How to commit credit card fraud? "Simples!" - emboss the card number on the card itself.
The credit card predecessor (called "Certificate of Credit") didn't have a card number at all, just the bearer's name - there were not that many people who were wealthy enough to have such a certificate back in the 20s in a given area, I guess (those cards were only accepted locally).
Next came "charge plates" (I have a few of them sitting on my desk). Those were typically issued by department stores, and were kept in-store too (think of "Pay with Square", btw). Charge plates still didn't have numbers, but this time the name of the owner was embossed - so that a copy of the charge plate could be imprinted, using carbon paper, onto the transaction receipt.
When the first credit cards appeared in the early 30s (initially issued by petrol stations; Diners Club would not come into existence for another twenty-odd years), they had a name, but no embossing - those cards were made of cardboard. Embossing was introduced on plastic credit cards initially as a counterfeit prevention measure. Later, embossing began to be used for the same purpose as embossing on the charge plates - creating the card's imprint on the receipt.
Fast forward to 2013: do we need the card number (let alone the expiry date) on the card? Well, perhaps there could be a few odd places out there where credit card imprinters are still in use, but is that a reason for the whole card industry to remain backward?
All transactions in a physical retail environment can now be conducted without either party knowing the card number. The expiry date is an atavism too, one which serves no purpose at all these days - the issuer does know whether the card has expired or not.
We only need the card number for online transactions. The card itself is not, by far, the best place to keep that number. In fact, banks should be providing us with a different card number specifically for remote transactions, decoupling it from the physical card - so that if the "online" number is compromised, the physical card does not need to be re-issued.
Better still, the issuers should be giving us one-time tokens for online purchases - some banks are already experimenting with that approach.
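A minimal sketch of the two ideas above (an online credential decoupled from the physical card, and one-time tokens for online purchases), added here as an illustration and not taken from any issuer's system. The class, method names and account identifier are hypothetical.

```python
import secrets


class IssuerTokenVault:
    """Hypothetical issuer-side vault: merchants see only opaque one-time tokens."""

    def __init__(self):
        self._online_epoch = {}  # account -> generation of its online credential
        self._tokens = {}        # token -> (account, epoch at time of issue)

    def enroll(self, account):
        self._online_epoch[account] = 0

    def issue(self, account):
        # The token is random: it carries no card number and cannot be
        # mapped back to the account without access to the vault.
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (account, self._online_epoch[account])
        return token

    def redeem(self, token):
        # pop() removes the token on first use, so a replay finds nothing.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return (False, "unknown or already used")
        account, epoch = entry
        if epoch != self._online_epoch[account]:
            return (False, "online credential revoked")
        return (True, account)

    def revoke_online(self, account):
        # Invalidates every outstanding online token for the account.
        # Nothing tied to the physical card changes, so no re-issue is needed.
        self._online_epoch[account] += 1


def demo():
    vault = IssuerTokenVault()
    vault.enroll("acct-001")           # constructed sample account id
    t1 = vault.issue("acct-001")
    first = vault.redeem(t1)           # normal purchase
    replay = vault.redeem(t1)          # stolen token replayed by a third party
    t2 = vault.issue("acct-001")
    vault.revoke_online("acct-001")    # customer reports online compromise
    stale = vault.redeem(t2)           # token issued before the revocation
    fresh = vault.redeem(vault.issue("acct-001"))
    return [first, replay, stale, fresh]


if __name__ == "__main__":
    for result in demo():
        print(result)
```
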
Going further, the physical card should have on-chip tokenization, so that retail transactions can be based on one-time tokens too. That will bring exposure of sensitive data to zero, and would allow retail card terminals to be greatly simplified (as well as reducing their cost).
When there is nothing to steal, there is nothing to protect.
If EMV wants to remain relevant in the fast-changing payments world, they need to start thinking about changing the underwear - the old one begins to stink.