11 FAQs on EMV Chip & Pin Cards

Independent Fraud and Risk Specialist

In this article you will find detailed answers to the following questions.

What is EMV?
Does EMV work – Is it proven?
Why has the US become one of the last markets to adopt EMV?
What are the main reasons that have held us back in the USA?
What other reasons have been cited for not implementing EMV?
How will EMV stop frauds associated with the big data compromises like Home Depot?
What happened on October 1st 2015?
Why is all of this happening at the last minute and so quickly?
What are the issues around Signature vs. PIN?
I have Signature, but I have to use my PIN abroad – What do I do?
Why is the USA moving towards a less secure Signature as an authentication of a customer rather than PIN?

FAQs – Frequently Asked Questions – About EMV and the US market.

This is an FAQ for the emerging USA market, which is today moving towards EMV. In the USA, EMV is now starting to happen quickly in order to catch up with the rest of the world, where EMV has been implemented over the last 15 years.

What is EMV?

EMV is the standard that was created about 15 years ago to increase the security of payments globally and reduce fraud, while at the same time making payments easier for all parties. It was originally conceived by Europay, MasterCard and Visa – hence the name. It was a US company initiative, but was adopted much faster around the rest of the world for a number of reasons.

Does EMV work – Is it proven?

Yes.

It is used almost globally now. The USA market may be a large market in itself, but it is now just a small final part of the global solution left to implement EMV. Overall, EMV has reduced fraud where cards are present at the point of sale to almost $0 and created a safe card processing architecture for all parties. There have been many misreported problems, often stemming from articles written 20 years ago, but all the pre-EMV doom-mongering has proven unfounded. EMV has been a global success.

Sadly, the US market is where the fraudsters have moved their operations to – i.e. away from the markets that have implemented EMV – where EMV based OTC fraud has reduced to almost $0. The compromised cards from, say, the Target and Home Depot data thefts have been little more than useless in EMV environments.


Why has the US become one of the last markets to adopt EMV?

The easy answer is to say: ‘we do not know’. 

The more complex answer is that there was a series of technical, strategic, legal (Dodd-Frank / Durbin) and operational issues that delayed implementation of EMV. There were also many less relevant reasons that were cited for non-adoption of EMV over the years.


What are the main reasons that have held us back in the USA?

The reasons are many, but fall into the following broad categories:
  • The US does not have a national payments ‘card strategy’ direction body. In the rest of the world, implementations have been either directed by a government or national body or have been supported by a strong collection of interested parties who have created the business cases, statistics, and losses for the problem. Similar bodies have driven forward the solutions and project-managed the communications and change management.
  • Many interest groups have examined their own costs of implementing an EMV solution in isolation from the industry as a whole – and based upon assumptions that benefits would not be realised or passed on. The average interchange costs from the schemes for ‘secure transactions’ – which are defined as EMV transactions in an OTC environment – are lower than those for non-secure transactions, and this forms a large part of the financial benefits differential for an EMV implementation.
  • Without a strong ‘national’ lobby group, retailer groups in the US have not been able to so readily ‘demand’ softer benefits for an EMV programme such as making the customer journey easier, cheaper, and quicker at the till. Retailer groups have assumed that the costs would fall to them, without benefits.
  • The payments market is fragmented with so many different parties with their own P&Ls and interests – e.g. card schemes, Issuer banks, Acquirer banks, processors, technology providers and merchants. Some of these groups are stronger and bigger than others, and the best decisions for ALL parties may not have been made.

What other reasons have been cited for not implementing EMV?

There are many of these, so it is hard to know where they start and finish, but the main ones seem to be:

The cost of card upgrades is perceived as high – whereas costs have fallen exponentially over the last 15 years, and we still see people who quote costs associated with the 1990s. CHIPs on cards or on SIM cards are now a cheap commodity.

The cost for merchants is perceived to be too high: a perception that is unfounded. Most merchants upgrade their POS equipment regularly and in doing so, the wise ones will implement CHIP readers. This technology is relatively cheap and technically much more robust than magnetic stripe readers. In other markets, large retailer groups have demanded PIN implementations because this removes the need to take and store signatures, and puts the card and customer ‘checking’ / security process back into the hands of the card issuers rather than making it part of the duties of a till operator. Experienced PIN users find the ‘signature processes’ both slow and cumbersome. Retailers like PIN because the throughput of customers is faster and documentation storage, production and retrieval are removed.

There are legal reasons that prevent adoption in the US. The main reasons seem to be associated with a need for payers to be allowed to select payment methods at the point of sale (often associated with the Durbin Act). EMV standards were amended many years ago to permit such choices at the point of sale in order to accommodate needs for such flexibility within other countries in the world.

EMV is only for off-line transactions – A belief persists that EMV is either only for off-line transactions, or mainly for off-line transactions. EMV has security, handshakes and flexibility for all parties in many ways, and it allows for cards to be used in off-line environments securely and safely too, but ONLY if defined by the card issuer as a requirement. Many issuers will not require such functionality, as the world is moving fast to become fully ‘on-line’. Where customers travel to countries (or indeed regions in the US or EU) without ‘on-line’ capability, i.e. where they need to deal with merchants which are away from a telecoms infrastructure, it can be useful for banks to allow customers to spend in such locations that may be off-line. Scheme rules are however continuously changing, and telecoms are becoming much better than they were 10 years ago.

The USA infrastructure is too complex to change: often accentuated by the woes of the numbers of suppliers, gateways and issuers/acquirers within the market. This may well be perceived to be the case, but we also have to bear in mind that the experience globally is of far greater complexity, and that times change as solutions and markets evolve. We must also remember that we moved (globally) from zip-zap machines (knuckle-busters) to magnetic stripe processing, and exactly the same arguments were used then.

NFC is not supported in EMV – this is very incorrect. The EMV standard provides ‘the rails’ upon which NFC runs – and removes the insecure NFC that is based around ‘open’ unencrypted magnetic-stripe ‘Tap and Go’ cards that were issued a few years ago in the US. There has been long-running, re-hashed investigative TV reporting on card details being stolen via NFC readers, which is just not possible in an EMV environment. Of late, we have also seen reports that EMV is vulnerable because of NFC – which again is incorrect and confusing.

There are better solutions – if we wait. This is true – there are always better solutions tomorrow, for any market and any solution. However, in payments there is nothing proposed or planned that will work – nor anything that is being designed by any significant body anywhere. The EMV standard was designed 2 decades ago by US companies, agreed to by most of the global card schemes and has been implemented as the global standard almost everywhere. It has also become the global standard and platform for building upon, with amendments adopted to accommodate things such as PCI DSS, greater levels of security, NFC and multiple transaction routings. Apple Pay and Android Pay are technologies that are evolving fast, but they adopt the security that forms part of the EMV standards – rather than replacing them or evolving them.

Delays are inevitable now that retailers need to accept Apple Pay and Google Pay / Android Pay: No. The EMV architecture can be used for these payment types with no need for further POS terminal changes. The EMV infrastructure is all that is needed, and it is what these payment methods were designed around.

Restaurants cannot accept tipping with EMV: Another urban myth, but one that is still quoted widely.

We would be happy to add other interesting entries to this list if you provide them to us. We know of many others, but those provided above are the main ones that have substance and traction, and where we can see where some of the confusion or misunderstanding might have come from.


How will EMV stop frauds associated with the big data compromises like Home Depot?

Generally, with the data hacks / compromises that seem to be common news these days, card details are captured from the records kept at the retailers and these are then used by the fraudsters to create fake cards or are used on the internet. Fraudsters can purchase a magnetic stripe card encoder for less than $10 and go into business making magnetic stripe cards with stolen details. So the card numbers have great re-sell value on the ‘Dark Market’.

Card details can also be collected from an EMV card, and whilst these cannot be used to re-programme another EMV card, they CAN be encoded onto the magnetic stripe of a counterfeit card. In this case the card issuer will know that this has been done and stop any fraud. If the merchant’s terminal has a chip reader the card will not communicate correctly, and if it is a magnetic stripe card the correct magnetic stripe security details will not be present, as these are not available on the EMV chip. Fraudsters can try to re-programme an EMV card chip, but this is a lot harder and has not successfully been done. Even if it were possible to re-programme an EMV chip card, there are much easier ways to commit card fraud.

So, whilst the EMV Chip will not stop data compromises, the stolen data becomes very much harder to use and almost not worth stealing. Indeed today, whenever data is stolen from anywhere in the world, the fraudsters will sell the data for use in non-EMV environments – which is why the US has the largest fraud losses globally.


What happened on October 1st 2015?

The Counterfeit Liability Shift for the US market began on this date. From this date, card issuers around the world with EMV Chip cards can recover money from counterfeit transactions in the US (and anywhere else) where their card details have been placed on a counterfeit card and where the transaction is undertaken with a magnetic stripe (usually because the details have been stolen or compromised as in Q5 above). Accordingly, the losses go to the merchants / acquirers who do not have EMV Chip processing in place.
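The issuer-side check and the liability rule from the two answers above can be sketched as follows. This is an added example, not code from the article: it assumes the usual magnetic stripe convention (ISO/IEC 7813) that a service code starting with 2 or 6 marks a card that carries a chip, which the article does not name, and the `entry_mode` labels, the `terminal_chip_capable` flag and the simplified `liability` field are hypothetical names chosen for illustration.

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): [;] PAN '=' YYMM service-code discretionary [?]
TRACK2 = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\??$")
CHIP_FIRST_DIGITS = {"2", "6"}  # service code 2xx / 6xx: the card carries a chip

@dataclass
class Verdict:
    chip_card: bool   # stripe data says the genuine card has a chip
    flag: str         # hypothetical label for the issuer's risk engine
    liability: str    # simplified: who bears a counterfeit loss

def assess(track2: str, entry_mode: str, terminal_chip_capable: bool) -> Verdict:
    """entry_mode is 'chip' or 'magstripe' (assumed labels, not ISO 8583 codes)."""
    m = TRACK2.match(track2.strip())
    if m is None:
        raise ValueError("not Track 2 data")
    if entry_mode not in ("chip", "magstripe"):
        raise ValueError("unknown entry mode")
    chip_card = m["svc"][0] in CHIP_FIRST_DIGITS
    if entry_mode == "chip":
        # A chip read of a card whose stripe data says "no chip" is inconsistent.
        return Verdict(chip_card, "ok" if chip_card else "review: inconsistent", "issuer")
    if not chip_card:
        return Verdict(False, "ok", "issuer")  # stripe-only card, no shift
    if terminal_chip_capable:
        # The chip should have been read; a swipe here is what a stripe clone looks like.
        return Verdict(True, "review: chip card swiped at chip terminal", "issuer")
    # Chip card, stripe-only terminal: the case the liability shift moves.
    return Verdict(True, "review: chip card swiped", "merchant/acquirer")

# Constructed sample data (well-known test PAN, made-up expiry and discretionary data).
CHIP_CARD = ";4111111111111111=25122010000000000?"
STRIPE_CARD = ";4111111111111111=25121010000000000?"

if __name__ == "__main__":
    for t2, mode, cap in [(CHIP_CARD, "magstripe", False),
                          (CHIP_CARD, "magstripe", True),
                          (STRIPE_CARD, "magstripe", False),
                          (CHIP_CARD, "chip", True)]:
        print(mode, cap, assess(t2, mode, cap))
```
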

Why is all of this happening at the last minute and so quickly?

Fundamentally, this is NOT ‘last minute’ at all: plans for EMV have been in place for more than a decade.

President Barack Obama signed an Executive Order requiring all government departments to be EMV implemented/secure, to lead the way.


What are the issues around Signature vs. PIN?

Simply, Visa requires Signature under its Chip and Choice program and MasterCard prefers PIN.

Why is the USA moving towards a less secure Signature as an authentication of a customer rather than PIN?

We do not have a clue! Maybe the FBI can explain it to you. Maybe not – it will all depend on the time of day when you ask.


I have Signature, but I have to use my PIN abroad – What do I do?

If your Card Issuer has set up your card for overseas use, then it will work with Signature in the US and PIN overseas. If not, a merchant may accept Signature overseas, so it will still work!

Author of the post: Bill Trueman is an independent fraud, payments and risk specialist helping business and bank owners manage risk and fraud and save millions quickly. He is director of RiskSkill and UKFraud, and also an active member of AIRFA. He provides risk management and fraud prevention services covering bank fraud, credit card fraud, MasterCard fraud, insurance fraud, corporate fraud and business fraud in Europe and the world.