February 14, 2014, 10:39 AM — Migrating U.S. payment systems to the Europay MasterCard Visa (EMV) smartcard standard could take significantly longer than envisioned and offer fewer security benefits than what's being touted by proponents of the technology.
In the weeks following the massive data breach at Target, the EMV standard has received considerable attention from stakeholders in the payment industry and from lawmakers.
Cards based on the EMV standard use an embedded microprocessor instead of a magnetic stripe to store cardholder data. Typically, cardholders need to authenticate themselves with a Personal Identification Number (PIN) when using the card.
Chip-and-PIN credit and debit cards are considered significantly safer than magnetic stripe cards used in the U.S. Though the rest of the world moved to chip-and-PIN long ago, the U.S., for a various reasons, has lagged in adopting the technology.
But the Target breach appears to have convinced many that the time has finally come to cast aside reservations about EMV and move to it wholesale.
Even before the breach, MasterCard and Visa announced that they want merchants and card issuers to be ready for EMV card transactions by October 2015. They have noted that the liability for any fraud that occurs at point-of-sale terminals will shift either to the merchant or the card-issuing bank after that date.
If the retailer's point-of-sale systems are EMV-ready but the card-issuing bank's cards are not EMV-compliant, the cost of any fraudulent transactions associated with those cards would be borne by the bank after October 15, 2015. On the other hand, if the bank is EMV-ready but the merchant's POS does not support the technology, the merchant would bear responsibility for any fraud.
Gas station owners will have an additional two years to migrate automated fuel dispensers to EMV before the liability switch occurs.
Despite continuing reservations about the deadlines, MasterCard and Visa solidified their plans only in the weeks since the Target breach. Senior executives from both card associations publicly confirmed their intention to stick with their EMV implementation roadmaps, citing the Target breach as an example of why the move is needed.
The problem is that moving over the EMV won't be easy, but it will be expensive.
1. Upgrading to EMV will cost billions
One of the biggest obstacles is cost. POS systems capable of reading EMV cards can cost hundreds of dollars apiece. Retailers like Target can expect to pay tens of millions of dollars just swapping out the hardware. In addition, they will also need to spend on software, testing and deployment.
Gray Taylor, executive director of the Petroleum Convenience Alliance for Technology Standards (PCATS), a trade group representing convenience store and petroleum retailers, expects his industry will have to spend up to $4 billion to swap out an estimated 800,000 POS systems.
Gray estimates that across the U.S., merchants will need to either replace or upgrade an estimated 13 million POS systems to be ready for EMV card transactions. "That is a big expense that we are going to have to pass down to the consumer," Taylor said.
In addition, card-issuing banks will need to spend tens of millions to upgrade their networks and internal systems if they want to be ready for PIN debit and PIN credit transactions.
2. Security ROI still iffy
It's not clear if the investments will yield the kind of security benefit that many assume it will.
That's because the EMV standard can be implemented in a variety of ways. A majority of EMV implementations around the world require cardholders to enter a PIN as an authentication measure when conducting a transaction. These kinds of Chip-and-PIN EMV implementations are believed to yield the strongest security benefits.
But EMV can also be implemented in less secure ways. For example, EMV can be implemented simply as a chip card without a PIN, or as a chip card requiring either a signature or a PIN to authenticate the cardholder. Such smartcard implementations still offer more security than magnetic stripe cards, but they are less secure than chip-and-PIN formats.
MasterCard and Visa have left it largely to the card-issuing banks in the U.S. to decide which route they want to take.
But without a mandatory PIN requirement, any move to EMV standards in the U.S. is half-baked at best.
"It is not the enhanced security system that retailers have long-called for," says Brain Dodge, senior vice president of communications at the Retail Industry Leaders Association (RILA). "There is an enormous cost with moving systems to EMV. From the retailers' perspective, the added protection we are getting (from smartcards) is not enough to justify the expense," without a mandatory PIN requirement, Dodge said.
3. Not just a PIN issue
EMV implementation plans in the U.S. also permit the use of a magnetic stripe on the back of the card. This further weakens any benefits that might be gained from having a smartcard in the first place, said James Huguelet, an independent consultant who specializes in retail security.
In addition, EMV implementation plans do not require encryption of cardholder information on all transactions, which is another major weakness, Huguelet said.
For instance, EMV technology would have done little to prevent data thieves from harvesting credit and debit card data from Target's POS systems because the data was grabbed before it could be encrypted.
Even if all such issues were to be magically solved, EMV alone does nothing to make online and mobile payment methods more secure, Huguelet said. EMV cards are fundamentally designed to make so-called card present transactions more secure. The technology makes it harder to clone cards and use them to make fraudulent transactions. However, they are of less use in card-not-present situations such as online or mobile transactions.
In the wake of the Target breach, "there is a meme that has developed that the U.S. isn't moving quickly to EMV -- [and] if it did, that will make consumers safe," Huguelet said. "But there are several inconvenient truths to the current state of EMV in the U.S. that this sort of storyline ignores."
Seth Eisen, senior business leader with MasterCard North American Markets, downplayed such concerns. He noted that the liability structure under the proposed EMV model would be incentive for both U.S. banks and retailers to implement the most secure form of EMV.
"The terminal where the transaction takes place would determine the technology for the liability shift. If that terminal is not EMV and the card is, then the merchant is liable for any counterfeit fraud," Eisen said.
"After the liability shift goes into effect, the party that has the lower security standard will be liable for fraud if that were to take place." So banks and retailers have equal incentive to move to the strongest form of EMV, he said.
Visa did not respond immediately to a request for comment.
4. Time is also an issue
Moving the entire U.S. payment system to EMV will take a whole lot longer than October 2015 deadline.
Canada first began moving to EMV in 2003. More than 10 years later, only about 85% of the country's POS systems can take EMV cards, Taylor from PCATS said, and that's in a country with a more centralized payment system and far fewer POS systems, compared to the U.S.
Meanwhile, in countries where merchants have almost completely shifted to EMV-enabled POS systems, the banks have been slow to issue smartcards, Taylor said.
Migrating the U.S. payment system to EMV will take years, and by the time the process is complete, most payments would have shifted to mobile and online applications, Taylor said. "Visa and MasterCard are hell bent on making us homogenous with the rest of the world. But the fact is that we're going to be the last guys in on an aging technology."
Instead of focusing so much on EMV standards, the effort should be to develop technologies and techniques for securing payment methods of the future, Taylor said. In the meantime, several options are available to make payment technology safer, including end-to-end encryption, tokenization and mandatory PIN use, he noted.
5. Legal obstacles
One other obstacle to EMV adoption in the U.S., at least as far as retailers are concerned, has to do with the manner in which debit PIN and debit signature transactions are routed for processing.
Under a federal measure known as the Durbin Amendment, merchants are supposed to have a choice of at least two independent networks for processing debit transactions. The measure is aimed at increasing competition and reducing the controversial "interchange" fees that merchants pay banks and credit unions for each debit transaction.
However, a legal dispute between banks and merchants over a court's interpretation of the Durbin Amendment's intent has delayed implementation of the measure. A ruling on the issue is not expected until this fall, which means retailers will have to wait until then to decide how they should implement EMV for PIN and signature debit transactions.
This article, 5 issues that could hamper EMV smartcard adoption in the U.S., was originally published at Computerworld.com.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about endpoint security in Computerworld's Endpoint Security Topic Center.