The Chip and PIN Debate Part 4

Tuesday, September 28, 2010

PCI Guru


This is my last post on EMV, which I am sure will please a number of people, although I know this debate will only continue. There are a lot of people out there who have taken large swigs of the Kool Aid and blindly believe that EMV is nothing but good and perfect with no bad side.

After all of these posts bashing EMV you probably believe that I despise EMV, but I do not. What I despise is that EMV is portrayed as the savior and it is not. This is no different than how the card brands portray the PCI DSS as “the be all to end all” of security standards, which it is not.

Just like the PCI DSS will never eliminate all breaches, EMV will never eliminate all fraud. However, in both cases, they will reduce the number of their respective incidents to a more manageable and acceptable level.

In part 2 I pointed out that, from a card present fraud perspective, EMV really brings no incentive to change. In part 3 I pointed out that EMV has security issues, so it is not a perfect solution. So what can be done to give EMV a feature or attribute that would improve its adoption through the rest of the world?

I stated in my original post that EMV can also be used to secure on-line transactions, but it is not used to secure on-line transactions because the banks, card brands and Web developers could never agree on a standard for such functionality.

Not that the banks, card brands and Web developers really tried to come together and create a standard.  However, without such a standard, it is impossible for Web sites to cost effectively implement their end of the EMV on-line security solution.

Card not present fraud is out of control. It is growing at 25% to 30% annually around the world, even in those places that have EMV. No one seems to be doing much about it. However, EMV could provide a tremendous reduction in card not present fraud if such an on-line security standard were developed.

The beauty of this solution is that the hardware and software already exist for the most part on the client end.  What is missing is the standard between the client and the Web site that would create an authentication between the card and the Web site that would be nearly impossible to replicate.

The bottom line is that EMV could be used to take a lot of the risk and threat out of on-line transactions with little effort.  So let us lobby the banks, card brands and e-Commerce vendors to come together and create something good of EMV.

Cross-posted from PCI Guru

JustAskGemalto Appreciate all your posts on EMV - we agree that the debate will continue. We'd love for our VP of Secure Transactions to provide perspective as well. Possibly a guest blog post?

In addition, we have set up a website (more consumer focused) to collect travel stories from those who have been declined with the magnetic stripe technology abroad. Would appreciate support: