Specifically, the paper explains how fraudsters can make purchases with a stolen card before it has been reported missing by using an electronic device that tricks a payment terminal into accepting an incorrect PIN.
"It is clear that the EMV framework is seriously flawed," the paper concludes. "We recommend that the Federal Reserve should resist pressure from banks to allow its deployment in the USA until it is fixed." Further research from the group suggests that the flaws in EMV cannot be easily repaired because the specification stack is too complex.
Better Than the Mag Stripe

The information on EMV security released by Cambridge researchers has been met with a mixed reaction from the financial industry. Lars Davies, CEO and founder of Kalypton, a group of companies that specializes in secure information management and electronic payment systems, says the findings suggest that EMV needs to be replaced by a new, less complex solution. He claims that in order to fix holes in the EMV specification, one would have to add more layers onto it, making it even more complex and less adaptable to changes or future fixes. "Simply adding to the EMV standard is like continually adding small sticking plasters to a constantly seeping wound," he says.
However, David Porter, general manager of Chase Card Services at New York-based JPMorgan Chase ($2.9 trillion in assets), says that as far as he knows, banks aren't taking the Cambridge findings too seriously. "We'd care if that laboratory experiment could be replicated in the real world," he explains, "but we have yet to see any credible evidence of that to be true. I don't think any other international issuer has reported that either."
Ben Knieff, security, compliance, and fraud management expert and director of product marketing at New York-based NICE Actimize, says that despite its flaws, EMV seems to be the best option available for ensuring secure POS payments. "While I would agree with many commentators that the EMV standard isn't perfect and it isn't fraud proof, it certainly sets a higher bar for a would-be criminal -- at least with the point of sale types of fraud -- than what we've been using," he says, adding that as far as he knows, a more secure, mature payment standard than EMV has yet to be named.
To those who claim that EMV technology will be too old by the time a U.S. rollout is complete, Knieff says, "Looking to leapfrog the current technology standard in the U.S. for some yet unnamed, 'better' standard would probably take even longer."
Conroy McNelley echoes Knieff's sentiment, saying that switching from the inherently insecure magnetic stripe cards that are currently used in the U.S. to EMV-enabled chip cards makes sense. "No fraud prevention technology is foolproof, by any means, but EMV is a heck of a lot better than what we have right now," she comments.
Despite her concerns about EMV's security, Hamilton believes the U.S. is going to have to adopt the standard to keep up with the rest of the world. However, she says that no matter what happens with EMV, banks must have a comprehensive fraud and risk compliance program that enables them to have a 360-degree view of all of their customers’ payment activity. "Know who your customer is and monitor them in a proactive sense," she says.