Chip-enabled (EMV) credit cards are designed to be more secure than magnetic stripe cards because of the chip’s ability to create dynamic, single-use data that is nearly impossible for fraudsters to counterfeit. At least, that is how the main advantage of EMV credit cards was touted by the consortium of card-issuing banks and other institutions that had been suffering billions of dollars of losses for years leading up to the October 1, 2015 deadline for US businesses to adopt the new EMV standard.
Fraud cost U.S. retailers approximately $32 billion in 2014, a 39% increase from $23 billion just one year earlier. In an effort to resolve the card fraud problem across in-store, online, and mobile payment channels, payment companies and merchants have been implementing a new payment protocol, labelled “EMV”, that could finally help mitigate fraud.
The term “EMV” (Europay, MasterCard, Visa) refers to a specification for the technical requirements of chip-enabled payment devices - generally credit and debit payment cards with embedded microchips - and how the cards interact with point-of-sale and ATM infrastructures. A chip-based payment standard can be implemented in several ways, including chip + PIN only or chip + choice (the option of using either PIN or signature) as cardholder verification tools. While the majority of EMV implementations globally have focused on chip + PIN enablement, here in the United States, the lower-threshold chip + signature standard was adopted.
Despite the imposition of the October 1, 2015 deadline for implementation of EMV-enabled infrastructure, a large number of retail establishments have yet to make the switch. As can be seen in the results of a Wells Fargo survey (conducted by Gallup) below, although implementation does continue to grow, as of Q1 2016, the adoption rate by POS locations was still less than 50%.
Now, it seems the delay in implementing may not have been so bad after all.
At the Black Hat computer security conference, researchers from payments technology firm NCR announced that they’ve uncovered a way that allows the entire EMV security process to be bypassed.
Going Old School on New Technology
EMV “chip cards” still include a magnetic stripe so they can be used by merchants that have not yet upgraded to EMV-enabled terminals. But when a user attempts to pay with their chip card via magnetic swipe at a chip-enabled terminal, they are generally not allowed to do so, and will receive instructions to insert the card into the chip reader.
Meanwhile, Jason Oxman, a spokesperson for the Electronic Transactions Association, a trade group, is quoted as saying that the issue “actually has nothing to do with the chips” at all. Here’s why:
“Every magnetic stripe on a chip-enabled card has a code on it that tells the POS at a retailer that if the customer tries to swipe the card, they should be prompted to insert the chip card instead. This ensures that the chip is used instead of the magnetic stripe. What this researcher figured out a way to do is alter the code on the magnetic stripe to say to the POS ‘I am not a chip card,’ and then to ask the POS to send the transaction to the issuing bank for approval as a magnetic stripe transaction. This is called a fall back transaction because the transaction should be a chip transaction, but it will fall back to a magnetic stripe transaction.”
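The stripe code described in the quote above corresponds to the three-digit service code in Track 2 data (ISO/IEC 7813), whose first digit is 2 or 6 on chip cards. The following is an added example, not code from NCR, the ETA or any card network: an issuer-side check that compares the service code received in a swipe against the one personalised on the card, so an altered stripe is declined and a genuine fallback is routed to review. The `issued_cards` record, the decision labels and all card data are assumptions constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)
CHIP_FIRST_DIGITS = {"2", "6"}  # first service-code digit marking an IC (chip) card


def parse_track2(raw):
    """Split a raw Track 2 string into PAN, expiry, service code, discretionary data."""
    m = TRACK2.match(raw.strip())
    if not m:
        raise ValueError("malformed Track 2 data")
    return m.groupdict()


def review_swipe(raw_track2, issued_cards):
    """Return (decision, reason) for a magnetic-stripe authorization.

    issued_cards is a hypothetical issuer record: PAN -> service code that was
    encoded on the stripe when the card was personalised.
    """
    try:
        track = parse_track2(raw_track2)
    except ValueError as exc:
        return ("decline", str(exc))
    on_file = issued_cards.get(track["pan"])
    if on_file is None:
        return ("decline", "PAN not issued by us")
    if track["svc"] != on_file:
        # The stripe no longer says what the issuer encoded: treat as counterfeit.
        return ("decline", f"service code {track['svc']} != issued {on_file}")
    if on_file[0] in CHIP_FIRST_DIGITS:
        # Genuine chip card read by stripe: a fallback that deserves scrutiny.
        return ("review", "chip card presented as magnetic stripe (fallback)")
    return ("approve", "stripe-only card")


# Constructed sample data; these are not real card numbers.
ISSUED = {"4000000000000002": "201", "4000000000000010": "101"}
SWIPES = [
    ";4000000000000002=25122011234567?",  # chip card, stripe intact
    ";4000000000000002=25121011234567?",  # same PAN, service code altered
    ";4000000000000010=25121017654321?",  # card issued without a chip
]

if __name__ == "__main__":
    for swipe in SWIPES:
        print(swipe, "->", review_swipe(swipe, ISSUED))
```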
The flaw could cause retailers to be even more hesitant to install EMV-enabled terminals and delay their decision to make the switch. Major credit card processing machine manufacturers Verifone and Ingenico said that they offer end-to-end encryption on retailers’ machines. Although merchants can take steps to prevent this type of counterfeit fraud by enabling point-to-point encryption (P2PE) on their terminals, most will likely not do so.
Many merchants aren’t aware that upgrading the encryption can resolve the primary issues with EMV terminals. Thus they might believe that the expenses associated with upgrading to EMV — new terminals cost up to $600 each, plus other costs associated with activation — aren’t worthwhile. As a result, they will go on using their old (non-chip) terminals. That could exacerbate an ongoing problem, because 41% of smaller merchants have not upgraded to EMV terminals — and 20% of that group, which would be most likely to be unaware of the need for encryption, say they don’t plan to do so.