Addressing only one type of fraud
When the card networks got together in the mid-1990s, they were concerned with various kinds of payment fraud. The EMV standard emerged in order to address a specific type: counterfeit-card fraud, in which criminals steal the account and cardholder data stored on a card's magnetic stripe and use it to create counterfeit or cloned cards. That is distinct from "card not present" fraud, where the physical card is never shown to the merchant, as in an online or telephone purchase; the three-digit code printed on the card was introduced for those transactions, to give the merchant some evidence that the buyer actually had the card in hand.
Card-not-present fraud accounts for between 10 and 15 percent of overall fraud, estimated Gary McGraw, CTO of Cigital.
It's fairly inexpensive to create counterfeit cards by writing stolen data onto a magnetic stripe; it's much more expensive to try to do that with a chip. Because the switchover is not complete, however, there's still room for counterfeit fraud: chip cards still carry a magnetic stripe, and terminals that have not been upgraded still read it. If card data is stolen, that data can still be used to create cloned cards to withdraw money from ATMs, Baxley said.
There are two ways to implement the EMV standard: chip-and-PIN and chip-and-signature. Chip-and-PIN, used by most countries that have adopted EMV, requires users to dip the card into the reader and enter a secret code to verify the transaction. With chip-and-signature, there is no change in user behavior except that the consumer dips the card instead of swiping it before signing for the transaction. The United States is the last of the G20 countries to adopt the EMV standard, and while most of the countries picked chip-and-PIN, the United States and a handful of other countries opted for chip-and-signature.
"For whatever reason, [they've] decided the American public is too stupid to do chip-and-PIN," said McGraw. The switchover is a "baby step" toward making payments a little more secure, but "chip-and-PIN is way, way, way, better for payment security."
By going with chip-and-signature, the United States is addressing only the cloning problem. Consider physical theft. Under chip-and-PIN, a thief with a stolen, genuine card would not be able to use it without also knowing the secret code. With chip-and-signature, a thief in possession of the stolen card could simply forge the signature.
Additional controls needed
EMV will "take counterfeit fraud off the table," said Stephen Orfei, general manager of the Payment Card Industry (PCI) Security Standards Council (SSC). However, the PCI Council has emphasized repeatedly that EMV is not a silver bullet, and retailers and merchants need additional security controls, such as point-to-point encryption and tokenization, to secure cardholder data. With point-to-point encryption, the data read off the card is encrypted inside the reader itself and passes through the merchant's point-of-sale system only in encrypted form; the decryption key is held by the payment processor, not by the merchant's software. This would make it much harder for memory-scraping malware on infected PoS terminals to harvest card data, because there is no plaintext in the PoS process to scrape. Tokenization complements it by handing the merchant a surrogate value to store for refunds or recurring billing in place of the card number.
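To make the point-to-point encryption argument concrete, here is an added example (not code from the article or from the PCI Council) that models both sides of it: a RAM scraper that hunts for Track 2 data in a point-of-sale memory image, a reader that encrypts the track before the PoS ever sees it, and a processor that decrypts it and returns a token. The PAN (the standard 4111111111111111 Visa test number), the fake PoS memory contents, and the fixed key are all constructed for the demo. AES-256-GCM under a single fixed key stands in for the per-transaction DUKPT keys that real P2PE readers use, and the HMAC-derived token stands in for a real token vault; neither choice is what a production deployment would ship.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample data (not a real account): the Visa test PAN followed by a
// Track 2-style field separator, YYMM expiry and discretionary data.
const sampleTrack2 = "4111111111111111=2512101123456789"

// track2Pattern approximates what memory-scraping PoS malware searches for:
// a run of 13-19 digits, the Track 2 separator '=' and a four-digit expiry.
var track2Pattern = regexp.MustCompile(`(\d{13,19})=(\d{4})`)

// luhnValid reports whether pan passes the Luhn checksum every real PAN
// satisfies; scrapers use it to discard digit runs that are not card numbers.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ScrapeMemory models the attacker: every Luhn-valid PAN found in a PoS image.
func ScrapeMemory(mem []byte) []string {
	var pans []string
	for _, m := range track2Pattern.FindAllSubmatch(mem, -1) {
		if pan := string(m[1]); luhnValid(pan) {
			pans = append(pans, pan)
		}
	}
	return pans
}

// buildPosMemory constructs a fake PoS process image: ordinary application
// state with the card record (plaintext or ciphertext) sitting in the middle.
func buildPosMemory(cardRecord []byte) []byte {
	mem := []byte("POS app v2.1 lane=04 receipt=000123 amount=42.17 state=AUTHORIZING ")
	mem = append(mem, cardRecord...)
	return append(mem, " host=auth.processor.example tls=1.2"...)
}

// ProcessorKey stands in for key material that, under P2PE, exists only in the
// reader's secure hardware and the processor's decryption environment. It is
// fixed here (hypothetical demo key) so the example is repeatable.
var ProcessorKey = sha256.Sum256([]byte("demo-processor-key-not-for-production"))

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(ProcessorKey[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptInReader models a P2PE reader: the track is encrypted the moment it is
// read, before the PoS software receives it. Output is nonce || ciphertext || tag.
func EncryptInReader(track []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, track, nil), nil
}

// DecryptAtProcessor is the only place in the flow where plaintext reappears.
func DecryptAtProcessor(record []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, fmt.Errorf("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// Tokenize returns the surrogate the merchant keeps instead of the PAN. A real
// token service keeps a PAN<->token vault; this stand-in derives the token with
// HMAC-SHA256 under a processor-side secret, so the token alone reveals nothing.
func Tokenize(pan string) string {
	mac := hmac.New(sha256.New, ProcessorKey[:])
	mac.Write([]byte("token:" + pan))
	return "tok_" + hex.EncodeToString(mac.Sum(nil))[:24]
}

func main() {
	// Legacy flow: the PoS holds the plaintext track between read and authorization.
	fmt.Println("scraper, no P2PE:", ScrapeMemory(buildPosMemory([]byte(sampleTrack2))))

	// P2PE flow: the PoS only ever holds ciphertext.
	enc, err := EncryptInReader([]byte(sampleTrack2))
	if err != nil {
		panic(err)
	}
	fmt.Println("scraper, P2PE   :", ScrapeMemory(buildPosMemory(enc)))

	// The processor recovers the track and hands the merchant a token to store.
	track, err := DecryptAtProcessor(enc)
	if err != nil {
		panic(err)
	}
	pan := strings.SplitN(string(track), "=", 2)[0]
	fmt.Println("processor sees  :", pan, "-> merchant stores", Tokenize(pan))
}
```

Run it with `go run .` and the scraper recovers the PAN from the legacy image but nothing from the P2PE image, while the processor still gets the full track back. The design point is where the key lives: if the PoS software could decrypt the record, a scraper on that host would simply read the plaintext after decryption, so the merchant-side systems must never hold the key.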