EMV, the chip-based payment standard used in many countries around the world, has been lauded for reducing point-of-sale card fraud. But while some financial industry professionals are encouraging an EMV rollout in the U.S., others are saying that the standard is flawed.
"My biggest concern with EMV is how safe it will be in another 10 years," says Dena Hamilton, detection and fraud expert at Guildford, UK-based intelligence solutions provider Detica. "One of the greatest security risks to EMV that people have not really acknowledged is that we’re talking about a technology that’s almost 15 years old and has yet to be adopted by one of the single largest producers of transactions -- the United States. How long will it take to roll this out across the U.S.?" Ideally, a rollout would take about four years, according to executives at Visa (San Francisco), who recently announced a plan to help speed up adoption of EMV contact and contactless chip technology in the U.S. The company has set a goal to have a working EMV payment system in the U.S. by October 2015.
Others, such as Julie Conroy McNelley, senior analyst at Boston-based Aite Group's retail banking practice, are not so optimistic about a quick rollout. "There's no way we're going to be there that soon," she says of Visa's goal. She says that putting the infrastructure in place to facilitate all of the loyalty aspects that could help drive EMV acceptance among consumers, on top of getting NFC terminals at the point of sale, presents "a really big hurdle" that will make a widespread rollout more difficult.
Hamilton agrees with McNelley, adding that the security of the technology will be compromised by the time a rollout actually happens.
The EMV standard has already been compromised, according to researchers at The Security Group in the Computer Laboratory of the University of Cambridge in England. In 2010, researchers Steven J. Murdoch, Saar Drimer, Ross Anderson and Mike Bond published a technical paper called "Chip and PIN is Broken." The paper identifies security flaws they found in the type of payment that requires PIN authentication along with an EMV-based chip card at the point of sale, a method widely used in the U.K. and many other countries throughout Europe.
Specifically, the paper explains how fraudsters can make purchases with a stolen card before it has been reported missing by using an electronic device that tricks a payment terminal into accepting an incorrect PIN.
"It is clear that the EMV framework is seriously flawed," the paper concludes. "We recommend that the Federal Reserve should resist pressure from banks to allow its deployment in the USA until it is fixed." Further research from the group suggests that the flaws in EMV cannot be easily repaired because the specification stack is too complex.
Better Than the Mag Stripe

The information on EMV security released by Cambridge researchers has been met with mixed reaction from the financial industry. Lars Davies, CEO and founder of Kalypton, a group of companies that specializes in secure information management and electronic payment systems, says the findings suggest that EMV needs to be replaced by a new, less complex solution. He claims that in order to fix holes in the EMV specification one would have to add more layers onto it, making it even more complex and less adaptable to changes or future fixes. "Simply adding to the EMV standard is like continually adding small sticking plasters to a constantly seeping wound," he says.
However, David Porter, general manager of Chase Card Services at New York-based JPMorgan Chase ($2.9 trillion in assets), says that as far as he knows, banks aren't taking the Cambridge findings too seriously. "We'd care if that laboratory experiment could be replicated in the real world," he explains, "but we have yet to see any credible evidence of that to be true. I don't think any other international issuer has reported that either."
Ben Knieff, security, compliance, and fraud management expert and director of product marketing at New York-based NICE Actimize, says that despite its flaws, EMV seems to be the best option available for ensuring secure POS payments. "While I would agree with many commentators that the EMV standard isn't perfect and it isn't fraud proof, it certainly sets a higher bar for a would-be criminal -- at least with the point of sale types of fraud -- than what we've been using," he says, adding that as far as he knows, a more secure, mature payment standard than EMV has yet to be named.
To those who claim that EMV technology will be too old by the time a U.S. rollout is complete, Knieff says, "Looking to leapfrog the current technology standard in the U.S. for some yet unnamed, 'better' standard would probably take even longer."
Conroy McNelley echoes Knieff's sentiment, saying that switching from the inherently insecure magnetic stripe cards currently used in the U.S. to EMV-enabled chip cards makes sense. "No fraud prevention technology is foolproof, by any means, but EMV is a heck of a lot better than what we have right now," she comments.
Despite her concerns about EMV's security, Hamilton believes the U.S. is going to have to adopt the standard to keep up with the rest of the world. However, she says that no matter what happens with EMV, banks must have a comprehensive fraud and risk compliance program that enables them to have a 360-degree view of all of their customers’ payment activity. "Know who your customer is and monitor them in a proactive sense," she says.