“The U.S. version of EMV is not really EMV – it's chip and signature,” Sweet said. “Signatures are a very poor method to authenticate the cardholder, especially when compared to the use of a secret PIN that's centrally stored.
“So, right out of the gate, the type of implementation we typically see in the U.S. has less potential for reducing fraud than the common European implementation,” he said.
While others agree that a signature is less secure than a PIN, they don’t think it undermines EMV much. Pascual said the most significant benefit of EMV is the chip, “which renders card counterfeiting nearly impossible. If PINs were the solution for what ailed the market we would have switched from signatures long ago,” he said.
Some merchants do require a PIN, said Chris Strand, the resident expert on EMV and CNP at Bit9+Carbon Black. But he said a mix of requirements – some taking a signature and some requiring a PIN – “creates an environment of confusion for both merchants and consumers.”
However it is implemented, Pascual and others agree that EMV is not a “silver bullet” that will essentially end POS fraud. Criminals, he said, will increasingly try to defeat it through options including, “fraudulent applications, account takeovers, mail interception, and direct theft from consumers.”
Strand agreed. “Even with full adoption, EMV is only going to minimize the threat window on the front end and will not protect the entire payment transaction process.”
That means curbing credit-card fraud is going to take major security improvements in both POS and CNP environments.
And experts say the good news is that growth in e-commerce means CNP security is getting more attention. “There will be a lot more CNP fraud attempts, but there is already a lot of anti-fraud and fraud analytics going on for CNP transactions,” said Adrian Lane, CTO and security analyst at Securosis.
Fabens agreed. “No single technology is a silver bullet,” he said, “but there are really effective ways to attack CNP fraud,” including end-to-end encryption, biometric authentication (such as fingerprints) and tokenization, which “devalues the data” because the data that handles the transaction is not the card number.
Merchants can also implement 3D Secure, a technology in more common use in other countries, which requires a separate password.
The less good news, however, is that all of these measures can create what retailers call “friction” in the buying process. According to Gumbley, the requirement of another password can create, “a notable amount of checkout attrition and shopping cart abandonment as users forget their passwords or lose interest and move on.”
Sweet said that prospect means merchants won’t use it. “Online retailers will resist this to the ends of the earth,” he said, “because it will impact the shopping experience and therefore their revenue. Consumers are used to one-click purchasing, and because consumers aren’t liable, they won't accept what would be seen as a nuisance in order to help minimize their bank's fraud liability.”