Blog article
See all stories ยป

EMV Smart Card security - what's the way forward?

My post on 'should we have chip only payment cards?' gave rise to some discussion and debate, and many thanks to all those concerned for their views and comments.  The related website poll conducted by the European ATM Security Team (EAST) indicated that 60% of respondents felt that European EMV cards should not hold sensitive cardholder data as standard in a magnetic stripe, although feedback was received highlighting issues with removing the stripe. 

As long as magnetic stripes remain on EMV cards, there is a risk that these can be copied and duplicated for fraudulent use outside of Europe.  EAST has put up a new website poll (https://www.european-atm-security.eu/Research/) which highlights two possible solutions to address this:

1. Magnetic stripes on future cards would not be activated unless the card holder planned to travel outside Europe (as only the Chip would be required to use the card in Europe). To activate the stripe, the Cardholder would have to call their bank (or use another platform such as SMS or internet if available).

2. Chip only cards would be issued to cardholders for use in Europe. Any cardholder wishing to travel outside Europe would need to request a second card, with a stripe, for this purpose. 

It is noted that the second option would give rise to a requirement for most ATM motorized card readers to be reconfigured to not require a magnetic stripe to open the shutter and allow the card to be inserted.

The national representative members of EAST are meeting next month and will be discussing this topic and how to take it forward.  The group is interested in any other views or comments on this.

3401

Comments: (1)

A Finextra member
A Finextra member 21 January, 2010, 10:04Be the first to give this comment the thumbs up 0 likes

Just a thought but couldn't option 1 be activated at the European ATM, rather than on the phone? When the customer returned to Europe, first use of an ATM could then prompt the customer to deactivate the mag stripe. There could also be separate transaction limits for the stripe