What Is EMV (aka Chip and PIN)?
When you see the words “chip technology”, they’re talking about credit and debit cards with an embedded microchip that contains unique cardholder information, including the cardholder’s name, card number and expiration date. Instead of swiping your magnetic stripe card and signing to authenticate, the new point-of-sale (POS) machines will read the chip on the card and then ask the cardholder to enter a PIN code to authenticate. Replicating the chip itself is far more difficult than replicating traditional magnetic stripe data, making card duplication much harder.
Although clearly more secure than magnetic stripe data, EMV has already been hacked using a man-in-the-middle attack effectively bypassing the stringent PIN requirement for authentication. A 2010 paper by Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated a serious flaw in EMV security that would allow cybercriminals to disable the PIN checking on a stolen card. Murdoch and Drimer used a simple electronic circuit connecting a stolen card to a fake card that always approved PIN authentication. Bank security systems would then approve the transactions regardless of the PIN entered. The researchers noted that the technology and skill required for this hack was not high.
The United States is one of the few remaining major markets that still use a signature system for payments. As a result, most US cards are difficult to use overseas where EMV is well established.
Major credit card issuers including Discover, MasterCard and Visa have set an October 2015 deadline to implement EMV in the US. This consortium of issuers has already missed an earlier 2013 deadline, so the industry might well miss the 2015 deadline as well. After the 2015 deadline, US retailers without EMV terminals will be held liable for the entirety of any card-present fraud losses, unlike now where the card issuer takes the loss.
However, because of the large cost of retooling hundreds of millions of POS terminals, the US implementation of EMV will likely allow signatures for authentication, forgoing the need to enter in a PIN code. This lesser security will naturally allow less fraud protection than that seen in Europe. Some issuers are already beginning to shift to EMV technology in advance of the 2015 deadline, including American Express, Discover, Japan Credit Bureau, MasterCard and Visa.
Update: The New York Times reports that Sam's Club is expected to announce on June 4th that it will be implementing a switch to EMV cards, becoming the first major US retailer to implement a switch to EMV.
That leaves a lot of questions, addressed in other parts of this series.
To learn more about EMV and its impact on U.S. cardholders moving forward, download a copy of our latest whitepaper: