Like it or not, today the U.S. finally adopts EMV technology. While the implementation by most major retailers and large U.S. banks is expected to be delayed, the “chip and PIN” card types are coming to America to stay.
The real debate is, will EMV adoption do anything for card data security?
Andrew Barratt, Coalfire’s Managing Director of Europe, explained some lessons learned from the United Kingdom. He sat down with John Rostern, executive vice president, to discuss the EMV liability shift.
Andrew: There has been a lot of coverage in the US recently about the upcoming liability shift this week. It looks like the adoption of EMV chipped cards in the USA is starting to finally gain some traction. You're finally catching up with us in Europe!
John: Yes, many of our multinational clients are already quite aware of the benefits of chipped cards as their Canadian and European operations have already made the shift. However, their U.S. operations represent the immediate task at hand. For many merchants in the U.S., there is still a great deal of uncertainty around what it really means in terms of the liability shift, cost and the real benefits of chip-based cards.
Andrew: The UK completed its EMV adoption in February 2006 (almost 10 years ago!) and many of the resources that were created are still freely available at the www.chipandpin.co.uk website.
There is a good “what happens after” and some basic cardholder security guidance. Over this side of the pond, we went for chip and PIN as the preferred option, primarily as a consumer protection mechanism. Chip and signature offered the benefit of counterfeit card protection, but doesn't protect the consumer because signatures can still be easily copied.
John: It is important to note that the initial adoption in the US will be chip and signature as opposed to chip and PIN. US processors/acquirers are supporting 'chip and choice' where consumers may still swipe a mag-stripe-only card, but if a card has an EMV chip, the transaction will default to that more secure method. This includes support for contactless payments, as the newer terminals typically support multiple transaction modes.
Andrew: In the U.K., a cardholder is essentially liable for all their face-to-face transactions that are PIN verified unless they can categorically prove that their card had been stolen and their PIN compromised. In those circumstances there are a few additional protections afforded by provisions under our Banking Code as well as the Consumer Credit Act. Essentially, the liability sits with the card issuer. If the merchant is still accepting swipe transactions, they hold the liability for those.
John: In the U.S., in cases of card-present fraud, liability will default to the party using the least secure method. For example, if a merchant is not accepting chipped cards and their acquirer/processor supports them, the liability would rest with the merchant. Conversely, if the acquirer/processor does not support chip transactions or the consumer’s bank has not issued them, the liability would shift to a different party.
Andrew: Eventually, the U.S. will be very similar to the U.K. and Europe. Do you think the Federal government will put any consumer protection laws in place to protect against PIN theft or signature fraud, or have they already?
John: The Fair Credit Billing Act (FCBA, which is similar to the Consumer Credit Act in the U.K.), which dates back to 1974 as an amendment to the Truth in Lending Act, describes the recourse available to cardholders for disputed, potentially fraudulent transactions. In the U.S., consumers are not held financially responsible for fraud. The card brands have made a point of reiterating this as part of the media campaign around the introduction of chipped cards.
Andrew: Is there still confusion over what EMV actually is in the U.S.? Over here, there was confusion over whether EMV was also doing the encryption of the account data, which we know is afforded by PCI-P2PE solutions.
John: Yes, the same thing is happening here. Unfortunately, EMV was portrayed by some as a 'silver bullet' solution to payment card security. In fact, the payments ecosystem needs to be viewed in its entirety, and authentication is just one aspect. EMV will be very effective in reducing card-present fraud by making it much more difficult, though not impossible as some have stated, to duplicate a card. Unfortunately, the adoption of chip and signature as opposed to chip and PIN somewhat devalues the solution in a lost or stolen card scenario.
Point-to-Point Encryption (P2PE) and tokenization, together with EMV, offer an opportunity to improve overall payment transaction security by removing cardholder data from the merchant. P2PE encrypts the card data at the point of interaction, while various types of tokenization are available to support one-time or recurring transactions.
Andrew: So, it looks like we'll probably see an uptick in e-commerce and card-not-present fraud in the U.S., which is essentially the way it went in the U.K. And whilst there are a lot of stories of 'EMV compromise,' the attacks that are published are typically not attacking EMV. They are skimming the card data from older card types. As the U.S. is implementing EMV later, hopefully we'll not see the cards that are susceptible to PIN skimming in use.
John: It is very likely we will see stolen EMV data used in certain card-not-present scenarios. Without encryption or tokenization, the card data is still present in an EMV transaction. Until there is a CVV2 mandate similar to the one by Visa Europe in 2008, we'll probably see similar attacks on the data, but the usage of that data will change. I think the e-commerce uptick will affect a lot of SMB businesses that are currently adopting limited security practices online and placing a lot of reliance on their e-commerce processor.
As always, merchants will need to ensure they have a rounded security program and understand the ways the payment data could change and the potentially new targets within their business.
Other Resources
Visa - EMV Liability Shift
Visa Europe - Managing Fraud in a changing retail environment
Chip and Pin! - www.chipandpin.co.uk
EMV Connection - http://www.emv-connection.com/emv-migration-driven-by-payment-brand-milestones/
Data Protection Report - http://www.dataprotectionreport.com/2015/05/the-emv-liability-shift-is-coming-what-merchants-need-to-know/