EAST, the European ATM Security Team, has recently released
European ATM crime statistics for the period January to June 2010. The figures show a 24% increase in card skimming attacks at European ATMs - 5,743 attacks were reported for the period January to June 2010, compared with 4,629 for the same period in 2009.
This is the highest ever figure for a six month period since EAST first began reporting these statistics in 2004.
More reassuringly, for the same periods, skimming related losses fell from €156 million to €144 million. This is the fifth consecutive reported fall since the period July to December 2007, when losses peaked at €315 million. Incidents peak, yet losses
continuing to fall? The bad guys have to work harder for less return.
The industry in Europe has invested significantly into EMV (Chip and PIN) technology and 95% of European ATMs are now EMV compliant. So what? So it is now much harder for criminals to get cash from compromised European EMV cards within the EMV area. Why?
Because an EMV card issuer will not allow an EMV card transaction to take place without a Chip. Even better, the EMV area is expanding and the liability shift now also applies to both Canada and South Africa, and more countries will follow. The world, with
the exception of the USA, parts of Africa, and Mongolia, is moving to the EMV standard.
Which brings one to the salient security weakness of most EMV cards – they still have a magnetic stripe on them. This means that the sensitive stripe data can still be skimmed or illegally copied, although industry counter-measures mean that it is not always
easy. Why do European EMV cards still have a stripe? So that cardholders can use them globally at any terminal that accepts their scheme. This opens the convenience debate: EAST ran two web research polls to assess opinion on this topic from November 2009
to February 2010 (you can download the poll results from the
ATM Research page of the EAST website).
In the first poll 60% of the respondents felt that European EMV cards should not hold sensitive cardholder data as standard in a magnetic stripe, and in the second poll 28% indicated that they would be happy to contact their bank to activate the stripe on
their card before travelling outside of Europe, 12% were happy to carry a Chip only card, and to apply for a separate stripe card should they need to travel outside Europe, and 20% were in favour of both.
Now the EAST polls are just opinion snapshots, not scientific studies, but logic dictates that the vast majority of European card holders do not travel either outside their own country, or certainly outside the 32 countries of the Single Euro Payments Area
(SEPA) – and now Canada and South Africa have joined the club. Events are overtaking the debate as Chip only debit cards are starting to appear in Europe, most notably the
V Pay initiative offered by Visa Europe which first appeared in 2005. The more of these cards that are issued to satisfied cardholders, the more other issuers are likely to follow suit.
Is this the beginning of the end for the magnetic stripe on payment cards? According to the European Central Bank (ECB) it is for European payment cards; the
7th Progress Report for the Single Euro Payments Area (SEPA) has just been published, from which an extract is below:
"In line with Europol’s stance on the future of the magnetic stripe and in support of the
industry’s efforts to enhance the security of cards transactions by migrating from the
“magnetic stripe” to “EMV chip” cards, the Eurosystem considers that, to ensure a gradual migration, from 2012 onwards, all newly issued SEPA cards should be issued, by default, as “chip-only” cards. If the industry decides to keep the magnetic stripe
for practical reasons, any data enabling magnetic stripe transactions should be removed. The industry will have to be prepared to offer the cardholder cards with legacy magnetic stripes upon request as long as there are still regions outside SEPA which have
not fully migrated to EMV."
I put up a blog on this site last November asking
‘Should we have chip only payment cards’, which resulted in quite a few comments and which kicked off with the question – should sensitive cardholder data be held as standard in magnetic stripes on European EMV cards? It seems that the ECB has just answered