This week, Visa announced that it's putting its muscle behind the adoption of "chip and PIN" capabilities in U.S. credit cards, which require in-person purchasers to input a PIN code into a point-of-sale machine before the card can be used. Also known as EMV--for Europay, MasterCard, and Visa, referring to their global standard for integrated circuit chips built into cards--the U.S. chip will include contactless chip technology, laying the groundwork for greater adoption of mobile payments using near-field communications (NFC).
"By encouraging investments in EMV contact and contactless chip technology, we will speed up the adoption of mobile payments as well as improve international interoperability and security," said Jim McCarthy, global head of product for Visa, in a statement.
To help nudge merchants to invest in the required, new point-of-sale equipment, Visa said that starting in October 2012, any merchant that processes at least 75% of its Visa transactions via terminals that are compatible with cards carrying the new chips will be exempt from having to validate their compliance with the Payment Card Industry Data Security Standard (PCI DSS). By April 2013, meanwhile, Visa will require U.S. service providers and processors to support merchants' chip transactions.
Finally, beginning in October 2017, Visa said that for merchants who sell fuel, it will transfer the liability for fraudulent transactions to the merchant's bank, if the merchant isn't using contact and contactless chip technology at the point of sale. In the United States, credit card companies now mostly absorb those fraud-related costs.
EMV technology is already in wide use in Europe. Why is it only now making it to the United States? "There have been a number of factors that have held back the U.S. market for moving towards EMV," said Randy Vanderhoof, executive director of the Smart Card Alliance, an industry association, in an interview. "Most of them are economic, where the U.S. market has been utilizing the intelligence in the payments networks, and doing risk scoring of online transactions as a way to prevent fraud, and has done a pretty good job of keeping fraud rates down. They also implemented some pretty strict security rules on merchants, to try and harden the networks, to try and protect static data."
But the new push for EMV is a tacit nod to those approaches having failed. "The techniques that fraudsters are applying now, using hacking tools to harvest millions of accounts at a time, and requiring issuers to have to reissue tens of millions of cards, just on the possibility that some of those cards might be counterfeit, has created a lot of pressure to make some changes," he said.
Current estimates are that there are 650 million to 750 million active credit and debit cards in the United States. PCI, of course, was supposed to help secure those credit card details, by protecting how the card data was acquired and stored. But studies suggest that PCI never took off; only one-third of covered companies fully comply, and enforcement actions by companies such as Visa appear to be rare.
At the same time, there's now a burgeoning market in stolen credit card data, which sells for as little as $2 per card, though security researchers have recently said that an oversupply of such data may have further driven down prices. With the wide availability of stolen credit card details on the black market, perhaps it's not surprising that since 2009, credit card fraud has increased by 62%.
Without a doubt, EMV will be a security step forward for the United States. But the technology isn't bulletproof, even for card-present transactions. Last week at the Black Hat conference, a UBM TechWeb event in Las Vegas, for example, security researcher Andrea Barisani of Inverse Path demonstrated a card-skimming attack that works against EMV cards, even though their passwords are encrypted. The attack, which sneaks a chip into point-of-sale, EMV-compatible readers, which are supposedly tamperproof, was discovered in the wild.
"We think an EMV skimmer poses a serious threat, due to ease of installation, and is very difficult to detect," said Barisani. "There have been reported chip-skimmer installations dated 2008, being seen in the wild," he said. But it's often impossible for someone to tell if a point-of-sale terminal had been tampered with.
In response to his card-skimming research, Barisani said that some card organizations, such as EMVCo, have said that any such flaws would be mitigated through other means. Meanwhile, MasterCard has said that it would be too difficult at this point to overhaul EMV. But the Netherlands appears to have blocked this type of attack via a point-of-sale machine firmware upgrade that disables plaintext PIN verification for Dutch cards. As a result, a card skimmer can't read the PIN code.
In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).