Blog article
See all stories »

With US Rollout Of EMV Who Needs Magnetic Stripe Anymore?

From 2001 to 2004, Target actively worked with Visa to push for smart-card use in its stores. The momentum was lost because of the concerns about cost, speed and the learning curve for clerks and consumers.

Now in the wake of disclosing a breach of 40 million card accounts and 70 million customer contact records, Target CEO Gregg Steinhafel, one of the decision makers that halted the EMV rollout back then, is urging retailers and banks to deploy EMV chip-based cards to thwart data breaches at the point of sale. In his own words Target wants to 'lead' the rollout.

Well better late than never I would say. Welcome to the club of EMV technology supporters Mr Steinhafel. The EMV technology PR teams definitely need you as a prominent 'convert' - a former disbeliever joining the supporters. Big win for the EMV ecosystem players.

This might be overall good news for the EMV rollout in the USA. Will this EMV momentum last this time? It remains to be seen, but the big payment schemes like Visa, MasterCard and others are certainly exploiting the moment and have upped their advertising campaigns. Many news articles have appeared since Target data breach was revealed to the general public, promoting the EMV superior security compared to the magnetic stripe.

Hopefully Target's recent 'warming up to EMV' example will be followed by other large retailers - even the ones which formed MCX consortium. Clearly using the QR code scanning during payments at POS is possible, but it is clumsy compared even with contact EMV and especially with its contactless and NFC derivative cousins. The famous 'liability shift' that's coming will play its role as well. Merchants and Acquirers need to use EMV enabled POS terminals in order to avoid being held liable for fraud at POS. And Target's example clearly shows that the liability in cases of fraud can be quite significant.

The rollout of EMV in the US would also mean another big thing - we can potentially finally get rid of that archaic magnetic stripe at the back of our plastic payment cards. We do not really need it.  Our cards would be chip only. No swiping anymore. No ability to clone the cards and use them in ATMs and mag stripe only POS terminals across US. One big payment security hole that currently exists because of the US resistance to EMV would finally be eliminated.

That's all nice and dandy but even EMV cards provide the PAN (card number) 'in clear' to the POS during payment transaction. Yes they do, because the current implementations of the EMV do not use the concept of unique per transaction end to end 'PAN tokenization'.

You see, the EMV standard does not prevent card issuers (although it does not recommend that option either) to implement on their own end to end tokenization of sensitive card data like PAN. EMV chip application and Issuer Host already share several secret keys, the most prominent being DES key used for EMV application cryptogram. This shared key could also be reused by the EMV chip application to produce a unique per transaction, format preserving 'PAN token' during the transaction (i.e. BIN/IIN portion of the PAN preserved for proper routing along the payment rails, but rest of PAN is tokenized).

This completely issuer based PAN tokenization would be completely transparent to the merchant, acquirer, payment schemes. PAN token would look, feel and behave as PAN to POS Terminals, Acquirers and Schemes but would have no value if stolen. Only Issuer Host would be able to map PAN token back to the PAN.

Beauty of such 'issuer only approach' is that it should not require any changes to the current EMV specs, because all existing interfaces between POS and card, POS and Acquirer, etc. would stay the same. Only content of the PAN data item would change transparently and only the issuers need to be aware of that.

Would this not eliminate all existing data breache exposures at POS and ATMs? I think it would. It would also mean that Merchant and Acquirer system would never store PAN data and fraudsters would not be able to steal card data from their systems. And since the US is starting from scratch this should be considered as an option by issuers right now.

Then we need to secure the CNP channel by eliminating merchant handling (seeing and storing) any PAN data. That's the area where the innovative security focused companies like Blueline Data ( can help. They already know how to efficiently tokenize the PAN data on the fly in online transactions, in a fully transparent way to online merchant and consumers, without requiring changes to the current online merchant's infrastructure. No PAN data ever flows to the online merchant.

With all of these tweaks of the EMV and CNP it may mean significantly reducing the scope and need for heavy costs associated with PCI certifications, audits, etc

Let's hope that these ideas become reality soon and that one day lives of consumers and payment professionals become a lot easier, while lives of crooks and fraudsters become much more complicated in result.


Comments: (1)

A Finextra member
A Finextra member 04 February, 2014, 09:531 like 1 like

Unfortunately life isn't as easy as that.  Many POS and ATM devices still rely on reading the Magstripe to look for service codes of 2xx or 6xx to determine that an ICC is present.  Indeed - most Unattended Payment Terminal (or Cardholder Activated Terminal - whichever Cardscheme floats your boat) will not accept Cards without a Magstripe present.

I believe an initiative in the early 2000's called V-PAY (built on the back of Electron) tried to kill the Magstripe but wasn't entirely successful for a number of reasons.

Now hiring