EMV Credit Card Chips: No Silver Bullet, but a Significant Step Forward in Fraud Reduction

Image of EMV Chip Card.

It was only two years ago that Target's infamous data breach put some 40 million credit card numbers in peril due to hacked point-of-sale systems skimming credit credentials. The result was millions of reissued credit cards. Of course, Target is not alone, and since that breach, many other national brands such as Goodwill, TJ Maxx, Kmart, Neiman Marcus, Staples, Safeway, Hilton and others have had breaches that released credit card data. These breaches have resulted in wasted time and money, as millions of people were issued new cards, and have spent time looking for and following up on fraudulent activities. It is worth considering how technology is adapting to provide more secure transactions to hopefully improve the situation going forward.

For most people, the most noticeable change is the implementation of chip-and-sign technology in the United States, often referred to as an “EMV” card. Many new debit and credit cards issued in the past year contain large gold-colored metal chips.

  • This EMV chip is actually a small tamper-resistant microprocessor with some private storage that is used to secure transactions and provide significantly more security beyond what is capable with the small magnetic strip on the back of traditional credit cards.
  • The chip adds a small computer to the credit card that permits it to interact with credit systems using secure cryptographic protocols, similar to those used to secure Internet transactions.
  • The chips can even be reprogrammed at a point-of-sale terminal to modify their susceptibility to fraud in real-time. For example, they can be canceled, or have a limit on the size of transactions placed on the card. In contrast, traditional magnetic strips can only contain static information, and are quite easy to read, duplicate and forge.

EMV technology is not a silver bullet that solves all problems. For backward compatibility, most merchants are still accepting traditional magnetic swipe cards and have yet to adopt the EMV terminals, although this will change over time.

“Many of the merchants in CRBT’s portfolio have been reluctant to convert to EMV because the potential loss does not outweigh the cost of converting their equipment,” shared Kellie Lindblom, AVP of Merchant Processing at Cedar Rapids Bank & Trust. “The transition to EMV in the U.S. has not been an easy task. I believe that some merchants want to wait until some of the bugs have been worked out before they invest in converting to EMV. EMV equipment has changed many times in the last 12 months. Some equipment that was thought to be EMV-compatible is no longer compatible. Some merchants who purchased equipment in 2014, thinking it would work with EMV cards in 2015, were told that they would need to purchase new equipment again because the manufacturers were putting certain terminals at end of life. Industry-wide, this has become a frustration.”

In addition, EMV is currently not effective for online purchases (your personal computing device probably doesn't have an EMV reader on it). Therefore, there will continue to be a market for stolen credit card credentials for the near future. However, it does provide many fraud reduction features, and has enabled more payment options for consumers.

So how do EMV chips reduce fraud? The system works on several levels.

  • First, all of the digital information stored on the card is digitally signed by the issuer. Digital signatures are not the scanned signatures the consumer signs on a digital pad, but rather cryptographic protocols that allow a signing party to sign information, so that a verifying party knows who signed it and that the signed information has not been modified. However, EMV chips do not just send a card number to perform a transaction. The point-of-sale terminal generates information specific to the transaction, and the card itself digitally signs this transaction-specific information. This prevents transactions from being replayed, and ensures the card is present for the transaction. The card is known to be present as the tamper-resistant private memory of the chip contains something called a signing key, and only someone with access to the key can sign on behalf of the card.
  • Secondly, a number of fraud prevention features can be programmed directly into the card, either at the time of issuance or the next time it is inserted into a point-of-sale terminal for a transaction. For example, EMV cards can be programmed to prevent the card from being used in foreign transactions, or to allow only offline transactions below a certain value, or to completely disable a card that been reported lost. These features can be programmed in near real time, during the next transaction the card performs.

One might wonder why EMV cards do not simply encrypt all information and send that data to the issuer. There are several issues here. First, there will always be a need for some transactions to be offline, and in those cases some public credit card number is seemingly necessary. Secondly, and probably more importantly, many merchants and intermediaries need these numbers to track customer purchases, enable easy purchase returns, route purchase data through payment networks, and other practical functions. While encryption seems like an easy solution, it creates a number of practical problems.

One recently introduced solution called "tokenization" uses an "alternate" credit card number for different merchants, locations or even transactions. This allows merchants to store all your transactions under a unique pseudo credit card number, but one that has no value to other merchants, as your card would generate a different pseudo credit card number for other merchants. Thus, merchants can perform returns, and track purchases using the pseudo credit card number, while gaining the security that a breach in their pseudo credit card numbers would result in no global damage. Further, after a breach has happened, everyone's cards can be programmed to update their pseudo credit card numbers, making them of no future value. Of course, both the card and the bank need to be able to map back and forth to the actual credit card number to appropriate pseudo credit-card numbers, in order to properly manage accounts. This is done securely on the chip, and in secure processing facilities at the issuer.

Several "new'' technologies, including wireless Near Field Communication (NFC) credit cards and smartphone enabled technologies such as Apple Pay, Android Pay and Samsung Pay, are all very similar. The point-of-sale terminal is talking to the microprocessor in the smartphone as opposed to the one embedded in the credit card. The mechanism by which communication takes place is now over a low-power, near-range radio transmission, as opposed to physical contact with the chip reader. All these technologies are running EMV protocols, which is why ApplePay, Android Pay and Samsung Pay were able to roll out their services to so many merchants with little difficulty.

Take-away:  Remember that we’re just in the infancy of the adoption of new technologies that will significantly reduce the impact of fraud. EMV has worked in the countries where it has been implemented. To help put this in perspective, the United States is only seeing about a quarter to a third of all point-of-sale transactions going through the EMV mode currently. So… we have a long way to go before the benefits really take hold.

PLEASE NOTE:  Cedar Rapids Bank & Trust cardholders are currently scheduled to receive EMV cards upon expiration of their existing card. However, if you wish to receive your EMV card sooner, simply contact an Account Executive at 319.862.2728 and we will order your EMV card to be mailed to you within 7-10 business days.

 

Sources Cited: Myers, S. (2016, January 07). EMV Credit Card Chips: No Silver Bullet, but a Significant Step Forward in Fraud Reduction. Retrieved from http://www.huffingtonpost.com/acm-the-association-for-computing-machinery/emv-credit-card-chips-no-_b_8916126.html