Chip-and-PIN Deadline: US Nowhere Near Ready

The US EMV (a.k.a. chip-and-PIN) payment processing deadline is upon us, as of Oct. 1, and more and more people are receiving new credit cards with microchips in them. However, the ecosystem has a long way to go before full implementation is achieved—or indeed, even before it becomes common.

The deadline means that merchants will be held fully liable for any losses due to payment card fraud, if they haven’t moved to the new point-of-sale technology, which reads a secure chip in the card itself, thus in theory cutting down on the ability of cyber-thieves to lift card data with PoS malware, skimmers and the like—which is the basis of most major data breaches in the last five years.

But according to the Strawhecker Group, only 27% of merchants in the US are able to process chip-enabled cards so far. And of course, chip-enabled cards only help with fraud when coupled with merchants who only accept chip-enabled cards. Many companies may not upgrade their equipment due to the cost and a perceived lack of risk. For instance, most gas stations’ pay-at-the-pump machines won’t be upgraded until 2017.

Also, while chip-embedded cards are a far more common sight than machines that can use them, a CreditCard.com survey shows that more than six in 10 American card holders still don’t have chip-enabled credit cards in their wallets.

But what does EMV really mean for card security? Industry players say that the chip-enabled cards will make a significant dent in the fraudulent "cloning" of traditional magnetic strip cards. But, it will do little to eliminate other types of card fraud, like e-commerce fraud.

"Unfortunately, switching to chip-enabled cards won't curb credit-card breaches, but what it may do is reduce the amount of credit-card numbers that can be used after the data is stolen,” said Mike Buratowski, VP of cybersecurity services at Fidelis Cybersecurity, in an email. “What this means is if a million credit cards are stolen, there will be a percentage of them that will not be able to be used to commit a fraudulent transaction.”

He explained that most cards will still only require the presenter to provide a signature to complete the transaction. While this is a good first step, the switch will not address fraudulent transactions done online or in other card-not-present (CNP) transactions."

"Multi-factor authentication has been urged by the security community for some time,” said Buratowski. “The factors used fall into three main categories. Something you have, such as the chip-enabled card, something you know, such as a PIN, or something you are, like a fingerprint. By rolling out the EMV cards and not implementing another factor, the industry is missing an opportunity to implement much stronger security.”

Fraudsters are nothing if not resourceful, and will very likely exploit this by turning to CNP. In Europe for instance, where EMV use is near-ubiquitous, recent research has revealed that card fraud losses rose 6% across Europe in 2014, and £29 million in the UK alone; 70% of losses were due to CNP fraud. That’s because EMV adoption for credit cards has pushed criminals from one country to the next and from one form of attack to another. To the latter point, many of them are eschewing physical card fraud and focusing on CNP transactions, such as those made over the phone or via e-commerce.

“Banks in the UK and most of Europe adopted EMV technology years ago, so it may appear that they have little to worry about from mag-stripe fraud,” said Martin Warwick, FICO’s fraud chief for Europe. “However, the trends suggest that any European plastic card can be targeted.”

What’s Hot on Infosecurity Magazine?