Blog article
See all stories ยป

The War On EMV - part 2

OMG ... it is Christmas Eve and we have another charlatan's friend EMV 'expert' claiming that EMV is not the answer to Target data breach in the following article

Well let me tell you again ... EMV IS THE ANSWER as much as 'experts' such as these claim otherwise. It has NOTHING TO DO WITH ENCRYPTION of card data (although this doesn't hurt of course). It has EVERYTHING TO DO WITH DYNAMIC CARD AUTHENTICATION as part of the EMV compliant transaction processing.

YES of course, and unfortunately, the EMV compliant cards and mobile phones (ones having NFC capability) would still provide the card number, expiry date and CVV in CLEAR to the EMV compliant terminals, and therefore ultimately to the merchant systems. Those card data can be stollen if the merchant isn't taking care of them. That's all true. But if this card data is made effectively useless then it simply would not matter.

To refresh our collective EMV knowledge here is the simple fact - the transaction between EMV compliant card and the EMV compliant and certified POS terminal / ATM could be approved (and consumer account charged) ONLY AFTER either

1. in offline transaction - the EMV compliant terminal / ATM fully authenticates the card by verifying dynamic data authentication (DDA) / combined dynamic authentication (CDA) cryptogram, provided by the card, which is unique for each transaction, OR

2. in online transaction - the card issuer system fully authenticates the card by checking dynamic ARQC cryptogram, provided by the card, which is unique for each transaction ...

This all means that the EMV compliant cards MUST ALWAYS FIRST PROVE to the EMV terminal (offline case) or card issuer system (online case) that they are 100% authentic cards, which are issued by the certain bank, BEFORE transaction can proceed and eventually be aproved.

The EMV cards produce these dynamic authentication cryptograms by using secret keys unique for each card, which are injected into them during the card personalization process by the card issuers.

No EMV cards can be cloned and replicated, unless the thief also knows those secret keys - and they are imposible to get by simply reading the card data. On the other hand magnetic stripe cards DO NOT need to (because they simply can't) authenticate themselves to the POS terminals or card issuer systems and they can be cloned and replicated very easily (because they are just storing STATIC card data, without ability to produce any dynamic authentication cryptogram).


The only 2 reasons why it still matters when these hacker 'bad guys' steal card data from careless merchant's systems is because

1. US is still using and relying on mag stripe cards for proximity payments across the board - in merchant stores and in ATMs

2. the stollen card data could be used in online internet payments which are not protected by 3-D Secure consumer authentication

Risk #1 CAN BE FULLY ELIMINATED by US switching completelly to EMV technology. Then every card would have to be properly authenticated by verifying the card's dynamic cryptogram on every merchant POS terminals or every ATM machine, before the transaction can be approved.

Risk #2 can be eliminated in many ways - 3-D Secure, etc, ...

Basically if EMV cards were used everywhere and if magnetic stripe technology is completely eliminated (phased out) then stollen card data would not matter at all anymore to anybody. Nobody will be able to clone the EMV card by using card number, expiry date and cvv value and use it on ATM or merchant POS terminal.

Now all of you 'experts' ... can you please STOP spreading NONSENSE anymore ... once and for all ... PLEASE.

Let us hope that year 2014 may bring some sense into the payment industry.


Comments: (0)