Data breaches turn spotlight on EMV cards
Can chip-enabled cards reduce data breach damage?
It's no secret that the United States has been slower than other parts of the world to embrace "smart" credit cards embedded with computer chips. Recent data breaches have led to a renewed push to transition to the more secure technology. However, while some companies are moving up their timelines for supporting chip-enabled cards, many caution that the technology has its vulnerabilities, too.
Target was the first major retailer to sound the alarm in the flurry of breach announcements that began in December, when it revealed that customers' payment card data had been compromised. Consumers were further rattled when Neiman Marcus and Michaels also announced security breaches. Most recently, White Lodging Services, a company that manages more than 169 hotels, including some Marriotts and Sheratons, announced a breach that may have impacted customers at 14 properties between March and December of 2013.
The recent breaches show "how truly vulnerable the U.S. payment system has become," says Randy Vanderhoof, executive director of the Smart Card Alliance, an organization that works to promote the technology used in chip-enabled cards. The breaches also have sparked a renewed interest in EMV.
EMV stands for Europay, MasterCard and Visa, the developers of the technology's standards. Credit cards that use EMV technology have an embedded microprocessor chip instead of a magnetic stripe. While magnetic stripes store credit card numbers and expiration dates, which can be used to make counterfeit cards, EMV-enabled cards encrypt transaction data differently each time the card is used. As a result "that data is no longer vulnerable to counterfeiting," Vanderhoof says.
A long time coming
One reason EMV-enabled cards have been slow to catch on in the United States is because of the huge cost to banks and retailers to convert card readers, ATMs and other payment processing systems. The Smart Card Alliance estimates that there are between 10 and 15 million EMV-enabled credit cards in use in the United States, "but that still represents less than 2 percent of the total card market," says Vanderhoof. Of the 10 million point-of-sale devices in the U.S. market, roughly 1 million -- or 10 percent -- are EMV-capable, Vanderhoof adds.
There are even more hurdles facing debit card issuers. Unlike credit cards, which typically work with one network such as Visa, MasterCard or American Express, debit cards typically work with multiple networks, such as Visa, MasterCard, PULSE and STAR. As a result, more parties have to agree to technical standards that would allow the networks to communicate with each other during an EMV transaction. While debit issuers have been grappling with the issue for the past two years, "the Target incident has put the pressure on all participants to do something quickly," says Bob Woodbury, senior vice president and general manager for FIS Payment Networks. FIS is a founding member of the Debit Network Alliance, an organization working to come up with EMV standards for debit payments in the U.S.
Retailers and financial institutions have another incentive to move quickly on EMV. Visa, MasterCard, American Express and Discover have all announced that merchants and banks that do not support EMV transactions by October 2015 will be held liable for fraud that occurs as a result.
But some companies are taking action before that deadline. Target Chief Financial Officer John Mulligan announced in early February that the retailer would invest $100 million in order to be equipped to handle EMV technology by the first quarter of 2015, six months earlier than its previous goal.
After the breaches, MasterCard President of North American Markets Chris McWilton wrote in a letter to customers: "in the wake of the recent reported merchant data breach, chip technology has gained even greater interest and rightfully so ... MasterCard continues to believe that now is the time to migrate to EMV in the United States."
Visa echoed the same sentiments with CEO Charlie Scharf saying, "Visa is committed to ensuring our network operates at the highest level of security available and will continue to move the industry toward the adoption of new safeguards including EMV chip" technology.
In the wake of the recent reported merchant data breach, chip technology has gained even greater interest and rightfully so ... MasterCard continues to believe that now is the time to migrate to EMV in the United States.
|-- Chris McWilton
MasterCard President of North American Markets
Consumers are also looking to EMV for renewed confidence in the payments system. Dan Nainan, a comedian in New York, had his credit card compromised after shopping at Target over the Thanksgiving holiday weekend. Since then he's only shopped with cash and says he will be reluctant to pull out a debit or credit card until EMV chips are in wide use in the U.S.
solution, not a panacea
While most agree that EMV is an improvement over the magnetic stripe, it won't prevent all fraud. In fact, it wouldn't have prevented the Target breach, Vanderhoof says, but "EMV would have significantly reduced the damage that resulted from the data breach because there would be fewer cards vulnerable for counterfeiting."
EMV does not protect consumers from "card-not-present transactions" -- those made via the Internet or phone in which the cardholder is not physically present -- because no chip transaction is involved.
Another problem is that EMV-enabled cards in the U.S. are likely to continue to have a magnetic stripe so they can be used by merchants who have not upgraded. As long as EMV cards have the magnetic stripe, they will continue to be vulnerable, says Michele Johnson, director of legislative affairs for The Credit Union National Association (CUNA).
CUNA estimates that the breach cost credit unions between $25 and $30 million in card replacement costs and the monitoring of customers' accounts. However, that number could rise if fraudulent purchases are made as a result of the breach, says Bill Hampel, chief economist for CUNA. For that reason, credit unions are looking for a long-term solution that improves upon the security benefits of EMV. "We do see things evolving from magnetic stripe to EMV chips, but we also see things evolving past that," Johnson adds.
Congressional hearings have begun, which look at what retailers and industry groups can do differently to prevent other breaches from occurring. Legislation has also been introduced by Senate Judiciary Committee Chairman Patrick Leahy that would require companies to better protect personal data and force them to disclose information about breaches to consumers.
While EMV isn't the endgame, it's a step in the right direction that the payments industry can build upon to make a safer environment for consumers. "We need to redouble our efforts and try to get this conversion moving as quickly and as efficiently as possible so we don't have consumers being adversely affected years from now because we didn't make the investments today," Vanderhoof says.
See related: Headed overseas? Get an EMV chip card
- Metal credit cards aren't just for the wealthy now – Metal credit cards aren't just for the wealthy now. Once reserved only for affluent, a few no-annual-fee cards now have that "plunk" factor ...
- If you really want a metal credit card, you can get one for a fee – The Lion Credit Card startup will turn your plastic card into a metal one for a fee, but why would you want to do that? ...
- Skim Reaper: The death of card skimmers? – A grimly named handheld gadget can detect card-data-stealing skimmers in compromised gas pumps, ATMs ...