Chip cards alone are just one option for EMV, as the technology is a foundation for other, more secure payment solutions beyond the chip.
For example, this created the possibility for contactless NFC devices, such as Apple Pay, that utilize tokenization and transmits a token as a secure substitute for a users actual account number.
Implementing EMV in the U.S. is a step in the right direction toward more secure payment. However, this is just step one. As highlighted recently in the Washington Post, the most significant security vulnerabilities remain unaddressed by EMV alone.
What is most significant about EMV is not actually EMV chipped cards as is currently being implemented, but the groundwork EMV has laid for a more robust, adaptable payment infrastructure that will continue to evolve over time.
While mainstream media is talking about EMV and what changes we will be seeing at merchants in the coming months, the industry has already shifted the focus to a host of new, powerful technologies that are being layered on top of EMV and that will meaningfully address the security holes facing payments today.
Card networks are pro-actively looking to support and collaborate with technology companies to drive this innovation faster and further. Their goal is to ensure they are staying relevant by pro-actively cultivating the next generation in payment technology to give consumers a more secure, more powerful payment experience. Examples include Apple Pay, Samsung Pay, and Android Pay that all use network based next generation tokenized security.
NFC or EMV contactless systems that utilize tokenization, where a new token or a one time passcode is created for each transaction, or biometrics with fingerprints or retinal scans to confirm identity will ultimately become the long term goal. The U.S. payments industry is entering an exciting time, change that was long overdue is finally occurring, but its not enough to sit back and say job well done.
A relatively new concept here in the U.S., EMV refers to a set payment security principles and standards that were first introduced in Europe in the 80s and 90s to combat card-present fraud, or fraud involving use of a stolen or duplicated card at a physical store location.
EMV cards, which contain visible contact pads connected to a computer chip, work with special terminals that are designed to read chips. At every transaction, the chip generates a unique code, or cryptogram that is used to verify a cards authenticity. The chip electronically submits this unique code to the terminal along with standard, unencrypted card account information, including the cardholders 16-digit account number and his/her first and last name.
EMV transactions can be completed by dipping the chip card into an EMV card reader, or by waiving an NFC enabled EMV card or device within a couple inches of compatible readers. A large majority of new, EMV enabled terminals are designed to support chip-based and contactless/NFC based forms of EMV. In the U.S., the initial focus will be on an easier to implement chip and signature system that utilizes a less secure version of EMV technology, rather than the more secure chip and pin technology used in Europe and elsewhere.
When EMV was introduced in central Europe in the 1990s, it quickly brought under control surging card-present fraud rates and was widely heralded a success. Poor telecommunications infrastructure in Europe in that era created a need for strong physical security at the point of purchase. EMV served this need. Over the past two decades, countries globally have followed Europes lead and implemented chip card technology.
The U.S. long stood as an exception to this trend. The U.S. banking system has historically imposed a zero floor limit on card transactions, eaning that all transactions are monitored for fraud in real time. This has kept fraud rates low and weakened the business case for EMV. By 2010, industry analysts had begun questioning whether EMV would ever take root in the U.S.; they asked whether the 15 year old standard would be leapfrogged by newer standards better suited to mobile payment and other, newer payment applications.
The momentum started to shift in 2011 when Visa, MasterCard and Amex each announced 5-6 year initiatives to rollout EMV across the U.S., with strong incentives for all relevant verticals - merchants, issuers, acquirers, processors - to get on board with the plan. Initially, the news went unnoticed by consumers and generally was received unfavorably by large retailers who viewed supporting EMV as a costly distraction with not enough benefit in fraud reduction. Meanwhile, credit/debit networks bickered over how technical details of the rollout would be administered. As late as 2013, there was talk of pushing back deadlines and legitimate uncertainty over whether the EMV rollout would pull together at all.
The momentum changed drastically over the course of 2014, which saw a rash of highly publicized merchant data security breaches that put millions of Americans card information at risk. Following these events, merchants and issuers were compelled to adopt more pro-active payment security strategies, with EMV front and center. The migration to EMV in the U.S. is now fully under way, and while the transition will extend several more years, most Americans will have their first experience dipping cards this fall.
Thiago Olson is CEO of Stratos Card.