I came across a pretty interesting article today. It is called – What’s Holding Back Retailers from Adopting Chip and PIN in the US? While it largely follows the advice and direction that I provide to merchants on a weekly basis, I do take exception to one point. Not really a point of the author’s, but a point nonetheless. We will get to the exception in just a minute. First, I will summarize the article in a Twitter-style post:
#EMV Reduces Fraud. Implementation is not cheap. Retailers get #NFC with an EMV implementation. NFC is Cool.
106 characters if you are counting.
Now to the exception. The author quotes Jamie Henry from Wal-Mart as saying that end to end encryption and tokenization is a “Band-Aid” solution. My 3 year old son loves Band-Aids. He is wearing a particularly cool Batman Band-Aid today to cover up one of his boo-boos. By definition, Band-Aids have a limited useful life and almost always end up floating in the neighborhood pool. At least that is my experience.
So will end-to-end encryption and tokenization end up floating in the neighborhood pool? I think not. First, EMV is much better than the static-data-based magnetic stripe technology that we have today, but EMV is simply not the be-all and end-all of payment data security. As is pointed out in a great white paper provided by First Data, EMV is not a data security technology: it does not protect card data as it is presented and transmitted through payment systems today, and it does nothing for card-not-present transactions.
Let’s jump into those points real quick. In a typical EMV transaction, a static PAN is presented along with a dynamic value that the chip computes fresh for each transaction (the application cryptogram, or ARQC, often described loosely as a dynamic CVV). That cryptogram is computed with a key that only the chip and the issuer hold, over data that changes every time (the card’s transaction counter, the amount, and a random number supplied by the terminal), and it is validated by the issuer host on every transaction. A valid cryptogram proves that a genuine, non-cloned card was present for that specific transaction; a captured one cannot be replayed or altered. As you can see, this dynamic data only helps when an EMV reader is available for the transaction (i.e. card-present retail transactions).
So here are some questions: Does that static PAN have value? Can it be used for fraudulent transactions? Further, would a retailer happily post EMV transaction data on the Internet for anyone to pick up and use? To answer in order: yes, a static PAN has value. Fraudsters are clever and can generate mag stripe data out of the EMV card data that is available in those transactions (the chip’s Track 2 equivalent data carries the PAN and expiry date), and hence it can be used either for card-present fraud in non-EMV environments or for card-not-present fraud. One caveat a practitioner should know: a properly issued chip carries a different verification value (the iCVV) than the physical stripe (CVV1), so a stripe cloned from chip data should be declined by an issuer that actually checks that value; not every issuer does, and the check does nothing for card-not-present use of the PAN. To the last question: it would be absolutely insane to post a file of EMV transaction data on the Internet.
I will not go into the insanity of posting an EMV transaction file on the Internet, but one must ask what the likelihood is that your particular merchant environment will be breached, thereby effectively posting your transaction file on the Internet. I am not going to name names, but some of the largest firms in payments and security have been breached. While some merchants absolutely have better security in place than some of the largest acquirers and security firms, I would bet that the majority of merchants don’t spend as much time on security as these breached companies did and do.
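To make the two points above concrete, here is an added toy model (my own example code, not from the article, the First Data white paper, or any payment vendor) of an issuer host validating an EMV-style transaction. The cryptogram is stood in for by an HMAC keyed with a per-card secret; real chips derive a session key from a card master key inside secure hardware, and the PAN, key, amounts and unpredictable number below are all constructed for the example. It shows that a captured request cannot be replayed or tampered with, that the cleartext PAN inside the same request still authorizes a card-not-present purchase, and that a merchant record holding a token instead of the PAN yields nothing usable when breached.

```python
"""Toy EMV-style authorization: dynamic cryptogram vs. static PAN vs. token."""
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, pan: str, amount: int, atc: int, un: str) -> str:
    # Stand-in for the EMV ARQC: a MAC over the transaction data under a
    # per-card secret shared only by the chip and the issuer. HMAC-SHA256 is
    # an assumption made so the example runs without an HSM or real card keys.
    msg = f"{pan}|{amount}|{atc}|{un}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """Chip side: holds the secret key and a monotonically increasing ATC."""

    def __init__(self, pan: str, key: bytes) -> None:
        self.pan, self.key, self.atc = pan, key, 0

    def build_request(self, amount: int, un: str) -> dict:
        # `un` is the terminal's unpredictable number for this transaction.
        self.atc += 1
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "un": un,
                "cryptogram": cryptogram(self.key, self.pan, amount, self.atc, un)}


class IssuerHost:
    """Issuer side: knows every enrolled card's key and last seen ATC."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.last_atc: dict[str, int] = {}

    def enroll(self, card: ChipCard) -> None:
        self.keys[card.pan] = card.key

    def authorize_card_present(self, req: dict) -> str:
        key = self.keys.get(req["pan"])
        if key is None:
            return "declined: unknown PAN"
        expected = cryptogram(key, req["pan"], req["amount"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "declined: cryptogram mismatch"   # altered data or no key
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return "declined: ATC replay"           # same request seen before
        self.last_atc[req["pan"]] = req["atc"]
        return "approved"

    def authorize_card_not_present(self, pan: str, amount: int) -> str:
        # No chip, no cryptogram: the issuer can only check that the PAN exists.
        return "approved" if pan in self.keys else "declined: unknown PAN"


class TokenVault:
    """Token service provider: the only place that maps tokens back to PANs."""

    def __init__(self) -> None:
        self.token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self.token_to_pan[token] = pan
        return token


def merchant_record(req: dict, vault: TokenVault) -> dict:
    """What a tokenizing merchant stores: the request with the PAN swapped out."""
    return dict(req, pan=vault.tokenize(req["pan"]))


def demo() -> dict:
    card = ChipCard("4111111111111111", secrets.token_bytes(16))  # constructed
    issuer = IssuerHost()
    issuer.enroll(card)
    req = card.build_request(2500, secrets.token_hex(4))
    results = {"genuine": issuer.authorize_card_present(req)}
    # An attacker now holds `req`: the "transaction file posted on the Internet".
    results["replay"] = issuer.authorize_card_present(dict(req))
    results["tampered"] = issuer.authorize_card_present(dict(req, amount=99900))
    results["cnp_stolen_pan"] = issuer.authorize_card_not_present(req["pan"], 99900)
    # Same breach against a tokenized merchant record: the token is not a PAN.
    stored = merchant_record(req, TokenVault())
    results["cnp_stolen_token"] = issuer.authorize_card_not_present(stored["pan"], 99900)
    return results


if __name__ == "__main__":
    for outcome, result in demo().items():
        print(f"{outcome:18} {result}")
```

The replay and tampering attempts fail on the dynamic data, exactly as EMV intends; the card-not-present attempt with the same captured PAN succeeds, which is the gap the author of the quoted remark is calling a Band-Aid. The tokenized record closes that gap for the merchant’s own data store, and end-to-end encryption does the same for data in transit; neither replaces the cryptogram, they sit beside it.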
So what is the point? Here is the point – EMV helps to address counterfeit card fraud. Full stop. End-to-end encryption and tokenization are not Band-Aid technologies; rather, they are key features of a layered approach to security.
Unfortunately that is 189 characters and thus too long for Twitter.