It is one of the few security solutions that banks and merchants have rallied around in the aftermath of the Target breach: EMV smart chip cards.
But what exactly makes these cards so smart? And why has it taken the United States so long to make the switch?
EMV (shorthand for Europay, MasterCard and Visa) has existed since the early '90s and been in widespread use throughout the world for nearly a decade. The chip cards are outfitted with a microprocessor that stores and transmits encrypted data, making it difficult to counterfeit, unlike the magnetic-stripe cards used in the U.S. Cardholders are often required to enter a personal identification number or sign off to complete face-to-face transactions.
For years, the credit card industry has been nudging all players in the U.S. payment system--the banks that issue the cards, merchants that accept them and financial firms that manage the transactions--to convert to chip. But they all balked at the multi-billion investment needed to make the switch.
Enter the "liability shift." Credit card companies--MasterCard, Visa and the others--laid down an ultimatum three years ago that any actor without chip technology in place by October 2015 would have to bear the cost of fraud. This proposition was a hard sell, but it got a lot easier after hackers stole information from over 100 million Target customers.
Now it's just a matter of time before the U.S. gets up to speed on what has become a global standard. But there are still a host of questions and concerns swirling around the conversion. To answer them, I turned to MasterCard president of North America Chris McWilton and Visa's chief legal officer Ellen Richey. Here's an edited version of our conversation, with a few notes of my own.
Danielle Douglas: Why is conversion to EMV so important for the payment industry?
Chris McWilton: We've been talking about EMV in this country for a long time. But in the past, banks that would have to issue chip cards and merchants that would have to install new terminals to accept them relegated the EMV decision to a spreadsheet exercise, a business case of return on assets, return on investments, discounted cash flow. The answer they kept coming back with is 'no, this doesn't make sense. The amount of fraud we have is manageable. Banks have their own internal system for monitoring fraud. There have been relatively low rates [of fraud] and we can afford it.'
Target was a wake-up call, a bucket of cold water on the system that said you can't relegate this to a spreadsheet exercise. If you lose the public trust whether you're a bank or a merchant, you don't have a business. And all of the spreadsheets in the world become meaningless. Now we're seeing a groundswell of interest in migrating to EMV. It is one of the key steps in securing the payment system on all channels. EMV only covers security in the physical world. There is a whole other set of technology being rolled out to secure digital or e-commerce transactions.
Douglas: Security experts have said there is still a need for other technology, like tokenization or end-to-end encryption, to secure the payment system. Why not have banks and merchants add those extra layers of security as part of the EMV conversion?
McWilton: Tokenization is not necessarily ready for primetime. It takes a bunch of card credentials that consumers would use on the Internet and replace those credentials with a one-time use card number that in some cases may be limited to a specific merchant, specific date, specific time, a specific amount of money. Its use is very restrictive right now, though it could be layered onto EMV to secure the online channel.
Encryption is a much bigger issue. It says that every time data gets handed off from one party to another and another in the chain of the data system, the data is encrypted throughout the entire stretch. That requires a tremendous amount of effort. If you have success with EMV and success with tokenization, the need for encryption is mitigated because the credentials can only be used one time.
Tokenization is the next major channel that has to be secured. Beyond that there is the whole frontier of facial recognition, fingerprinting. There is still a ways to go and each one of those come with all sorts of dilemmas. People are concerned about privacy and having their fingerprints on file; there is a whole gamut of consumer issues that have to be overcome. (Note: MasterCard, along with Visa and Amex, are working on a global standard for developing tokenization technology.)
Ellen Richey: We could see an acceleration of the adoption of end-to-end encryption because of what happened at Target. It's an important aspect of the overall solution, particularly because it's going to take some time to move the entire environment to EMV. You have to let people innovate and develop these solutions, and see which one proves most effective. If you rush in with a mandate too fast, you could freeze in place something that may not be the preferable approach and force people to incur unnecessary costs.
Douglas: Why didn't credit card companies institute an earlier deadline for EMV conversion?
McWilton: There was no impetus for any party to migrate toward EMV because it wasn't a big issue. The merchants and the banks were saying 'I don't need to invest in this technology. My fraud losses are manageable and it's too extensive to do it.' There was not a burning platform five years ago for EMV. Now you've got that burning platform.
Douglas: Why are there different conversion deadlines for merchants?
Richey: There are two exceptions to the deadline--gas stations and ATMs have until October 2017. It's complicated and expensive for gas stations to change out readers that are attached to the pump so they have a longer timeline, same thing for ATMs.
Douglas: How can you ensure that banks and merchants are going to make the EMV switch? It isn't a law and not exactly a mandate.
Richey: If you look at Canada, right around the liability shift date you saw a dramatic increase in chip deployment on the issuing side. We saw it in Canada and all throughout Europe where they converted through a liability shift. And those countries currently have something like a 90 percent chip-on-chip transaction rate, meaning 90 percent of the transactions are chip cards meeting a chip terminal.
The liability shift works. Nobody wants to be the last person issuing mag-stripe cards because criminals are sophisticated enough to know which BINs--the number that identifies the bank that issued your card--don't have chip cards and they go after them. Once it gets started, you don't want to be the last man standing.
Douglas: What's the difference between "chip and PIN" and "chip and signature"? And why are you giving merchants and banks the choice between the two?
McWilton: Chip and PIN is the most secure way to conduct a transaction because it prevents a card that's lost or stolen from being used by a thief at the point of sale by signing for the transaction. There are different views in the marketplace on whether PIN is the way to go. Banks will determine that based upon how they configure their PIN and whether they invest the time and effort in the back office to issue PINs to customers. There are costs to go with that standard.
There are those who believe that the consumer experience is going to be very awkward when you are converting to a chip card and also asking for a PIN. A lot of people don't enter PINs when they use their cards today. The vast majority of transactions are not PIN enabled in the United States. We have a number of big issuing banks that say 'look, I don't want to make the consumer feel more awkward than they do with having to use a chip card, dipping it into a terminal, letting it sit there and then pulling it back out. And then having to enter a PIN on top of that; that's just too clunky. So we're going to go the signature route--you're going to stick your card in, you'll get an authorization, a piece of paper and you will sign for it.' It's more consistent with what they've been doing. We all know that clerks in busy checkout lines aren't closely comparing the signature on the receipt to the signature on the back of the card. It is a less secure protocol than PIN.
Chip is the secret sauce because it creates a one-time use number based on an algorithm that if you try to hack, it destroys itself like 'Mission Impossible.' We set our liability shift arrangement such that if the issuing bank provides chip cards that require a PIN, they will have the utmost protection on fraud liability. If you're a merchant that puts in a chip reader that has a PIN component, you will get the utmost protection if there is fraud on that transaction. If you decide you don't want to make the investment or that PIN is too awkward, then you are going to have less liability protection.
Richey: The chip is the chip. You can have a chip with any kind of cardholder verification. A lot of people think chip and PIN is a thing, but it really isn't. You can have a chip card and then it can be issued either as signature preferring or PIN preferring. We think the fastest way to get to a secure payment system in the U.S. is not to complicate matters by requiring everybody to adopt PIN everywhere. Only about a third of U.S. merchants accept PIN today, so it would require a change of practice at all of those other merchant locations. It's not really that hard for criminals to steal four digits from you, either by phishing or shoulder-surfing. (Note: Yes, that's a thing.)
In an EMV environment, chip will eliminate counterfeit fraud by itself. What PIN does in an EMV environment is reduce "lost-and-stolen" fraud. You have to steal the physical plastic because you couldn't counterfeit it anymore. If you want to worry about "lost-and-stolen" fraud, there are other ways to control it that wouldn't be vulnerable to phishing, shoulder-surfing and all the rest of it that we think would be more effective in the future.
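The "one-time use number" McWilton describes above is the transaction cryptogram the chip computes, and it is why Richey can say the chip alone removes counterfeit fraud. The following is an added illustration, not from the interview or from MasterCard or Visa, of why such a number can neither be replayed nor produced from copied stripe data; the key derivation, the HMAC-SHA256 construction, the sample PAN and the key value are constructed simplifications, not the EMV specification's own 3DES/AES ARQC scheme.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the one-time cryptogram (ARQC) an EMV chip produces.
# Real cards use 3DES/AES session keys; HMAC-SHA256 here only shows the property.
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed

def derive_card_key(pan: str) -> bytes:
    # Issuer derives a per-card key from its master key (simplified derivation).
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()

def cryptogram(card_key: bytes, pan: str, amount: int, atc: int, un: bytes) -> bytes:
    # MAC over PAN, amount, Application Transaction Counter and terminal nonce (UN).
    data = pan.encode() + struct.pack(">QI", amount, atc) + un
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]

class ChipCard:
    # The chip holds the key and a counter; neither is readable from the stripe.
    def __init__(self, pan: str):
        self.pan, self.card_key, self.atc = pan, derive_card_key(pan), 0
    def generate_arqc(self, amount: int, un: bytes) -> tuple[int, bytes]:
        self.atc += 1
        return self.atc, cryptogram(self.card_key, self.pan, amount, self.atc, un)

class Issuer:
    # The issuer recomputes the cryptogram and rejects a reused counter value.
    def __init__(self):
        self.last_atc: dict[str, int] = {}

    def authorize(self, pan: str, amount: int, atc: int, un: bytes, arqc: bytes) -> bool:
        if atc <= self.last_atc.get(pan, 0):
            return False  # replayed or stale transaction
        expected = cryptogram(derive_card_key(pan), pan, amount, atc, un)
        if not hmac.compare_digest(expected, arqc):
            return False  # wrong key (counterfeit) or altered amount/nonce
        self.last_atc[pan] = atc
        return True

def demo() -> dict:
    pan = "5412750000000001"  # constructed sample PAN
    card, issuer = ChipCard(pan), Issuer()
    un1 = os.urandom(4)  # terminal's unpredictable number
    atc, arqc = card.generate_arqc(2599, un1)
    genuine = issuer.authorize(pan, 2599, atc, un1, arqc)
    # A skimmer that captured (atc, arqc) at checkout replays it at another terminal.
    replay = issuer.authorize(pan, 2599, atc, os.urandom(4), arqc)
    # A copy made from track data knows the PAN but not the chip's key.
    counterfeit = issuer.authorize(pan, 2599, atc + 1, un1, bytes(8))
    return {"genuine": genuine, "replay": replay, "counterfeit": counterfeit}
```

The replay fails twice over: the counter has already been consumed and the new terminal's nonce changes the MAC input, which is the property a PIN does not add and a signature does not need.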
Douglas: You are essentially prodding banks and merchants to go the "chip and PIN" route?
McWilton: If we're going to go as an industry and invest a lot of money on the conversion of this country to EMV, why go part way? We've all learned the lesson of trying to do this on the cheap. If chip and PIN provides the highest level of protection, that's what we should aspire to and that's how we've set our liability shift.
Douglas: I've heard that the Durbin amendment to Dodd-Frank has made EMV adoption difficult. Tell me how that law even comes into play?
McWilton: It's a little exaggerated and a bit of posturing by some of the players in the payment system. If you're presented with a debit card as a merchant, the law says you have to have multiple networks to conduct that transaction. In other words, merchants can't be boxed into using one network (Networks: companies such as Pulse, Star or Maestro, which is owned by MasterCard, that process debit card transactions).
The merchants had an issue with the way the Federal Reserve wrote the rule, which required each debit be processed on two independent networks for verification--one for PIN and one for signature. The merchants argued that the law was supposed to give them more flexibility and choice. And they wanted at least two signature options. When the federal circuit reviewed the Fed's decision, it sided with the merchants. (Note: That decision is being appealed.)
Chip cards have what are called application interface devices that provide routing protocols for the transaction. Now there are people in the payment industry saying 'how can we go out and put chips on cards when we don't know whether there is going to be a one-signature requirement or two-signature requirement?' You can put both on the card, but it is more expensive. And some of the banks are saying 'I don't want to incur the expense of a second signature application when the court's decision might be reversed.'
I think the industry is making a bigger deal of this than it should be. For a long time, people have looked at any excuse possible to defer the implementation of EMV. This is yet another attempt. It's just leaving the door open for the fraudsters. They're not going to go on sabbatical while the appeals court reviews the decision; it's just not going to happen.
Douglas: There have been some studies that say EMV cards can be cloned and counterfeited. Once the technology is in place in the U.S., what liability could consumers face if hackers find a way to replicate the cards?
McWilton: We don't know of any validated cases where EMV technology has been hacked. Banks would still have to stand behind the zero liability standard either way.
Douglas: There are merchants trying to establish their own payment system, like Wal-Mart's MCX mobile payment network. Are you guys worried about how this might impact the conversion to EMV? Or concerned about the competition?
McWilton: We're aware of what they're trying to do. We have dialogue with them because there are some aspects of our network that might be useful to them if we can find a way to co-exist. The large data breach that we're dealing with now has got to be getting big merchants to think really hard about whether they want to own and operate their own payment network.
Retailers are good at merchandising. They're good at brand loyalty and understanding consumers. Operating a payment network is really hard. A lot of businesses have tried to replicate what MasterCard can do and find out that it's not that easy. We get hundreds of attacks on our network every day. And we have extensive amounts of protections and firewalls and security. It's not cheap and it's not easy. Do merchants really want to own a network to save a few basis points on interchange? (Note: MCX would run over the ACH network, allowing retailers to avoid paying banks "swipe" or interchange fees when consumers use plastic.)