From 2001 to 2004, Target actively worked with Visa to push for smart-card use in its stores. The momentum was lost because of concerns about cost, speed and the learning curve for clerks and consumers.
Now, in the wake of disclosing a breach of 40 million card accounts and 70 million customer contact records, Target CEO Gregg Steinhafel, one of the decision makers who halted the EMV rollout back then, is urging retailers and banks to deploy EMV chip-based cards to thwart data breaches at the point of sale. In his own words, Target wants to 'lead' the rollout.
Well, better late than never, I would say. Welcome to the club of EMV technology supporters, Mr Steinhafel. The EMV technology PR teams definitely need you as a prominent 'convert' - a former disbeliever joining the supporters. Big win for the EMV ecosystem players.
This might be overall good news for the EMV rollout in the USA. Will this EMV momentum last this time? It remains to be seen, but the big payment schemes like Visa, MasterCard and others are certainly exploiting the moment and have upped their advertising campaigns.
Many news articles have appeared since the Target data breach was revealed to the general public, promoting EMV's superior security compared to the magnetic stripe.
Hopefully Target's recent 'warming up to EMV' example will be followed by other large retailers - even the ones which formed the MCX consortium. Clearly, scanning QR codes during payments at POS is possible, but it is clumsy compared even with contact EMV and especially with its contactless and NFC derivative cousins. The famous 'liability shift' that's coming will play its role as well. Merchants and Acquirers need to use EMV-enabled POS terminals in order to avoid being held liable for fraud at POS. And Target's example clearly shows that the liability in cases of fraud can be quite significant.
The rollout of EMV in the US would also mean another big thing - we can potentially finally get rid of that archaic magnetic stripe at the back of our plastic payment cards. We do not really need it. Our cards would be chip only. No swiping anymore. No ability to clone the cards and use them in ATMs and mag-stripe-only POS terminals across the US. One big payment security hole that currently exists because of the US resistance to EMV would finally be eliminated.
That's all nice and dandy, but even EMV cards provide the PAN (card number) 'in clear' to the POS during a payment transaction. Yes they do, because the current implementations of EMV do not use the concept of unique per-transaction, end-to-end 'PAN tokenization'. You see, the EMV standard does not prevent card issuers from implementing, on their own, end-to-end tokenization of sensitive card data like the PAN (although it does not recommend that option either). The EMV chip application and the Issuer Host already share several secret keys, the most prominent being the DES key used for the EMV application cryptogram. This shared key could also be reused by the EMV chip application to produce a unique per-transaction, format-preserving 'PAN token' during the transaction (i.e. the BIN/IIN portion of the PAN is preserved for proper routing along the payment rails, but the rest of the PAN is tokenized).
This completely issuer-based PAN tokenization would be completely transparent to the merchant, acquirer and payment schemes. The PAN token would look, feel and behave like a PAN to POS Terminals, Acquirers and Schemes but would have no value if stolen. Only the Issuer Host would be able to map the PAN token back to the PAN.
The beauty of such an 'issuer only approach' is that it should not require any changes to the current EMV specs, because all existing interfaces between POS and card, POS and Acquirer, etc. would stay the same. Only the content of the PAN data item would change transparently, and only the issuers need to be aware of that.
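The issuer-only scheme described above, sketched as an added example (not code from this post or from any EMV specification). It assumes a 16-digit PAN with a 6-digit BIN and a Luhn check digit, uses the card's transaction counter (ATC) as the per-transaction input, and substitutes a simplified HMAC-based Feistel network and a constructed demo key for whatever cipher and shared key an issuer would actually use.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so the two halves end up in their original order

def luhn_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for pos, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if pos % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def _prf(key: bytes, tweak: bytes, rnd: int, half: str) -> int:
    msg = tweak + bytes([rnd]) + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def _feistel(key: bytes, tweak: bytes, digits: str, decrypt: bool = False) -> str:
    """Keyed permutation on decimal strings (simplified, not NIST FF1)."""
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else v
        if decrypt:
            a, b = str((int(b) - _prf(key, tweak, i, a)) % 10**m).zfill(m), a
        else:
            a, b = b, str((int(a) + _prf(key, tweak, i, b)) % 10**m).zfill(m)
    return a + b

def tokenize(key: bytes, pan: str, atc: int) -> str:
    """Card side: BIN stays in clear, account digits change with every ATC."""
    bin_, acct = pan[:6], pan[6:-1]
    tweak = bin_.encode() + atc.to_bytes(2, "big")
    body = bin_ + _feistel(key, tweak, acct)
    return body + luhn_digit(body)  # token still passes POS Luhn checks

def detokenize(key: bytes, token: str, atc: int) -> str:
    """Issuer side: needs the ATC sent with the transaction (assumption)."""
    bin_, acct = token[:6], token[6:-1]
    tweak = bin_.encode() + atc.to_bytes(2, "big")
    body = bin_ + _feistel(key, tweak, acct, decrypt=True)
    return body + luhn_digit(body)

DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
DEMO_PAN = "4111111111111111"  # widely used test card number, not a real account
```

With only nine account digits under the permutation, the token space per BIN is small, so a real design would need to weigh that against the "no value if stolen" goal.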
Would this not eliminate all existing data breach exposures at POS and ATMs? I think it would. It would also mean that Merchant and Acquirer systems would never store PAN data and fraudsters would not be able to steal card data from their systems. And since the US is starting from scratch, this should be considered as an option by issuers right now.
Then we need to secure the CNP channel by eliminating merchant handling (seeing and storing) of any PAN data. That's the area where innovative security-focused companies like Blueline Data (www.bluelinex.com) can help. They already know how to efficiently tokenize the PAN data on the fly in online transactions, in a way that is fully transparent to online merchants and consumers, without requiring changes to the current online merchant's infrastructure. No PAN data ever flows to the online merchant.
With all of these tweaks to EMV and CNP, the scope of, and need for, the heavy costs associated with PCI certifications, audits, etc. may be significantly reduced.
Let's hope that these ideas become reality soon and that one day the lives of consumers and payment professionals become a lot easier, while the lives of crooks and fraudsters become much more complicated as a result.
Blog updated: 30 May 2015 09:47:11