Is it time for EMV in the U.S.?
In order to consider EMV for the United States, first it is important to understand what it is and how it works.
EMV is an international standard specifying how smart card chips can replace the magnetic stripe on bank cards in payment transactions. The standard also calls them integrated circuit chip cards, a common term that means the same thing as smart cards.
EMV stands for the organizations that developed the standard – Europay, MasterCard and Visa. After the development of the standard, Europay became a part of MasterCard, while other card issuers such as JCB and American Express have begun supporting it. EMVCo, an organization jointly owned by American Express, JCB, MasterCard and Visa, now manages the EMV standard.
Most countries implementing smart bank cards require the use of a Personal Identification Number (PIN) in each transaction, which is why “chip and PIN” is often used to refer to EMV implementation programs.
Post your comment
Comments
What a load of arse!!!
If EMV was rubbish, it wouldn't have taken hold throughout the developed world, so why would anyone apparently occupying a position on the right-hand side of the bell curve want to leapfrog it?
But hey, the Yankee Doodles (who in this respect, are clearly not part of the developed world) are indeed trying to leapfrog EMV by migrating straight to contactless cards (as if contactless cards are "what is next". Ah, but wait, these are nothing more that pieces of RFID enabled plastic broadcasting magstripe data with a dynamic CVV (I know some have a bit of EMV on them, but not seriously). Now I think that's clever - in an era and an area where PCI:DSS is a religion, strongly worshipped by congress, they allow card issuers to issue contactless cards that broadcast unencrypted PANs to RFID pickpockets - well done!
Which brings me to my next point: we hear over and over again that the US, as a nation, is not prepared to pay for the security provided by EMV (and don't give me any of that rhetorical "EMV is weak" nonsense unless you have done the homework and understand what you are saying) but will happily force the implementation of PCI:DSS both at home and abroad. We, the rest of the world, are therefore being forced to implement pointless security systems in order to protect US card data, and to pay dearly for the privilege, and all of this so that you don't have to upgrade your POS.
C'mon Y'all, haul yourselves into the 21st Century.
Posted by David Griffiths, 15/06/2010 11:09am (2 years ago)
No way, no how!!! We need to think about leapfrogging EMV to what is next. Asking retailers to upgrade their POS equipment for the benefits is not justified. If it becomes a necessity, have issuers issue EMV cards to the 5-10% of their customers who travel regularly.
Posted by Steve Klebe, 13/06/2010 7:52pm (2 years ago)
One of the stupidest BS’ US financial institutions like to make is the “cost to merchants and retailers” for “upgrading POS terminals” as if trying to play on the gullibility of the public and to hide their real intentions: they don’t want to pay more to make EMV chipped credit cards.
EMV cards are BACKWARDS compatible; they already have magnetic stripes on them. Europeans, Canadians, and Mexicans have no problem using their EMV chipped credit cards when they visit the US because all merchants in the US have to do is swipe it; they have both EMV AND THE MAG-STRIPE. On the other hand, Americans visiting abroad can’t do likewise because we only have the mag-stripe but not the EMV chip. This is essentially the same as a file created in Windows 98 can be opened in Windows 7.
We invented the credit card yet Americans can’t get to use them abroad while the rest of the world can visit our country and use it with ease? How is this good for our country? Less US dollar being spent abroad while Euros, Canadian Dollars, and even Mexican Pesos flowing into our country. No wonder our money is worthless these days!
Posted by Ken, 09/06/2010 2:59pm (2 years ago)
I'm sure that European issuers welcome any US initiatives. Even though we have implemented CHIP we still need magnetic stripe since our customers travel abroad. Stealing data from mag stripe, and using cloned cards in US (or other places without chip and pin) is still a pain for us.
For inspiration about US initiativ take a look at this article.
http://www.smartcardalliance.org/articles/2010/05/25/emv-comes-to-u-s-for-international-travelers-wal-mart-calls-for-chip-and-pin
Posted by jes rasmussen, 09/06/2010 2:51am (2 years ago)
Just adding to your reasons for the US to migrate: What is currently happening in countries that have made progress on EMV migration such as UK, Brasi and Mexico, is that cards from US travelers have become the most attractive product to local fraudsters. They are very easily ¨cloned" and used and cause a big headache to the owners that get their card canceled by the issuer in the middle of his trip. If banks take at look at their cross border fraud they will notice this increase, and this will only get worst
Posted by Fernando Castejon, 07/06/2010 2:55pm (2 years ago)
Is it really going to take the fact that US citizens are increasingly finding card acceptance in Europe difficult or impossible to drive the migration to EMV? Is the security argument not strong enough by itself?
Many years ago, when the likes of the UK were making the first moves in the direction of chip card technology because it was clear that magstripe cards were too easy to copy and magstripe fraud was on the increase, the US card industry told us that there wasn't a problem in the US and that migrating to chip was a waste of time and money - card fraud in the US was under control.
It now seems to be the case that it isn't. UK card fraud has moved in the predicted direction: card present fraud reduced; card not present fraud on the increase, a bit but not out of control. Whilst this has been happening in the UK (and the rest of the world) US fraud has been rocketing.
The key to this rocket-powered card fraud bonanza is the indisputable fact that data hacked from retail systems, and transaction processing systems, and telecommunication lines, and anywhere else that the data might show up can be used to manufacture fraudulent cards that are electronically indistinguishable from the original - it's all too easy, and has been for the last 20 years. This is NOT the case with EMV data: it doesn't matter where the EMV data comes from, sniffing the transaction, reading the settlement data or even reading the card directly, the compromised data can NOT be used to generate an acceptable card.
If the data is of no value, it isn't going to be at risk. We are currently, as an industry, spending a fortune on implementing PCI:DSS. I am sure that there are many consultants out there paid to defend it, and I am sure that there are many others happy to hide behind the "You've got to have security" argument, without actually understanding why. US payment systems get hacked because the prize is a shed load of data that has real value. The equivalent UK systems do not get hacked because any crim with the required hacking knowledge is usually bright enough to recognise that it's a waste of time - the data has no real value as it cannot be turned into a card.
PCI:DSS might well have closed some doors, but the magstripe data remains valuable. A lot of cash has been thrown at PCI:DSS, but it hasn't made the problem go away, and it's a difficult process to maintain, and the data (magstripe) is well and truly in the public domain.
The current US solution is to force the world to build a safe to protect the valuable data as it travels between retailer and issuer. The rest-of-the-world solution is to render the data valueless!
It seems to me that having developed mainstream cryptography, we have looked for an application, found one and now we are going to make sure that we use it.
There are some very good reasons why the US should embrace EMV. If the one that has gained traction is the fact that the good old US traveller is finding it difficult to pay in the rest-of-the-world, then let's embrace that and move forward. Let's ditch the data on the magstripe and step into the second decade of the 21st century with a commitment to chip.
You wouldn't keep coal in a safe!
Posted by David Griffiths, 07/06/2010 9:39am (2 years ago)
RSS feed for comments on this page | RSS feed for all comments