He said it would likely take another major retail data breach, such as that at Target in late 2013, “to really light a fire under some of these retailers.”
Security experts also warn that such a major breach remains likely, since the American version of EMV won’t be as secure as the one in Europe: many banks are allowing “chip and signature” instead of requiring a customer to enter a PIN.
Ubaghs said such a move “drastically reduces the effectiveness of EMV, as you remove one of the two factor authentication elements of EMV. A pickpocket could still use your card and forge your signature. It’s a bad move by the U.S. that will weaken security.”
He and others note that consumers in every other market are using PINs, and that U.S. customers do it with debit cards and ATMs.
The main reason, they say, is that card issuers and banks fear that if customers are required to enter a PIN, they won’t use their cards as much. “They risk falling into a back-of-wallet position or even consumers abandoning cards,” Ubaghs said. “Remembering a PIN on a card isn’t that difficult, but if you have five or six cards, you might change or abandon some if you have too many PINs floating around.”
Lane warned in his paper that another flaw in EMV, at least so far, is that it “does not mandate the use of point-to-point encryption (P2PE), much less full end-to-end encryption. PAN (primary account number) data is still transferred in the clear, along with any other data passed, if payment tokens are not being used.”
A lack of encryption was one of the things that made the Target breach so catastrophic.
The token problem is being addressed, Oxman said, with the deployment of “new, cutting-edge technologies that along with EMV present a multi-layered defense of our complex networks. Tokenization can prevent future data breaches by replacing account information with single-use tokens that cannot be intercepted.”
Still, as many experts have noted, and even EMV advocates acknowledge, EMV offers no security improvement for online, or “card-not-present” transactions.
But its advocates point to evidence that it curbs fraud. “What we do know from EMV chip-mature regions of the world,” said Jeremy King, International Director of PCI Security Standards Council, “is that EMV chip, no matter how it is implemented, results in a significant reduction in counterfeit fraud at the point of sale.”
Lane agrees that better security, not to mention decreased liability for fraud, is a good reason to adopt EMV. But he argued in his paper that both are secondary to the benefits of the much larger shift that is coming: mobile payments.