit unions — the UN, State Department and Andrews (as in Air Force Base) also offered them. BMO said that chip and PIN cards make up only a small fraction of the cards it issues in the US.
Apparently some banks are now offering them to top corporate accounts, but they certainly don’t promote the cards, or even explain them to their call center reps, to the frustration of some travelers.
Troll around some traveler Web sites and you come across stories of Americans in Europe who couldn’t use their credit cards because they weren’t chip and PIN.
“Merchants, especially in France where they have had EMV the longest, are very resistant to taking a card that isn’t chip and PIN,” said one technology vendor. Restaurants sometimes don’t want to accept cards with just a mag stripe, and train stations often require PIN cards for kiosks, with the alternative being to wait in a long line for a teller to process a mag stripe card, as I learned for myself in Amsterdam.
For a list of US issuers offering chip cards, and the few that offer chip and pin see NerdWallet.
Read through the comments too…Citi offers several chip and PIN cards, including HHonors Reserve Visa Signature, said one reader. Amex is beginning to send out replacement cards with chips, and may offer them to customers who request them. From travelers’ comments on various Web sites it looks as if you may have to reach a supervisor at a bank call center to get an informed answer about the cards on offer.
Customer service reps often seem clueless, wrote one traveler.
“Just got back from Iceland. My Chase Hyatt Visa card with chip & PIN worked fine at the unmanned N1 gas stations there. I had to call Chase to get a PIN assigned after I received the card in July. Chase customer service thought that it would only work as a chip and signature card.”
Another commenter wrote:
“I recently returned from a trip to the UK this Summer (attended the Olympics – which was sponsored by VISA btw) and was infuriated with all the train ticketing/kiosk payment problems I encountered.
“My card worked in the kiosk at the train station in France, but Italy also required the PIN, so I ended up walking a few miles back to my hotel since the ticket office was closed.”
An American dining in Brussels recounted being unable to use his card in a restaurant so he had to dash out to an ATM and get cash to settle the bill.
Vanderhoof said the US has about 1.2 billion credit and debit cards in use, and only a small percentage of those users are frequent international travelers who would want a chip and PIN card.
“For most consumers this is just noise because they have little stake in fraud prevention, since credit cards’ advertised zero liability has been promoted so heavily.”