Payments Security UX

Managing the huge task of keeping EMV card data secure in the US

EMV card and padlock, used to illustrate a story about chip and PIN security by Carron Oswald. Photo: (Flickr Creative Commons)
Written by Carron Oswald

Carron Oswald discusses the status of EMV card security in the US, and what the October 2015 deadline for chip and PIN implementation means for banks and consumers.

2015 is meant to be the year of reckoning for EMV (Europay, MasterCard, and Visa) chip cards in the United States. The October 2015 deadline for chip-embedded credit/debit cards looms before the complicated US payment network of banks, card companies, merchants and consumers.

Aligning with the global standard of chip-embedded EMV cards is critical to make US payment transactions and consumer data more secure. Most nations have adopted this nine-year-old payment technology, so the US is among the last to adopt and truly globally standardize card transactions. As the final process of implementing US EMV cards unfolds, it’s questionable whether consumer card data may be less vulnerable to attack.

For the past 40 years, the American consumption engine has been fueled by the debit/credit card machine. The manual imprint taken by a cashier in the 1970s made it obvious that the contact-details-conscientious consumer could simply hold out their hand and receive the remnants of their transaction, the somewhat messy carbon imprints. Security was forfeited for speed as the payment transaction was automated. The fraction of a second-card-authentication swipe leaves one’s digitized data behind, stored in POS terminals, e-commerce websites and mobile payment apps for every non-cash payment made.

The magnetic stripe is a vulnerable method of exchanging information and makes it easy for hackers to obtain details to either create counterfeit cards or use the details in online purchases. In fact, 47% of global fraud card originates in the US. Recent data breaches from the merchant side at Target, Sony, Kmart, Staples and now Anthem Insurance is bringing more urgency to this issue.

Merchants and consumers have responded with low-tech solutions, such as a piece of aluminum foil in a wallet (an effective method of blocking a manual scanner from reading card data from a magnetic stripe). You can leave the tinfoil hat at home, as passwords cannot be scanned out of consumers’ heads. Hackers know consumers’ minds well enough to know online passwords are seldom updated. The big box merchants and firms have sent out emails to consumers whose data has been stolen to encourage them to change their passwords and monitor for abuse.

EMV card transaction responsibility

An EMV transaction transmits users a unique token – a numeric code – for each transaction. The token is matched to the user’s data by the card-issuing bank, rather than stored at the point of sale, or by an e-commerce website.

The 1 October 2015 deadline shifts the liability when there’s a card payment at a point of sale to whichever party is least EMV (chip) compliant. As Europay merged with MasterCard in 2002, Visa is the last to make this shift. The bank or merchant that’s least EMV-compliant will be responsible to rectify a fraudulent transaction.

Outside of the US, card users, merchants and card-issuing financial institutions have been successful in reducing fraud. Card issuers have even used chip-embedded cards to launch different products, such as paying for parking, or smaller purchases.

65% of all POS terminals in the US so far are opting for a choice of mag-stripe swipe or chip-dip transactions. The consumer will have to be informed by the merchant and bank of the benefits of the EMV transaction by the end of 2015 (at the latest).

This is an important first step and a massive undertaking to keep US card data secure. Hackers will likely shift their efforts to target banks, who will be the sole stewards of card authentication data. Yet, with the recent spate of hacks in 2014, there’s enough stolen information to create fraudulent cards and transactions to keep them in business.

Sources: EMV Connection. For suggestions to implement an EMV Card Program for banks and merchants, see EMV Connection–Best Practices Guide (PDF).

About the author

Carron Oswald

Carron Oswald is a digital product consultant and writer based in San Francisco. She has managed new product and technology infrastructure for Wells Fargo, Restoration Hardware, Visa and Delphi Automotive in the US, Germany and The Netherlands. Carron earned a BA from San Francisco State University in Drama and an MBA from Thunderbird Global School of Management.

Leave a Comment