Chip and PIN technology (also known as EMV) may be poised for a breakout year in 2015, thanks to surging interest...
from retailers and an impending deadline that will thrust new liability on merchants that don't implement the technology soon.
SearchSecurity recently spoke with Avivah Litan, vice president and distinguished analyst with Stamford, Conn.-based research firm Gartner Inc., about her recent research on the security and compliance ramifications of Chip and PIN technology.
On EMV, give our readers the background on the upcoming October 2015 fraud-liability deadline. What does that deadline mean, and how is it affecting EMV implementations?
Avivah Litanvice president and distinguished analyst, Gartner Inc.
Avivah Litan: Basically the EMV liability-shift deadline, which takes place Oct. 1, 2015, is an indirect incentive from the card brands for merchants and banks to get on the EMV chip bandwagon. In some countries there were mandates, but with the U.S. market and most other markets, it's a liability shift. What that means is whoever has the least amount of security after that date -- the card issuer, the acquiring bank, the transaction processor, and potentially the merchant -- bears the liability should a fraudulent transaction take place. So if someone walks into a retailer with a chip-enabled card and the merchant doesn't have a point-of-sale system to accept the chip, the merchant may be responsible for any fraud that occurs as a result of that transaction.
Similarly, if the merchant has Chip-and-PIN-compatible terminals and the consumer doesn't have a chip-enabled card, then the bank that issued the card has to eat the cost of any fraud that occurs as a result of the mag-stripe transaction. So it's an indirect incentive for banks and merchants to implement Chip-and-PIN-based systems.
The EMV Migration Forum, a smart card advocacy group, estimates that by the end of next year there will be 9 million EMV-enabled payment terminals, and as many as 900 million chip cards. First, do you accept those projections, and how will EMV technology ultimately affect merchants' ability to keep payment data secure?
Litan: I don't have projections of my own, but just look at what's happened around the world. If you go to the EMVCo site, it says less than 30% of transactions are EMV-enabled today, and less than 40% of the payment terminals are EMV-enabled, so it's been a pretty slow haul. Obviously the impending adoption in the U.S. will change the equation quite a bit, but in other countries it's not like it's all hunky dory with EMV chip transactions either. It takes a while for these systems to roll out.
I'd say it'll be another 5 to 7 years until we see 85% of transactions that are "chip on chip," that is a Chip and PIN card on a chip-enabled terminal. Until we get to that point, merchants still have to secure their systems the way they do today. It'll still be mag-stripes being processed, merchants still have to accept those cards, and a lot of criminals will benefit from it. So nothing's really changing in the short term.
An ongoing topic of debate is whether EMV transactions involving cards that aren't PIN-enabled are any more secure than mag-stripe transactions. What's your take, and in the long term do you think the banks will stave off broad implementation of PIN-based credit cards?
Litan: I think EMV without PINs is much more secure than mag-stripe, but EMV with PINs is even more secure. Based on data from the Federal Reserve Board [in a 2013 report], there is a 700% percent reduction in fraud with PIN-based transactions vs. signature-based ones. That's a huge benefit. I don't understand why the U.S. isn't moving to Chip and PIN, but EMV transactions are clearly much more secure than mag-stripe.
So it seems the reduction in transaction fraud represents an obvious incentive for banks to support Chip-and-PIN. Why are they dragging their feet?
Litan: I have two views about it. One, they don't want to disrupt the customer experience. They're afraid that because customers aren't used to PINs on credit cards, they won't remember them, they'll have to reset them, etc. I don't really agree with those arguments. In Canada, the banks there didn't want to support Chip and PIN because they had the same concerns, but they eventually did and consumers had no problems using them and remembering their PINs.
The other issue is that if there are PINs in play, the banks fear those PINs will be stolen and used to commit ATM fraud. The banks worry most about that because they can't reverse ATM fraud to any merchant; the ATM is the bank, it's bank money, so they would have to reimburse consumers for those losses. So because PINs can be stolen in many different ways -- skimming, shoulder surfing, etc. -- I don't think the banks want the ATM fraud liability that widespread use of Chip and PIN technology might bring.
That brings me to your recent research note, in which you mention that attackers have taken advantage of poor implementations of EMV chip-based payment applications, committing extensive fraud that defeats EMV controls. What in particular concerns you?
Litan: EMV itself is a very strong protocol from a security standpoint, but it boils down to the way it's implemented; you're only as strong as your weakest link. There are cases where the banks aren't validating the EMV transaction data coming through to them. They assume it's OK, so they aren't validating the cryptograms and one-time counters, and the criminals are taking advantage of that. They're rewiring the transaction systems and sending dummy, fraudulent transactions.
On the merchant side, it's not possible to "turn off" mag-stripe transaction support until everyone is on board with EMV. In turn, the criminals have created malware that prompts the user, when they attempt a Chip and PIN transaction, to enter their mag-stripe data first, and then prompts the user to put in their PIN.
Keep in mind this malware has nothing to do with "breaking" EMV; it's just breaking the payment applications by exploiting the way they're implemented, compromising them to get them to do what the criminals want them to do, namely steal customers' payment data. Those are just two specific examples, and there are probably going to be more.
What effect does EMV technology have on merchants' PCI DSS compliance efforts? Is there any benefit?
Litan: There's definitely a benefit with EMV when it comes to payment card data security. When there are enough EMV transactions taking place out there, it'll be harder for criminals to find mag-stripe data to create counterfeit cards with. It doesn't do anything to alleviate PCI compliance burdens in short term, but long term it will. Hopefully someday there won't be any more mag-stripe data to protect. Instead there will be EMV data to protect, and that'll be simpler.
In the short term, liability issues aside, for merchants considering additional technology investments to prevent payment card data breaches, does EMV make sense?
Litan: Yes, EMV makes sense for Visa and MasterCard cards. It is a much stronger protocol from a security angle than the protocol used on magnetic stripe cards.
Separately, I have to ask you about Apple Pay. Do you think it's the game-changer for payment data security that some believe it is?
Litan: I don't think it's a game-changer because it just perpetuates the Visa/MasterCard payment ecosystem, but it is a major incremental improvement over mag-stripe cards. The payments are significantly more secure and easy for consumers to use.
Finally what PCI DSS trends are you most closely watching this year?
Litan: In addition to the way criminals have taken advantage of poor implementations of EMV chip payment applications, there are a few other trends I'm watching. EMV tokens, as first implemented by Apple Pay and the payment card networks, are based on different protocols than the tokenization systems merchants use to limit the scope of PCI audits, leading to potentially conflicting token implementations. I hope to see more momentum around development of a tokenization standard that works equally well for merchants, card issuers and all payment ecosystem players. I also hope to see more transparency for merchants regarding EMV token protocols and their BIN ranges, as well as a viable method for identifying unique customers so merchants don't have to rely on card numbers.
Learn why experts say Chip and PIN security is no panacea against payment card fraud.