On October 1st, United States will be the last G20 country that transitions to EMV. Known by its “chip cards”, this technology specification named after EuroPay, MasterCard and Visa was built to significantly curb credit card fraud. Instead of leveraging decades old magnetic stripe cards, EMV uses smartchips that are supposed to be much more difficult to counterfeit [1]. This article addresses implications of this technology for merchants, covers some of its technical details, as well as explores its potential benefits and pitfalls.
Liability Shift
To start, let me address EMV adoption thus far. To date, the highest acceptance of this technology is in Western and Central Europe where over 96% of credit card transactions are processed using EMV. Not far behind are Canada and Latin America with 85% adoption followed by Africa and the Middle East with adoption rates of 80%. Other parts of the world only leverage it for 27–58% of transactions and United States is far behind with only about 0.12% [3]. However, that’s about to change since all major payment networks including Visa, MasterCard, Discover and American Express are taking aggressive measures to make sure the technology is rolled out and adopted.
Specifically, on October 1st they are shifting liability for counterfeit credit cards to any party that has yet to adopt EMV. For example, if the issuer (a bank for instance) provides its customers with an EMV card (aka chipped card), but the merchant does not upgrade its payment terminals, the merchant will be liable. On the other hand, if the merchant upgrades its terminals, but the issuer does not issue chipped cards, the issuer is liable. This only applies to in-store transactions while ATM as well as fuel dispenser transactions are exempt until October 2017. The liability shift also does not apply to “card not present” transactions such as online purchases, nor does it apply to fraud committed because of a stolen or lost credit card [5]. It may seem that payment networks are strong-arming everyone, but considering that almost half of world’s credit card fraud happens in the United States even though it only represents quarter of all credit card transactions, perhaps such an aggressive push is understandable. Despite these liability shifts, according to Forrester Research, EMV will not see a broad adoption in the United States until 2020 [7].
Magstripe Technology
To understand EMV, one should first consider how the “old” magstripe technology works. The magnetic stripe on a back of a card comes with several pieces of data encoded on it. It contains card holder’s name and a card number as well as expiration date and the CVV (Card Verification Value). When a consumer swipes his or her card, the reader extracts this data and sends it for validation to the issuer system (such as a bank). The request is actually not sent directly to the issuer, but is often passed through several systems including merchant’s point-of-sale system (and often their back-office), merchant acquirer systems such as First Data or Heartland (and sometimes their third party processors), and payment networks such as Visa or Mastercard [3].
However, there are several security flaws with this design. First, private data including the card number (aka the PAN) is stored on the card in clear text. Anyone with rudimentary tools and very little knowledge can extract these data from a card. Also, merchants often store PANs on their POS and back-office systems unencrypted, which could enable hackers to potentially steal them as well. Further, transactions are sometimes transmitted unencrypted (in clear text) over the Internet and potentially vulnerable to theft. Because of these various flaws, it’s possible for criminals to potentially steal consumers’ card data and either leverage them to create cloned cards or simply use them online. In a fuel retail environment thieves could for instance get access to fuel dispenser’s internal electronics (by simply opening the dispenser with a common key), insert a skimming device and record the data as cards are being swiped.
EMV Technology
In addition to a magnetic stripe, the current generation of EMV cards comes with a chip. The chip is actually a microcontroller, which not only stores data, but also executes logic–like a computer would. As a card is inserted into a chip reader (terminal), it essentially runs a program that performs certain actions while communicating with the reader. In case of “online” transactions (those that are immediately validated by the issuer), the chip first generates a cryptogram called ARQC. This cryptogam is basically a digital signature that insures the card is valid (and not cloned) and that the message has not been altered. The cryptogram is then sent to the issuer along with some additional data. When the ARQC is validated by the issuer, the issuer then responds with a cryptogram of its own (ARPC), which is in turn validated by the chip on the card. This exchange typically occurs for merchants who are “connected” to issuers and are “online.”
As with magnetic stripe cards, data actually passes through several entities including merchant acquirers and payment networks. In scenarios where merchants are not online, cards are still validated. This validation occurs only between the card and the payment terminal. It is accomplished by using digital certificates where the issuers and payment networks generate a certificate, which is then put on the card’s chip. Payment terminals then validate this certificate to insure the card is legitimate and not cloned. [3]. As one can see, unlike traditional magnetic cards, the chip cards are actually checked for validity, which makes them much more difficult to clone. One cannot simply create a copy of a chipped card with ease and expect to use it for fraudulent purchases. In cases where cards are stolen, the usual signature verification still applies in United States. In Europe, EMV uses chip-and-PIN, which means that instead of asking for a signature the terminal will ask the user for a PIN.
