EMV smart cards have more security baked into them than the magnetic-stripe cards most U.S. bank customers use today — but that factor alone can't convince everyone to switch.
Ian Hermon, product marketing manager at Plantation, Fla.-based Thales e-Security Inc., spoke to PaymentsSource about the obstacles and options facing the U.S. payments industry during its multiyear migration to EMV cards and other technology, such as Near Field Communication chips for contactless mobile payments.
Thales provides hardware security modules, data key management and network encryption to vendors, businesses and governments to protect payment applications and networks. This interview has been edited for length and clarity.
PaymentsSource: Depending on the source, we hear mixed reviews on how merchants are preparing for, or even accepting, the EMV chip-card migration in the U.S. But merchant organizations definitely voice displeasure, it seems.
Hermon: We’re concerned about merchant reluctance because we have seen how card-present fraud with EMV chip-and-PIN has been virtually eliminated in the U.K. The merchant environment in the U.S. is much more complicated because the country has so many major acquirers and gateways. Plus it has numerous ISOs between the merchant and acquiring bank.
PaymentsSource: How does that type of payments dynamic create complications?
Hermon: Merchants in the U.S. are paranoid about getting the best deal they can on EMV, and they also want to control the [point of sale] and not rely on the acquirer. In a lot of ways, merchants may become like their own gateway with mobile and mobile POS in the U.S. The merchants creating the Merchant Customer Exchange have changed the view of the traditional gateway.
PaymentsSource: What factors make EMV in the U.S. much easier said than done?
Hermon: [The Durbin amendment] and mobile are muddying up EMV in the U.S. Merchants need a simpler terminal and a consistent interface into those terminals.
PaymentsSource: Merchants in the U.S. also are caught in the middle of the debate over chip-and-PIN versus chip-and-signature authentication for EMV cards, with the major brands not agreeing on those technologies. What is Thales’ take on that?
Hermon: The most secure cards are better, and all cards in the U.K. have offline PIN. But in the U.S., Visa doesn’t want to implement a PIN-based system for credit cards. In the meantime, it would be wise to get rid of mag-stripe. In Germany, consumers use VPay chip cards, and the country is getting mag-stripe totally off the cards. In an EMV world, virtually all attacks are on mag-stripe cards.
PaymentsSource: Many voices in the U.S. payments industry say fraud isn’t a big enough concern here to plunge into an expensive EMV migration.
Hermon: The trouble is, there is no true transparency about the rate of fraud in the U.S. It is higher than in the U.K., but we’re not getting the whole story. It makes it tough to justify a business case to the merchants.
PaymentsSource: EMV detractors also point out that the migration does not address the fraud with card-not-present transactions. Is there anything that can be done with EMV on this front to alleviate concerns?
Hermon: EMV cards in Europe have extra security chips in them for card-not-present transactions. I am not sure why this is not on the agenda in the U.S. They are called Code Sure for Visa Europe and Display Card for MasterCard. It’s a normal chip-and-PIN card, but also has an embedded LED display and a push button to enter a one-time, seven-digit code when shopping online. The code is checked by the issuing bank, in effect making the transaction no longer card-not-present. It is a costly card, at about 10 euros (US $13), but this could also be replicated on a phone with a secure element.
PaymentsSource: All of the other issues aside, U.S. merchants may still not want to spend the money to convert terminals and networks to EMV at this time.
Hermon: I agree merchants are still worried about the costs of EMV and they are not sure what they want. The development of mobile technology has kind of thrown them a curveball. Mobile is interesting, but it is ten times more complicated to establish a secure structure in mobile than it is with EMV.
PaymentsSource: Some merchants refer to reports that indicate fraudsters are cracking the EMV codes, so it is not entirely a fail-safe operation. Is that true?
Hermon: Even with EMV infrastructure, there are some isolated attacks, mostly from rogue service engineers putting devices in the chip-slot terminals and using Bluetooth technology to capture chip data, mag-stripe data and PIN numbers. Card schemes are working with vendors to stop this, and VeriFone and Ingenico are making terminals much harder to tamper with.
PaymentsSource: What about Near Field Communication for contactless payments, which are part of the EMV liability shift mandate at the point of sale? Any security concerns on that front?
Hermon: NFC has no obvious flaws at the moment.