Why The Push For EMV Adoption In The United States?

Monday, February 20, 2012

PCI Guru


Have you noticed all of the press lately regarding the Europay, MasterCard and Visa (EMV) card coming out of Visa?  It has been very hard to miss.  As a result, I started wondering about the purpose of this full court press for EMV.

Before getting into my post, I need to be clear that EMV only refers to the chip in the EMV card.  In the past I have gotten a lot of feedback from Visa when I referred to EMV as “chip and PIN” even though the world almost universally refers to EMV as “chip and PIN.”

With that disclaimer, since last August, Visa USA has been making a concerted effort to get merchants to adopt EMV.  Just a week or so ago, there was another push by Visa USA to entice merchants to support EMV.  So what is the driver behind this push?  That is the $64,000 question and the more you talk to processors and merchants, the more confusing it gets.

Merchants are just as puzzled as I am regarding Visa USA’s EMV push.  In the case of a number of large merchants I have spoken with, they do not get it as they refreshed their card terminals and POS equipment over the last three years and there is no way they are going to swap all of that new gear for EMV-capable equipment.  These merchants are not even looking at contactless terminals.  Such an equipment swap this soon would not be cost effective.

But merchants question what EMV would do for them.  EMV was developed in response to the fall of the Iron Curtain when fraud ran rampant in Europe.  Credit cards were being cloned at an obscene rate and card present fraud was huge. 

When EMV was fully implemented, card present fraud in Europe went to levels close to or a little lower than in the United States and EMV card present fraud has remained around those rates since. 

Given where card present fraud rates are currently in the United States, introducing EMV would have a limited effect on card present fraud and that would not be enough to offset the costs of implementing EMV or contactless terminals.

So if it is not card present fraud, it must be card not present fraud that Visa USA wants to address, right?  Card not present fraud, particularly on eCommerce Web sites, is running almost out of control.  I would like to say that this increasing fraud rate is the reason for Visa USA's push.

However, EMV does nothing to address the rapidly rising rates of card not present fraud.  The reason is that in order for EMV to address card not present fraud, there would have to be some sort of interface written that would produce codes, single use transaction numbers or similar that could be used by the consumer online.  But no such solution exists, so card not present fraud cannot be the driver either.

Back in August Visa USA announced that merchants using EMV or contactless could avoid filing a PCI Report On Compliance (ROC) with Visa USA, so that must be the reason for the push.  However, at this year's PCI Community Meeting in Phoenix, Arizona, PCI SSC General Manager Bob Russo made it very clear that, regardless of what Visa USA was saying about filing a ROC, all merchants were still required to prove that they are in compliance with the PCI DSS.

Other card brands also reinforced this statement by reaffirming that they still required the merchant’s ROC and/or AOC as proof of compliance.  As a result, merchants save themselves very little by not having to file a ROC/AOC with only Visa USA.

What about EMV being more secure?  While that is typically true for small and mid-sized merchants, large merchants that switch their own credit card transactions would still likely have card data in their switch systems if not elsewhere in their computer systems.  So claims by some, including at times Visa USA, that PCI compliance is easier with EMV are not totally true.  Large merchants in Europe will back this up.

So after 15 years of EMV, what is Visa USA trying to prove with this push of EMV?  Apparently only Visa USA can tell us because, for the rest of us, there are no business cases we can construct to justify the switch to EMV.  Obviously, Visa USA knows something that the rest of us do not.  Or do they?  I have consistently said that without any card not present fraud solution, EMV is just a solution looking for a problem.

But wait, maybe there is something here that we have been missing.  Is it possible that Google Wallet and similar current and future applications make Visa USA feel threatened?  There may be some factual basis in that statement.

At the PCI Community Meeting last fall, I spoke with a number of processors that seemed to have an idea of why Visa USA was finally pushing EMV.  These processors indicated that the EMV push was being driven by Visa USA to get EMV into the United States market before Google Wallet and similar applications could take the advantages of EMV away. 

After all, the United States is the largest credit card transaction market in the world, and if EMV were not in the United States, there would be no driver to push worldwide adoption.

When I quizzed these processors about the supposed “advantages” of EMV, they said that was the real problem.  With the advent of smartphones and applications such as Google Wallet, EMV has no advantages.  As a result, merchants and banks have no incentive to implement EMV with these new technologies just on the horizon.

When I went back and talked to a couple of key merchants, they all said that they are waiting out the technology race to see what wins from a smartphone perspective.  If Google Wallet and the contactless approach win, then that is where they will head. 