EMV Caveats
While EMV is a significant step in the right direction in terms of credit card security, the standard is not intended to be a complete and immediate security solution to prevent ALL credit card fraud. Specifically, EMV’s intent is to curb counterfeit credit cards being used in card present (such as in stores) situations. However, other fraudulent credit card uses and exploits will remain largely unsolved for a while. This was apparent when Europe rolled out EMV. Namely, when it was initially implemented in France, the card-present fraud did drop by 35% (between 2004–2009), but the card-not-present fraud (such as fraud committed online) increased by 360%. Likewise, in many countries where magstripe cards were used as a fallback payment mechanism, criminals would simply continue to use counterfeit magstripe cards to make purchases.
The fact that the specification is only designed to solve counterfeit credit card fraud is apparent when it comes to data security. The encryption used during the process is leveraged for credit card authentication, but not for data transmission [6]. The transmission of PAN (Primary Account Number) and other data can still occur in clear text. This makes it potentially vulnerable to interception by hackers. Security breaches such as the Target breach where credit card numbers were stolen by hackers could still potentially occur because merchants could still store and transmit data unencrypted [6]. These data could then be used to create counterfeit magstrip cards or leveraged fraudulently online.
To prevent this kind of fraud, the industry should implement encryption and tokenization. Encrypting credit card transactions would prevent hackers from stealing data while being transmitted or stored on a server. Moreover, tokenization would replace the actual card number with a token, which would essentially be useless to hackers even if they could get their hands on it. In fact, some technologies like ApplePay already do this while maintaining compatibility with the EMV Contactless specification [4]. According to Shift4, maker of a tokenization gateway, when EMV is implemented as part of a complete solution it can make a real difference in eliminating credit card fraud.
Another set of vulnerabilities relative to EMV centers around actual implementations. EMV is merely a specification, but every company that creates EMV technology must somehow implement it. The implementers typically do so properly, but there have been instances where software developers were simply careless or uninformed and unknowingly created security holes. One such example was when researchers in Europe discovered that random numbers used to insure that credit card transactions are unique and thus cannot be simply re-played were in fact not so random. These security experts were able to in effect “clone” a valid transaction and re-play it against an ATM to withdraw money [2]. This was not a flaw with issuers or payment network systems. It was not even a flaw within the card firmware. Instead, the flaw rested with the software leveraged by the ATM.
Similarly, and even more concerning are potential issues with contactless chip cards because the transmission of card information to a wireless reader is unencrypted. This transmission typically only works when the card is held 2–3 inches away from a reader, but there have been some reports that hackers can boost wireless signals up to 25 feet and essentially snag the card data remotely without the person ever knowing it. While the contactless cards typically do not include cardholder name, address, or the CVV, it’s plausible that hackers could use social engineering (or other means) to obtain its target’s name and address, and leverage them on e-commerce sites that do not require a CVV [8].
Regardless of any potential issues, most experts would agree that EMV is a step in the right direction. There is no doubt that the technology specification will continue to evolve, but at least the payment industry is moving forward. There will always be an ever-present cat-and-mouse game between the security establishment and criminals, but perhaps these latest technologies will tip the scales in the industry’s and thus in the consumers’ favor.
References 1. http://www.esecurityplanet.com/mobile-security/emv-is-no-payment-security-panacea.html 2. http://sec.cs.ucl.ac.uk/users/smurdoch/papers/oakland14chipandskim.pdf 3. https://www.emvco.com/about_emvco.aspx?id=202 4.http://support.verifone.com/fstore/0a463145bbfccb42_17e67747_1491c67f2a9_-6932/Apple%20Pay%20FAQ%20External.pdf 5. http://usa.visa.com/merchants/grow-your-business/payment-technologies/credit-card-chip/liability-shift.jsp 6. http://www.firstdata.com/downloads/thought-leadership/EMV-Encrypt-Tokenization-WP.PDF 7. http://blogs.wsj.com/cio/2015/04/29/broad-emv-adoption-for-plastic-cards-wont-happen-until-2020-forrester/ 8. http://www.click2houston.com/news/thieves-easily-stealing-credit-card-info-by-electronic-pickpocketing/25026758