
The War On EMV

Will EMV-based payments be rolled out in the US in the next couple of years? I do not know for sure, but I hope they will and strongly believe that they should. There is a clear push by the major payment schemes with respect to the so-called 'liability shift'. Today card issuers bear the costs of card fraud in the US. After a preset deadline, the liability shift will expose non-EMV-compliant merchants to the full cost of fraudulent transactions that happen on non-EMV-compliant POS terminals. But it is certainly tough to say for sure what is going to happen here and whether the liability shift threat is a strong enough 'stick' (in addition to some carrots, of course) to motivate US merchants toward an EMV rollout. The inconvenience of not being able to use your card abroad is also becoming a big deal for US consumers.

What I have noticed, however, is that many so-called 'payment experts' seem to be taking sides and claiming that EMV is 'this' and 'that' and that it will never happen in the US, for 'that' or 'this' reason, without assuring me that they really know what they are talking about. I have the impression that their goal is primarily creating hype and spreading anti-EMV propaganda instead of factual debate.

I have to say upfront that I have led the implementation of numerous payment solutions in both EMV compliant and in non-EMV environments and I have no vested interest in promoting EMV as a solution over anything else. In other words I am here reporting my own views, based on what I have seen (worked with, read, investigated) so far. Everything I state is based on my personal knowledge and experience in working with EMV and non-EMV environments and is purely based on technical facts.

The recent article

is just one example of anti-EMV propaganda that does not really provide a clear case for what exactly is wrong with EMV that can't be easily fixed (if there is the will) and why EMV would be considered inferior to anything else preached as a viable replacement.

Article => "While wildly successful abroad, experts have long made the case that EMV's once rising star is waning, and that the U.S. payments system requires new solutions to meet its fraud protection needs".

Me => Hmmm. EMV is wildly successful abroad? Yes, I knew that. Did these 'experts' really take the time to understand the real reasons why EMV is 'wildly successful' outside of the US? I do not think so. Well, let me tell you then. It is so because it is the most secure and comprehensive proximity payment solution. It is also becoming a globally accepted and adopted standard - except in the US. Is it an ideal solution? No, of course not. No solution ever will be. However, the other non-EMV payment solutions that I have had the chance to work with are way worse in terms of their support for security and fraud prevention (which is much better than the pure fraud detection they rely on). They are also much more vulnerable to card cloning and identity theft.

Article => "[EMV] becomes much more difficult when things move and shift to cloud-based transactions in a digital environment." "Yes, there are workarounds... [but] more complications and costs are added to the process, which just make it harder. U.S. consumers don’t like harder. We like safe and convenient."

Me => Hmmm, let me analyze this whole bunch of buzzword-loaded 'arguments' more closely - when things move and shift to the 'cloud'? EMV doesn't work in a digital environment? We in the US do not like harder, we like it safe and convenient? For starters, EMV fully supports the 'cloud' and it is 100% digital (hello - as is everything else based on microprocessor technology ;-) Full support for online transaction authorization (i.e. 'cloud' based EMV authorization using the ARQC transaction cryptogram instead of offline SDA/DDA or CDA card authentication) was an important part of the standard from the get-go. And guess what - it works well, and it is very easy and very convenient for consumers (here in Canada all EMV payments have been online based for several years already). Plus, due to its reliance on secure smart card chip technology, it is much more secure, not prone to card cloning and skimming, and more resilient against replay attacks than mag stripe or any QR code based solution I have worked with. The fact is that EMV provides fully secure two-factor authentication based on open, proven and published security standards - i.e. card authentication (a reliable and proven capability, in offline and online mode, to detect fraudulent cards) in combination with fully secure cardholder verification via PIN. The goal is obviously FRAUD PREVENTION. No hassle, quick and fully secure. Everything else I have seen relies (even if it uses cryptography) on a 'security by obscurity' type of paradigm. I do not trust those, nor should you.

But wait ... this gets even better (or worse).

Article => "EMV Is Obsolete - proponents of EMV say that it is compatible with mobile devices, but a growing group of detractors counter that EMV is obsolete, or not enough by itself in the age of mobile and online selling. Further, and perhaps most importantly, they state that these emerging channels mitigate its primary advantages."

Me => EMV obsolete? Well I simply stopped reading here ... I beg you (instead of me) to fill in the blanks for this one ;-) I simply think it is utter nonsense propaganda altogether.

To recap this short blog (unfortunately I have to get ready for an upcoming ice storm here in Ontario, Canada) with a question of my own - what do alternative payment solutions (so-called 'digital', 'cloud' solutions ;-) offer in terms of security and fraud prevention? Unfortunately, not much. A static username/password (in some cases enhanced by using OAuth) is used across the board for user authentication, and nobody seems to be paying any attention to the importance of reliable dynamic device authentication using proven challenge-response methods. Those 'cloud' based solutions are no better in that respect than today's magnetic stripe technology that the US relies on so much. Speaking of anything being 'obsolete' then - nothing is more obsolete than static authentication methods. That's not security - that is calling for fraud. Just ask the Target customers whose credit card data were stolen recently. If the consumer cards were all EMV secure chip based and if US merchants were already using EMV-compliant POS terminals (like merchants anywhere else in the world) then consumers should not have to worry much ... their cards could not be cloned and used at POS terminals and ATMs.
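The difference between static card data and a per-transaction cryptogram, as described above for ARQC-based online authorization and for challenge-response authentication, shown as an added example that is not part of the original post. It is a simplified model: truncated HMAC-SHA256 stands in for EMV's own key derivation and MAC, and all class, function and field names are hypothetical.

```python
import hashlib, hmac, os, struct

def txn_bytes(pan, amount_cents, un, atc):
    # Data the cryptogram covers: card number, amount, counter, terminal nonce.
    return pan.encode() + struct.pack(">QH", amount_cents, atc) + un

def mac8(key, msg):
    # Stand-in MAC (assumption): truncated HMAC-SHA256, not the EMV algorithm.
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    """Models a chip: the key stays inside, only cryptograms come out."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0
    def cryptogram(self, amount_cents, un):
        self.atc += 1  # transaction counter makes every cryptogram unique
        return self.atc, mac8(self._key, txn_bytes(self.pan, amount_cents, un, self.atc))

class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}
    def enroll(self, pan):
        self.keys[pan], self.last_atc[pan] = os.urandom(32), 0
        return Card(pan, self.keys[pan])
    def authorize_static(self, pan):
        # Mag-stripe style check: possession of the card data is sufficient.
        return pan in self.keys
    def authorize_dynamic(self, pan, amount_cents, un, atc, mac):
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False  # unknown card, or a counter value already seen
        if not hmac.compare_digest(mac8(key, txn_bytes(pan, amount_cents, un, atc)), mac):
            return False  # cryptogram does not match this transaction's data
        self.last_atc[pan] = atc
        return True

def demo():
    issuer = Issuer()
    pan = "4000000000000002"  # constructed sample card number
    card = issuer.enroll(pan)
    un = os.urandom(4)  # terminal's unpredictable number
    atc, mac = card.cryptogram(2500, un)
    seen = (pan, 2500, un, atc, mac)  # everything a compromised POS observes
    return {
        "genuine": issuer.authorize_dynamic(*seen),
        "replayed": issuer.authorize_dynamic(*seen),
        "reused_mac": issuer.authorize_dynamic(pan, 9900, os.urandom(4), atc + 1, mac),
        "static_data": issuer.authorize_static(pan),
    }
```

Calling `demo()` shows that the data observed during one transaction authorizes nothing further under the dynamic check, while the static check accepts the same card number every time.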

As for the ability to use stolen card data in online transactions ... well, 3-D Secure is good enough to prevent that as well, with all of the EMV shortcomings existing today (i.e. providing card data in the clear to the POS during the transaction) PLUS there are other potential means to eliminate reliance on card numbers in online payments ... for example, it could be done by simply implementing 'over the air' EMV payments using smart phones in online transactions.

Has EMV been implemented in all markets (the UK comes to mind here) without cutting corners? ... No, unfortunately not, but that same logic applies to any alternative payment solution - corners will inevitably be cut under project / implementation / budget pressures; however, if the corners are cut in solutions less secure than EMV, things will get really bad and ugly, that's for sure. What EMV lacks right now and what can be added easily (i.e. this should be done urgently) is upgrading the EMV spec and implementing full support for end-to-end tokenization (i.e. the EMV chip not giving real card data to the POS or online merchant) and combining it with end-to-end encryption. Both can be added transparently into the EMV applets and EMV POS kernels without impacting the consumer experience that exists now. I hope that would eliminate the last reason for anti-EMV 'experts' to complain.

But that is a topic for another time and blog entry.

