The Target data breach has so far cost US banks over $172 million in re-issued plastic cards, according to figures from the Consumer Bankers' Association.
With that budget and the right approach, one can populate the entire US retail with contactless EMV readers. Retailers are aware of the problem now and by striking that hot iron, it could be possible to bring EMV into the US by the end of this year.
While EMV certainly helps greatly in the fight against fake cards, it should be noted that EMV would not have prevented the recent Target breach. The card details were stolen while travelling "in the clear" through Windows-based POS checkout counters and store servers by some nasty malware called "BlackPOS". It did not matter at all whether that card data originated from magstripe cards or chip cards.
End-to-end encryption between the card reader and the authorization system would have helped, but this may require some changes in the current POS processes. And of course, it would greatly help if Windows and/or Linux platforms did not have those thousands of vulnerabilities. Unfortunately, getting rid of those is a dream that probably will never come true ...
Gerhard, the simplest way to solve the issue of card data is to (a) use EMV in physical retail and (b) use token-based payments online. That way any card data which can be intercepted in retail is useless to the attacker.
@Alexander: Fully agreed, doing both EMV and tokenized electronic payments with end-to-end encryption would solve the problem. I'm all for EMV - but some people seem to believe that issuing chip cards alone would help, and unfortunately this is not the case.
@Gerhard - the point of EMV chip is not to stop the data being stolen in the first place but to render the stolen data useless to the fraudster. It's easy to use stolen data to produce a counterfeit mag stripe card but very difficult to use that data to produce a chip card. And every chip transaction generates a unique cryptogram so it's immediately obvious whether the card is genuine or fake as soon as it's used at an EMV terminal. It's in that sense that the Target data breach would not have been a major problem if the US had completed its migration to EMV chip.
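Added illustration, not part of the original comments: a simplified model of the per-transaction cryptogram check described in the comment above, showing why card data copied from a POS network does not pass at the issuer. HMAC-SHA256, the `Issuer` class, the card number, the key and all function names are constructed stand-ins; real EMV uses its own key derivation and MAC algorithms.

```python
import hashlib
import hmac

def cryptogram(card_key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Simplified stand-in for a chip's per-transaction cryptogram (assumption:
    HMAC-SHA256 here; real EMV cards use their own key derivation and MAC)."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Hypothetical issuer-side check: knows each card's key and last counter."""

    def __init__(self):
        self.keys = {}      # card number -> secret key shared with the chip
        self.last_atc = {}  # card number -> highest transaction counter accepted

    def enroll(self, pan: str, card_key: bytes) -> None:
        self.keys[pan] = card_key
        self.last_atc[pan] = 0

    def authorize(self, pan, atc, amount_cents, nonce, presented) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "declined: unknown card"
        if atc <= self.last_atc[pan]:
            return "declined: counter reused"
        expected = cryptogram(key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, presented):
            return "declined: bad cryptogram"
        self.last_atc[pan] = atc
        return "approved"

def demo():
    issuer = Issuer()
    pan = "4000000000000002"           # constructed card number
    key = b"constructed-card-key"      # lives only in the chip and at the issuer
    issuer.enroll(pan, key)
    nonce = bytes.fromhex("0a1b2c3d")  # terminal's unpredictable number
    genuine = cryptogram(key, 1, 2500, nonce)
    results = [issuer.authorize(pan, 1, 2500, nonce, genuine)]
    # Same captured message presented a second time: the counter gives it away.
    results.append(issuer.authorize(pan, 1, 2500, nonce, genuine))
    # Card number known from intercepted data, but no chip key behind it.
    forged = cryptogram(b"not-the-card-key", 2, 2500, nonce)
    results.append(issuer.authorize(pan, 2, 2500, nonce, forged))
    return results

if __name__ == "__main__":
    print(demo())
```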
@Nick: Fully agreed, it is very hard to produce fake chip cards, so with EMV fully implemented worldwide the problem would be much smaller. But fraudsters are likely to move over to card-not-present situations (online shopping, buying via call centers etc.) where card data that has previously been transmitted "in the clear" via a POS network can still lead to significant fraud.
© Finextra Research 2015