By Joe Thomas,
Director of Network Security, VPS

Traditional magnetic-stripe credit and debit cards—a technology in use for over 40 years—is being phased out in the U.S. by a new technology design to reduce card-related fraud: the EMV chip-card.

Mag-stripe cards contain the card number and card owner’s personal data, in plain text. Thieves love to get their hands on this data because they can use it to make counterfeit cards and fraudulent transactions.

EMV—which stands for Europay, MasterCard, and VISA—is a universal standard for cards with computer chips used to verify point-of- sale transactions. Unlike mag-stripe cards, every time an EMV card is used for a transaction, it creates a unique transaction code (or “cryptogram”) that cannot be used for any future transactions.

If a thief did copy the chip data used during an EMV transaction, he would be unable to use that data to make another transaction, or a counterfeit card.

An estimated 40% of the world’s cards and 70% of its terminals deployed outside the U.S. are using the EMV standard.

“Liability Shift”

EMV technology has been used all over the world since 2002, and it’s been proven to greatly reduce counterfeit cards and fraudulent purchases. Some 2.37 billion chip payment cards are now in use, and 99% of terminals in Europe are chip-enabled.

In what’s termed, the “liability shift,” merchants (including government agencies) who use non-compliant credit/debit card readers after October 1, 2015, may be held financially responsible for losses attributed to accepting a card that was lost, stolen, or fraudulently replicated.

And note that EMV-ready POS card-readers are backward compatible: they’re still able to accept the old mag-stripe/swipe-and-sign cards. Card readers that are EMV-ready and backwards compatible to swipe-and-sign are considered complaint for the liability shift.

But card holders should have their EMV cards in-hand before the deadline date. American Express, Discover, MasterCard and Visa have all announced plans for moving to EMV, and banks have already started issuing their customers payment cards with EMV technology.

In the government space—where billpayers can exercise their cards to pay taxes and a variety of fees, via POS—the threat of someone paying with a counterfeit card would seem minimal. Rather than fraud protection, it’s more a question of compliance and being able to accept the new EMV chip-cards.

Astonishingly, almost half of companies in the U.S. were subjected to a data breach in the past year (according to a Ponemon Institute study). Many of these security failures—like the highly-publicized ones at Target, JP Morgan and Home Depot—resulted in compromised personal information for millions of customers.
45% of card fraud in the U.S. (2104) was online
37% of card fraud in the U.S. was card-present counterfeitBut some occurred through point of sale systems (POS)—termed, card-present fraud—and these are the types of breach that chip and pin technology would protect against.But other incidents occurred through different kinds of breaches, like compromised user passwords or login information, or by accessing credit card information stored through online purchases.

These issues EMV cannot resolve.

SOURCES: USA Today & Ponemon Institute