 |
| He's ready to learn. Let's get moving. |
These days,
EMV chips are all the rage in Europe, and, with their official USA ETA in
October 2015, they’re coming on over to stay in the United States as well. You might have an EMV card now, or maybe you’ve
seen a few of your customers present them to you for payment. But, aside from looking high-tech and probably having to do with security,
just what’s going on with these EMV chips? Here are five quick details to take with you.
1. EMV chips don’t significantly change
how cards are used, but they really only work for card-present transactions
As the EMV
chip is a physical feature of a card, it interacts with another physical object
for its security: an
EMV chip reader. For card-not-present
transactions, all information is transmitted manually over a phone line or the
internet, so the chip’s security won’t have any use at all in those situations.
Aside from the physical aspect of having
EMV chips, newer credit cards look the same as their older counterparts. (Eventually, the magnetic stripe on EMV cards
will fall out of use as businesses update their hardware, as all pertinent
transaction information can be gathered through an EMV chip anyway.)
2. The EMV shift will cost businesses
and banks a good deal to implement
Replacing a couple of credit card
terminals might be annoying, but it isn’t terribly expensive–I’ve seen
EMV-equipped terminals for $300, give or take about $50. But, what if you
own a retail store with four credit
card terminals? What if you operate an independent grocery store and you
need to replace ten? Considering those possibilities, it’s no wonder many
business owners are trying to shelve their updates for as long as possible. And, it isn’t just retail businesses that are
feeling the pain. Banks have their work cut out for them, what with the nearly
billion older credit cards in
circulation now. And, let’s not forget
their ATMS, which will all have to be
equipped to read new EMV debit cards.
3. October 2015 is the deadline to
update your card-reading hardware, but you probably won’t see overall
compliance until much later
October 2015
marks the liability shift—the point
at which businesses become responsible for fraudulent charges resulting from
EMV-equipped credit cards used with standard mag stripe-reading terminals. Some businesses will be slow to adapt to the
new rules, however dire the punishment for not doing so, simply because of the
expense of updating hardware. You may
very well have $1200 lying around to spend on four new EMV terminals, but, you
may not want to part with it because you don’t see the need—not yet, anyway,
because you haven’t been hit by fraud… It’s a waiting game, though.
4. EMV chips do prevent fraud nicely,
but it’s still possible to pull a fast one on card-issuing banks
In October
of this year, a fraudster team in Brazil reportedly captured credit card data
from a real EMV-equipped credit card, and then manipulated information like
credit card numbers, issuing banks, and acquirer IDs, to fabricate other
transactions on the fly that looked quite real with the addition the captured
EMV information. According to this
article, the fraudsters played off the notion that banks’ fraud controls
would be looser for EMV-signed transactions—and, indeed, they were, as banks
automatically approved the charges due to the presence of the additional EMV
information, however false it was. These
so-called replay attacks aren’t so
common, but can occur from time to time if someone’s head is turned away at the
wrong time.
5. There are two different potential EMV
systems to put in play, each with distinct advantages and disadvantages
When
businesses choose to upgrade to EMV technology, they will have another choice
to make: whether to use a chip-and-PIN
system or a chip-and-signature system.
Chip-and-PIN systems are the inherently more secure option because their
requiring a PIN (verified by the EMV chip) with every transaction makes it
much, much harder for thieves to use a card fraudulently at that kind of credit
card terminal. As expected, a
chip-and-PIN system requires the use of a special PIN pad, which costs businesses
money to use. Bearing that in mind,
there is another, somewhat less secure method businesses can use to secure
their EMV transactions: the chip-and-signature system. The major factor chip-and-signature systems
bring to the table is their lack of a
PIN feature. Signatures add a small veil
of security, much like signatures for purchases with conventional credit cards,
but the problem is signatures can always be replicated, and, as anyone who’s
ever used one of those battered electronic styli and pads at a grocery store
can attest, it really doesn’t matter what the hell you sign. Predictably, businesses tight on cash will
opt for the less secure chip-and-signature method in the interest of cutting
costs—until they’re affected by fraud themselves. So it goes!
By now you
understand I’m full of it; brevity isn’t my strong suit
Those weren’t
fast facts at all, but, hopefully they were substantial facts and you come away
from this ready to win some bar bets. In
all seriousness (I know! In this
blog?!), EMV is a big deal because it’s the first real update to the credit
card itself since its (mainstream) inception in the ‘70s. Cards are going to look a little different,
and business owners and banks will have to front the cost of these upgrades;
that’s just the system we’ve built.
Security will likely be much better in the future, though, and we won’t
have as many of these nasty fraud stories to talk about.
Cheers,
Jeremy
No comments:
Post a Comment