It may seem odd for a vendor of payment acceptance hardware to discredit EMV security, which is commonly seen as a catalyst for hardware sales, but that's exactly what MagTek is doing.
The Seal Beach, Calif.-based company, which has long studied ways to improve the security of magstripe cards without replacing them outright, is getting a clear signal from its clients: EMV hasn't changed the way they do business, and in many ways it is making things harder by adding friction to their checkout process.
Some retailers, frustrated with the time it takes to accept a chip-card payment, deliberately mishandle the transaction to force their hardware to fall back on a faster magstripe payment. Others deploy only the bare-bones essentials for EMV compliance, such as a chip-card reader without a PIN pad.
And many that missed the card networks' Oct. 1 EMV liability shift date are in no rush to catch up.
"On Oct. 2, everybody woke up and the world hadn't fallen apart," said Annmarie "Mimi" Hart, president and CEO of MagTek. "Merchants that were desperate to get something on Sept. 29, when they realized that Oct. 1 came and went and nothing bad happened, they [said], 'Well, we're going to defer that decision now.'"
Rather than double down on its efforts to sell EMV hardware, MagTek is eager to side with these merchants, pointing out the flaws of EMV security. At its booth at the National Retail Federation's Big Show in New York this week, Hart and her team used a stripped-down terminal to show the weaknesses of EMV, such as how easily a hacker could obtain the card's primary account number (PAN) from a contact or contactless chip-card transaction.
MagTek's solution is not to add more protections around the PAN, but to remove the need for it entirely.
"We've got to get to the point where we take the PAN off, take all of the sensitive information off the card, and have a safe plastic token," Hart said.
The company's Cyberstripe technology, which it has developed over two years, is based on its earlier security system called Magneprint. That system relies on traits of a magstripe card that are as natural as fingerprints.
Like a fingerprint, each card's magnetic stripe carries a unique signal, determined by how the stripe was originally formed.
"The tape is actually made from a big vat of … barium ferrite, like magnetic sand," Hart said. "When the barium ferrite dries … it gives off a magnetic signal and it gives off that magnetic signal across the entire content of the stripe," and that signal never changes, even after the account data is written on top of it.
But there is dynamic data as well. As with taking fingerprints, the print itself may not change, but the way it is taken introduces variances, such as the amount of ink used or the amount of pressure applied by the fingertip. The same applies to card swipes.
"When the head moves over that underneath layer, it never picks up an identical number of groupings of [barium ferrite] bits that are moving around," Hart said. "It's a factor of the sensor, which is the magnetic head … that creates a digital value, which is in this case 54 bytes of information, but it's guaranteed to change every time you swipe."
All of this technology works today on magstripe cards, emulating some of the security features of EMV without requiring a chip, but MagTek wants to go a step further and use its technology to remove the need to write sensitive account data to the card. Its Cyberstripe card has no PAN, relying entirely on the Magneprint security system.
MagTek is reaching out to banks, merchants and the acquiring community to get these cards in circulation. Any of these entities could function as a distributor of the card; "this card can have a sponsor, not necessarily an issuer," Hart said. The consumer would select the funding source, and can manage funding options and spending limits from an online portal.
Cyberstripe functions as another layer of security on top of what the payments industry already provides, but it gives the merchant the power to act on this layer, especially with its own private-label cards.
The vendor is not abandoning EMV, of course. It still sells EMV-compliant card readers to merchants that prefer it, but it is taking a more modular approach by letting merchants choose just how far they want to go with their EMV deployment. For example, a merchant can choose to do chip-and-signature via a modular device that can accept a PIN pad at a later date.
"The merchant knows best how their consumers are going to react and they know what level of security they need," Hart said.