However, a lot of merchants are betting on one-time use transaction codes displayed as bar codes to win out, as they do not typically require any technology changes at their POS.  American Express went down the one-time use transaction code route (a 15 digit number that looks like a credit card number) around five years ago, but only had limited success with it for online transactions.  However, maybe the time has come for another try.

In the end, it is the consensus of merchants and processors that Visa USA has missed the window for EMV in the United States.  Most organizations believe that if Visa USA wanted EMV in the United States, they should have pushed it long ago.

Cross-posted from PCI Guru

Arjen de Landgraaf Good article and some comments from Europe :-))
The biggest issue here is/was that a magnetic strip is a lot easier to copy than a chip.
CP problem #1 ATM Skimming
With Card present, skimming has become a mainstay crime, mainly performed by Eastern European gangs. They place MS (Magnetic Stripe) reading equipment and a camera to record the PIN, at ATMs.
However, for now the European cards need to retain both the EMV chip AND MS, for as long as there are any other ATM units out in the world only reading MS. Otherwise the new cards could not be used at those older units. So for EMV adoption not only the US is a hold-up, but also all the south European, African and Asian countries where Europeans love to spend their holidays, because in all those countries EMV has not been adopted as in western/northern Europe. And that means the European cards can still be skimmed on the MS, even while containing an EMV chip. Data collected is sent to their partners in crime in countries where EMV is not yet implemented, data is copied onto blanks, and used as the original card to pilfer the victims' bank accounts.
Having EMV reading only, this problem can be avoided, until such time as the crims have adapted and managed their way around EMV skimming too (as has already been proven to be possible), so EMV is only a temporary solution.
Another solution today could be to monitor the actual transfers out of the account a lot closer. Requiring better multi-factor authentication for any payment to an out-of-pattern destination, or any unusual amount or frequency. Plus a cool-down period of weeks, where payments can be reversed.
But this would require a massive investment by banks in both additional software and transaction costs. Given the current losses on skimming, the banks will prefer to just take them as a necessary evil, a loss, and compensate victims. What they forget, though, is the serious disturbance of the victim's normal life process, as cards, with associated accounts, need to be blocked, and the victim is left without access to their own funds.
CP problem #2 EFTPOS Skimming
Crims either switch MS EFTPOS units in a retail shop or restaurant, or lock themselves in for the weekend and rebuild existing MS EFTPOS readers by placing a memory chip and associated hardware inside, reading the mag stripe and each entered PIN code, saving it on the chip, or, using mobile phone components, sending the details out, either as a data stream or SMS. In the case of only placing a memory chip, they need to come back after some weeks and retrieve the units. With mobile phone technology they keep on harvesting until it is found out that the unit has been doctored.
As the card is only pushed in partly in most EMV-capable EFTPOS readers, the old problem in retail shops adopting the new unit is largely avoided: the ability to directly read the Magnetic Stripe (MS). However, old problems remain and new ones will no doubt show up.
What is more serious, as we all know, is that IT security is on average some two years behind in building good defences against new cyber crim tricks. No doubt EMV will also be circumvented (and already is, partly). Only 3-way, multi-channel authentication and very strong encryption can limit the next crimwave. With Card not Present the above will also be of benefit, but attack technology such as Man in the Middle and Man in the Browser will increase the call for a next generation (beyond EMV) protective technology. Using mandatory additional mobile feedback authentication makes the authentication process increasingly complex, adding to the frustration of (especially older generation) customers.
What that will be, I do not know yet. Perhaps biometric thin-film thumb-readers for CP. And that does not solve the authentication data transfer issue. So, also strong encryption at the heart of the source – building nano-processors into the card itself, steering both biometric recognition and strong next generation encryption. That also might be solving the CNP issue, but this sort of technology will not be here within the next five to ten years.
That will also mean again a whole new round of worldwide replacing of millions and millions of ATMs (now still in EU mainly MS readers) and retail EFTPOS units with new technology that has not yet been invented and built. Until then the cybercrooks can continue to go where the money is, using current tricks, and no doubt will continue to look for ways to get to the digital vault. Now and in the foreseeable future, so no new technology will be foolproof.
Melissa Wood I think this is a perfect summation of what is going on in the US. Merchants of all size do not want to have to upgrade their equipment until they know the true advantages to EMV or NFC. Once the tech war has been won, the migration will begin.