EMV security is in the spotlight after a recent string of retailer breaches affecting magnetic-stripe card data, but many critics call EMV-chip cards "last decade's technology."
However, EMV's supporters consider the chip-based security standard as relevant today as it ever has been.
Developed as a fraud-resistant payment standard by a consortium of card networks in the early 2000s, the Europay, MasterCard and Visa system governs point of sale payments in nearly every corner of the globeexcept the United States.
Beginning in a few months, however, liability for fraudulent transactions with magnetic stripe cards in the U.S. will begin to shift from the issuing banks to the merchants. And that liability shift has most players in the payments industry making plans to upgrade their soon-to-be obsolete equipment.
But why upgrade to a standard that is already a dozen years old? Couldn't the United States just "leapfrog" the EMV standard and become the first nation to adopt whatever new technology comes next? Maybe an NFC-based mobile-only system is where the future lies.
Not so fast, say most opinion leaders in the payments realm. While it's nice to dream of what's next, skipping steps isn't just difficult it's dangerous, they warn.
"Just because there is new technology to implement, doesn't mean we don't need to finish implementing the old technologies," said Gil Luria, managing director for Los Angeles-based Wedbush Securities.
Luria, along with other industry experts, notes that the United States has held out stubbornly against switching to EMV. That hasn't been the wisest move, they agree.
Randy Vanderhoof, executive director of the Smart Card Alliance, says EMV detractors are railing against the standard because they have some other technology to promote.
"I think the only people who are making the claim that EMV is passé and shouldn't be implemented are those folks that are looking to replace it with something they hope will catch on," Vanderhoof said.
Fraud prevention ranks among the biggest selling points for the EMV standard, and it's beginning to outweigh one of the biggest selling points of magnetic stripe cardscompatibility.
Mag-stripe advocates cite the system's ubiquity in the U.S. as an advantage. But this country is looking is hanging onto the legacy technology while the rest of the world has long on, experts say. A day could come when cold, hard cash would be the only way American tourists could pay for dinner during a vacation abroad.
And if the United States just chose to skip over EMV, that scenario would almost certainly play out.
"Since the rest of the world has converted to EMV, if we decided to do something else, it would put us at odds," said Deborah Baxley, a New York-based principle for Paris-based consulting firm Capgemini. "It would be a little like the metric system all over again."
If the U.S. found a way to skip EMV, it would have to maintain global interoperability while everyone else caught up. And because leapfrogging the world wouldn't solve that odd-one-out scenario, the U.S. would likely be stuck with its half-century old magnetic stripe technology as the common payment denominator.
"What EMV does is it helps to secure transactions and it gives global interoperability," says Zilvinas Bareisis, a London-based senior analyst for the research firm Celent. "That is not something to be sneezed at."
Dumping cards altogether is also not a viable optioneven analysts with the dimmest outlook on the future of cards concede that plastic has at least another five years of relevance. Most predict a much longer life for cards.
And while mobile payments seem like the next logical technological step, there just isn't an existing acceptance infrastructure to make a quick switch.
"The serious people in the industry who understand how all the parts of a payments system work and are connectedthey recognize that mobile payments will happen, but we are not going to stop and wait for it to hit maturity," Vanderhoof said.
Developing standards, testing and validating the system all takes time and resources.
"It takes 10 years to get major changes implemented," Vanderhoof said. "The U.S. doesn't have 10 years to fix the problems with outdated security and a lack of upgradability."
With large-scale and high-profile data breaches, and with increasingly sophisticated attacks against the U.S. payments system, America is emerging as the weakest link in the world's payment security chain.
"That big data breachit wasn't Tesco, it was Target," Luria said referring to the British supermarket giant.
Breaches are now coming from all sides of the payments system, and keeping the antiquated system secure is a never-ending nightmare for security companies.
"I have heard people say that with mag stripetrying to secure it from hackers is like putting a steel door on a grass hut," Baxley said.
A longer version of this story appears in ISO&Agent.