Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

EMV transition will still leave security gaps

Maria Korolov | Sept. 9, 2015
This October, US merchants and payment providers are scheduled to switch to new, more secure, chip-based payments.

EMV transition will still leave security gaps

This October, US merchants and payment providers are scheduled to switch to new, more secure, chip-based payments. But financial transactions aren't going to become safer overnight, since the majority of merchants are still not ready for the switch, magnetic stripes aren't actually going away, some merchants link loyalty programs to payments, and because the new chip technology will do nothing to improve the security of online shopping.

According to a recent report from Javelin Strategy & Research, as many as 75 percent of merchants will miss the October deadlines.

Smaller merchants, in particular, are far behind, with cost cited as the biggest obstacle to migration, according to Javelin.

A similar survey by POS vendor Lightspeed showed that 45 percent of US retailers had no migration plans, or weren't sure about their plans. While in August, Wells Fargo released the results of a nationwide survey conducted with Gallup that showed only 31 percent of small businesses who accept point-of-sale payments were ready for chip cards, and only 29 percent of the rest were going to be able to make the October deadline.

Overall, Aite Group analyst Judy Fishman estimates that only 59 percent of point-of-sale terminals will be ready this year.

Merchants who don't switch in time become liable for any fraud that is made possible by their older systems.

According to Aite Group, counterfeit credit card fraud at the point of sale currently totals about $3 billion a year, a cost now picked up by issuing banks.

The fraud is expected to reach $3.6 billion by the end of this year, according to Aite analyst Thad Peterson, and the banks won't be picking up the full tab anymore.

"When the liability shift occurs, nearly half of all merchants will be vulnerable to counterfeit card fraud, and the liability will be on them," he said in a statement.

No end in sight for mag stripes

Despite the penalties, some merchants will be slow to switch. As a result, payment cards will continue to have magnetic stripes on them, in addition to the chips, for the foreseable future.

"So if someone gets their hands on your card, they can still copy all the information from the card because it's there for backwards compatibility," said Jerry Irvine, CIO at security firm Prescient Solutions.

Once that information is copied, it can be used to create new, cloned, magnetic stripe cards.

And merchants will be able to accept them, as their card readers will still be able to read the magnetic stripe, again for backwards compatibility.

"As long as the cards are still issued with dual modability -- as long as the card issuer is going to include both the stripe and the magstripe -- the magstripe data can still be compromised in the traditional manner," said Owen Wild, global marketing director for security at NCR Corp. "It is important to continue to be vigilant about potential skimming attacks."

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.