
Tapomoy Koley, Sr Associate - Projects at Cognizant Technology Solutions

Yes it seems so.

* In the countries where EMV adoption is high, the CNP fraud percentage share is increasing.

* The countries where EMV adoption is low are having more POS and ATM fraud.

Check out the European central bank press release and report:

a) http://www.ecb.europa.eu/press/pr/date/2014/html/pr140225.en.html

b) http://www.ecb.europa.eu/pub/pdf/other/cardfraudreport201402en.pdf?e50b929264594aabb07bba92a0a26b3f


 

Alexandre Augusto, Incident Manager at Tata Consultancy Services 

Yes, I think so, but as for risk percentage and fraud, it depends on which country we are talking about. For example, in Brazil the levels of fraud are too high and, on the other hand, the security controls are also too high, along with a high level of EMV adoption.

 

Paul Watson, Payments Solutions and Financial Services Consultant

As Mr. Koley points out, EMV is certainly plugging a security hole. Is it THE answer? Obviously not, as CNP transaction volume continues to grow. But, just because it doesn't plug every hole, doesn't mean it shouldn't be implemented. It is a very big hole!

 

Christian McMahon, Product Manager at Merchant Link

I don't believe EMV is a security solution, it's more of a fraud prevention solution (two different ideas). I think EMV will work very well in retail and somewhat in restaurant, but not so well in Hospitality/lodging since there are so many card not present transactions (reservations, back office, web payments, etc.). Further, I am unsure how fast EMV will be adopted without government fiat. My hospitality customers are largely waiting to see how much it will cost, what behavioral changes Americans must buy into, and whether the fraud risk benefits outweigh their internal network support and hardware costs. I still think that EMV + other technologies (such as tokenization, encrypted devices, and single use cards) combined are truer security.


 

Tom Beck, Product Manager at TD Merchant Services

If other countries are any indication, the answer is yes. But as others indicate, there are no "final" answers to payment security. It will always be a moving target.


 

Michael Hopewell, Senior Consultant, PCI QSA, PA-QSA

If based on statistics, I think EMV is useful technology to reduce the rate of fraud. With regards to information security then this revolves around people, process and technology. Because of this, I would say that EMV is not "THE" solution to payment security as often there is a vulnerability due to people and process.


 

Abraham Motana, Software Development

If applied and utilized in earnest, it is secure; however, the process of acquiring a transaction is acted upon by people: from the developer on the card acquiring device, an operator at a merchant, people involved in key management, etc. At any of those stages processes could be compromised, and then your payment security falls flat. I think the true value can be measured by the secure payments vs. the fraudulent ones.


 

John Miglautsch, For 30 years, growing both sales and profits. Catalog and eCommerce companies are my sweet spot

Looking at adoption in other countries, fraud does move away from card-present situations. But eCommerce and Catalog companies should be working now to improve their encryption from end to end. Historically the fraud moves to internet attacks. Most of the merchants I talk with are not preparing for 2015.


 

Bill Poletti, Retired

As noted earlier, EMV does nothing to address fraud in the growing CNP channels. It only addresses the shrinking face2face transaction channels. Fraud WILL and IS migrating to CNP.

I recently read an article on the quiet development of quantum computing solutions. It does not seem very far off. Though this might seem a little off-topic, quantum computing will end encryption as we know it. That will render the estimated U$31 billion in infrastructure upgrades for EMV a total waste.

I might have a "glass half empty" view and attitude, but EMV has been sold as the complete security solution, which it clearly isn't. It will reduce fraud in a shrinking face2face acceptance market but meets no long term growth acceptance channels. It just gives a false sense of security to the average and sub-average cardholder.


 

Bill Poletti, Retired 

We will see more of this as EMV rolls out.

http://www.itproportal.com/2014/07/04/brazilian-hackers-steal-up-to-375b-in-what-could-be-the-biggest-electronic-theft-in-history/


 

Christian McMahon, Product Manager at Merchant Link

So I've heard that the thieves migrate to the lowest hanging fruit (i.e. from Europe, to Asia, to Canada and North America as each rolled out EMV), basically running to where EMV was not. I know they are not going to give up. They might focus more on card not present or will they double their efforts to try to crack the EMV magic. I've been trying to figure out what's the next "thing" after EMV? Obviously any technology will have to support mobile as its growth in the payments space is on a tremendous upward track. Thoughts?


 

Parama Raj, at Planet Payment Inc 

There is enough to be earned by fraud now from the earlier technologies. When the focus shifts to EMV, in my opinion there are sufficient opportunities in EMV to result in significant losses. Advances in electronics since the introduction of EMV will enable fraud to effectively compromise EMV and then create havoc. Implementations of CHIP and PIN might not be as secure as they appear to be. Take the example of the photo card: very quickly it was shown that the fraud reductions reported were skewed.


 

Enkelejda BALLIU (POPA), MSc. Banking Professional, Bank Card Management, Risk and Fraud Subject Matter Expert

Simple: no. EMV is the secure way for card-present transactions, always provided it is implemented correctly and combined with other measures for preventing and/or detecting fraud. Yes, it is true the thieves have migrated their activity to non-EMV countries. This is because a cloned EMV card will be used through magstripe in a non-EMV environment, which is a pure magstripe transaction as the chip will not be read (the cloned card will not have a chip, so it will be swiped or entered in an ATM). This is the traditional way for them to secure fast cash. The criminals today aim to steal big data through data breaches; this is the biggest fraud trend. They will try to use it mostly in non-EMV environments. So it is important for the industry to implement unified security measures globally, and implementing EMV in non-EMV countries now is a must. Cutting off the source of usage of the stolen data is, for me, crucial to preventing the data breaches. EMV helps a lot.


 

Bill Poletti, Retired

And even AFTER the US implements EMV, there is still a huge non-EMV environment that will be exploited in CNP. EMV is ONLY effective in card present and only for a limited time. When quantum computing is developed, EMV will no longer be an effective tool against fraud. The Brazilian fraud case is an example of what will happen because cardholders will become complacent. After all, EMV has been sold as the complete security solution for bankcard.

Parama - For 18 years, almost to the day, I have been pointing out that EMV is not the total solution. By 2000, it was obvious that the industry should not pursue EMV because of the booming e-commerce CNP growth. Retail face2face is shrinking by comparison. Now, EMV is being implemented globally and card fraud is starting to migrate to the path of least resistance. Everybody is pushing EMV, but ignoring CNP exploding fraud.


 

Gary Smythe, President and Co-founder at Catalyst Card Company

It seems to me that the decision has already been made and that EMV migration has begun. The discussions regarding whether or not we should pursue this technology in the US are moot. Let's all work together to make the transition as successful and secure as possible, and let's tackle CNP to improve the entire environment. In other words, let's move on.


 

Bill Poletti, Retired

Oh, the decision has been made. The marketers, consultants and vendors have sold it to the world. The lawyers will take over when it doesn't work as predicted.


 

Tom Beck, Product Manager at TD Merchant Services

But for CNP scenarios, there is no reason to think EMV provides much security. It is card verification schemes that add a bit of security in that case. Maybe the day will come when every computer will have a scanner and allow fingerprint ID (like the iPhone). That adds the security of cardholder identification, but again, it is certainly not 100% secure.


 

John Miglautsch, For 30 years, growing both sales and profits. Catalog and eCommerce companies are my sweet spot

Heartland sent me two white papers on their CNP and especially reducing PCI risk profile. They seem to be working hard on CNP.


 

Bill Poletti, Retired

Just dust off SET and modernize it a little. It would work until quantum computing destroys cryptography as we know it today.


 

Tom Beck, Product Manager at TD Merchant Services

SET will encrypt everything (on top of existing encryption), but other than having your own digital signature, I don't see this as anything but another encryption scheme. Still, it would not hurt. :-)


 

Bill Poletti, Retired

A FULL implementation of SET (3KP) would require the cardholder to use their own asymmetric key pair and digital certificate. To get that certificate, the cardholder has to apply for it using credentials and authentication information supplied by the issuer. Not perfect but better than only supplying CVC2 / CVV2 (which can be intercepted).

The merchant would not "see" the card number until after the authorization is complete, then only if the acquirer allows it. The critical information is encrypted by the cardholder in an OAEP envelope directly with the public key of the payment gateway. It's all there to secure CNP. What would be needed mostly is an upgrade of RSA key lengths to RSA 4096 at the ROOT CA and RSA 2048 for the rest of the keys. Would also be nice to integrate ECC with equivalent crypto strengths. (I have a bit of familiarity with SET.)

BTW, though SET was studied extensively, there has never been a successful attack, academically or otherwise, against the protocol or protection scheme.

But quantum computing could take down any scheme based on crypto.


 

Ira Chandler, CTO at Curbstone Corporation

@BillPoletti What's old is new again! SET was a great architecture. We need way more than EMV, obviously. Seems like my cards are constantly being replaced for CNP fraud. Have had two replaced in the last 4 months, Visa and Amex. We need a COMPREHENSIVE payments solution, and we are a decade away from that. I suspect the EMV will be delayed past the 10/2015 target anyway. As a Payment Service Provider who is PCI validated, we are always amazed at the level of ignorance and denial of the merchants for the PCI standards.


 

Ira Chandler, CTO at Curbstone Corporation

WE SEE THE IMMEDIATE SOLUTION to be educating the merchants, through their acquirers, as to the different SAQ flavors (A, B, C, D...) and forcing them to perform **effective** Self-Assessment Questionnaire completion/validation/submission. Only when a merchant actually works through an SAQ-D can they appreciate the vulnerabilities, the solutions, and the importance of real security in their systems. ONLY WHEN THE MERCHANTS become educated and fully implement the Industry Security Best Practices (PCI DSS) will we make a dent in the theft of cards and the resulting fraud.

No single acquirer we have worked with really has a pro-active education ability that they implement to get merchants more secure. The most they can do is insist on a quarterly scan. Big deal. Only when the acquirers take an active and effective role in forcing merchants to be DSS compliant will we see improvement.

No merchant we have engaged was ever aware of the Prioritized Implementation resources at PCI that help them get DSS compliant. This resource is excellent, and eases the overwhelming burden of compliance to a systematic, digestible process. But nobody is telling the merchants about it. We are NOT a consulting organization, but we spend huge blocks of time educating our licensees as to the requirements of PCI and the resources available. Why are the acquirers not doing this? They have the most to gain. Unless they are happy passing the costs of the fraud to the card-holders... If the acquirers had to pay for fraud out of THEIR pocket, we would have the most secure system in the World!


 

Christian McMahon, Product Manager at Merchant Link

 Both Target and Neiman Marcus were deemed to be PCI compliant at the breach event. In my view, PCI is the bare minimum for security. 3.0 is better, but still, quoting Stan from Office Space: "What do you think of a person who only does the bare minimum?"


 

Bill Poletti, Retired

@ Christian - At what point does PCI-DSS vendor compliance attestation break down and merchant due diligence create a distrust of that compliance attestation?


 

David True, Payments, Loyalty, and Mobile Advisor

I trust this is an ironic question. Is a >20 year-old technology, built before ecommerce to address questions, one of which (offline authorization) is irrelevant in the US, the answer to payment security? Of course not.... Is it even worth investing in for US merchants might be a better question.

And that the rest of the world is doing it doesn't, for better or worse, carry much weight in the US. Think metric system.

 

Bill Poletti, Retired

The issue in the states has always been the business case. Current estimates of U$31 billion to convert to EMV. How much will fraud be reduced by that investment? When one considers that a large percentage of card present fraud and card counterfeit fraud will migrate to other acceptance channels, the investment is a target for question.

The biggest issue I have is that EMV has been sold as the total card security solution. Careful analysis of authorization data and all acceptance channels would seem to indicate otherwise.


 

Christian McMahon, Product Manager at Merchant Link

@Bill. Agree totally.

 

David True, Payments, Loyalty, and Mobile Advisor

@Bill you need not be so circumspect; it is pretty damn clear that for many participants, the ROI would be better if spent on a solution that works for both card present and card not present transactions. Target's announcement of rapid EMV adoption is more PR, to repair their reputation, than anything else.


 

Tom Beck, Product Manager at TD Merchant Services

Bill, you clearly know more than me about SET. Thanks for the details.

 

Bill Poletti, Retired

Visa and MasterCard provided one person each to co-author SET. I was the one selected from MasterCard.


 

Uldis Berzins, Head of Business Development, Baltics at Oberthur Technologies

 EMV is the answer for face2face and CNP environments if card schemes make a logical move.

A cheap reader (a few euros or $) turns an EMV card into a one-time-code generator which can be used to approve CNP transactions. CAP (Chip Authentication Programme) specs are out there. Schemes should extend the CVC2/CVV2 infrastructure to handle 6 digit OTCs, so that the issuer can verify the OTP. That would make it possible to drop the 3D-Secure protocol.

Total migration to EMV/EMV OTC would largely make PCI DSS obsolete as there would be no value in stealing PAN data as transactions can not be made without keys on card.

Disposing of PCI-DSS would be a huge saving for everyone from merchant to issuer.

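The argument in the comment above, that a stolen PAN is worth little once every card-not-present payment needs a code only the chip can produce, as an added sketch that is not part of the thread and not the CAP algorithm. HMAC-SHA256 stands in for the card's cryptogram, and the amount binding, counter window, lockout threshold and all names are assumptions.

```python
import hashlib
import hmac
import struct

OTC_DIGITS = 6      # code length proposed in the comment above
WINDOW = 5          # assumed: how many counter values the issuer looks ahead
MAX_FAILURES = 3    # assumed: wrong codes tolerated before the card is locked


def one_time_code(card_key: bytes, atc: int, amount_cents: int) -> str:
    """Card/reader side: 6-digit code bound to the counter and the amount."""
    msg = struct.pack(">IQ", atc, amount_cents)
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**OTC_DIGITS).zfill(OTC_DIGITS)


class Issuer:
    """Issuer side: per card, the key, last accepted counter and failure count."""

    def __init__(self):
        self.cards = {}

    def enroll(self, pan: str, card_key: bytes) -> None:
        self.cards[pan] = {"key": card_key, "last_atc": 0, "failures": 0}

    def authorize(self, pan: str, code: str, amount_cents: int) -> str:
        card = self.cards.get(pan)
        if card is None:
            return "DECLINE"
        if card["failures"] >= MAX_FAILURES:
            return "LOCKED"
        well_formed = len(code) == OTC_DIGITS and code.isascii() and code.isdigit()
        # Only counters above the last accepted one are tried, so a code that
        # was already used (or skipped over) can never match again.
        start = card["last_atc"] + 1
        for atc in range(start, start + WINDOW):
            expected = one_time_code(card["key"], atc, amount_cents)
            if well_formed and hmac.compare_digest(expected, code):
                card["last_atc"] = atc
                card["failures"] = 0
                return "APPROVE"
        # A 6-digit code is guessable by brute force, so failures are counted.
        card["failures"] += 1
        return "DECLINE"


def demo() -> dict:
    pan = "4000000000000002"                                  # constructed PAN
    key = hashlib.sha256(b"constructed demo card key").digest()
    issuer = Issuer()
    issuer.enroll(pan, key)
    out = {}
    code = one_time_code(key, 1, 2599)
    out["genuine"] = issuer.authorize(pan, code, 2599)
    out["replayed"] = issuer.authorize(pan, code, 2599)       # intercepted code reused
    out["amount_altered"] = issuer.authorize(
        pan, one_time_code(key, 2, 2599), 999900)             # code moved to another amount
    out["skipped_counter"] = issuer.authorize(
        pan, one_time_code(key, 4, 500), 500)                 # cardholder discarded codes 2 and 3
    # Someone holding only the stolen PAN has no key and can only guess.
    out["pan_only"] = [issuer.authorize(pan, guess, 500)
                       for guess in ("000000", "123456", "654321", "111111")]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The lockout trades fraud resistance for availability: anyone who knows the PAN can lock the card by submitting wrong codes, so a real issuer would pair it with an unlock path.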

 

Bill Poletti, Retired

A few dollars each in the US card environment can be many billions of dollars. Pretty much everyone in the US participates in e-commerce and has several cards against which they charge e-commerce purchases. Anything more expensive than free will not be accepted, particularly by consumers.

It is doubtful that the US card infrastructure will spend more over the already U$31 billion mark for EMV deployment. After all, basic EMV has been sold as THE COMPLETE SOLUTION for bankcard security.

Consider the massive loss of that entire investment when quantum computing becomes a reality. And it's not that far away if it isn't already working.

How will all the lawyers react when EMV cards start to get compromised via e-commerce?

 

Randy Smith, Founder and Chief Editor Mobile Wallet Media, Founder and CEO MobilePayUSA, a TechCrunch Disrupt Award Winner 

EMV is an answer, but is far from being the best answer. EMV does not solve CNP fraud. The answer lies in a technology I originated some 10-15 years back. Just this year OnDot Systems and TSYS announced mobile card-lock tech. Read my latest two articles on this very subject at MobileWalletMedia.com: 1) http://www.mobilewalletmedia.com/OnDots_Remote_Control_Card_App_May_Kill_Need_for_EMV_Transform_Security-140506.html and 2) http://www.mobilewalletmedia.com/The_Card_Fraud_Solutions_War_Has_Begun_Could_Lock_and_Key_Derail_EMV_140521.html.

But this is just the tip of the iceberg. I welcome providing my solutions to a single industry top player for compensation. Either that or I will be writing about them soon and sharing with the whole industry. If you want to lead and possibly avoid leakage of your innovation being exposed earlier than you would like, contact me soon to talk business.

 

Bo Lin, Service Leader & Principal Engineer, Transaction Security division, UL

@Bill re "... It would work until quantum computing destroys cryptography as we know it today."

Does the above apply to post-quantum cryptography, such as the newly proposed "Supersingular Elliptic Curve Isogeny Cryptography", the not too old NTRU, and the very old (1978) McEliece? Never mind the 10 and 15 year range of the possible feasibility of quantum computing.

- my personal opinion -

 

Bill Poletti, Retired

@ Bo Lin - I have not investigated post-quantum cryptography. I have read and heard that we might not have to wait 10 - 15 years before quantum computing is feasible. I did a quick lookup and have found some interesting reading.

 

Simoun Ung, Technopreneur

EMV is not the answer to Payment Security. It helps prevent fraud in a card-present environment but doesn't eliminate fraud in a card-present environment. I have yet to see a case made for EMV helping to mitigate fraud or enhancing security in a card-not-present environment, which is where the growth in processing volumes seems to be headed with e-commerce and m-commerce.


 

Chris Wilson, GAICD, Head of Information Security & Governance at Indue Limited

There is no one answer. Preventing fraud will always involve multiple controls. EMV is one control, but it won't succeed by itself. It's been successful in Europe, Canada and Australia in reducing counterfeit cards and skimming.  As others have pointed out, it won't do much to prevent CNP, other than the knock on effect from limiting card skimming (but that may be substantial).

The real question should be: what is the pay-off from an investment in EMV for latecomer countries such as the US. Cards will be around for a long time. Online transactions are still only 6% of total retail transactions. I suggest that implementing EMV with secure POS terminals will still reduce fraud significantly in the US (and wherever US tourists go).

Making PINs compulsory will also help significantly.

Meanwhile new payment methods have their own risks and will require new controls to prevent fraud. How will Host Card Emulation affect fraud rates? At first sight it looks like a big problem, but if implemented properly it could reduce the frequency and value of CNP. Time will tell!


 

Rob Nathan, Chief Technology Officer at CardConnect

EMV is definitely not THE Answer. Here is a white paper we recently released that might shed some additional light:

http://www.cardconnect.com/wp-content/uploads/Payment_Security_White_Paper.pdf

 

Armando Rivas, Gerente de Administracion Desarrollo al Cliente Externo

Speaking of NO definitive solution, but it is a big step to control fraud. In my country the use of EMV reduced fraud on credit and debit cards almost to zero. Now, in these last years, non-face-to-face card fraud has increased (as in many countries). In my opinion, in this case of non-face-to-face card fraud, EDUCATING users plays a very important role. Customers should know that it is high risk to place their data on unsafe websites, and also to answer EMAILS requesting their account data. This subject is much discussed; we could spend days talking about it. Bottom line: it is NOT a definitive solution, but it is a breakthrough, and I think the figures so indicate. Best regards.

Armando Rivas

 

Douglas Braun, President & CEO at Internet Payment Exchange, Inc. and Owner, Internet Payment Exchange, Inc.

EMV is a valuable tool for verifying card credentials. It does NOT, however, address the breach problems that have received so much press lately, such as, the Target breach. A multi-tier approach using EMV and card cloaking at the device level is a more responsible solution. Card cloaking frequently includes card fingerprinting (i.e. magnetic stripe clone detection) that can mitigate some of the risks EMV was designed to handle. Here's another White Paper explaining the issues and benefits of a multi-tier approach.

http://info.ipayx.com/overcoming-card-security-threats


 

Adrian Hope-Bailie, Product Development Manager at Stanchion Payment Solutions

EMV is required to patch up a broken system. EMV is ancient tech and so are cards. Instead of investing billions in EMV the US should be pushing for real-time push payments initiated by the payer via their financial institution of choice.

All you need to make a push payment is a phone with an internet connection and your FI's app (or wallet provider for the more savvy). Almost zero additional investment required by the merchants or acquiring institutions.

Problem is VISA and MasterCard have a lot invested in cards and card tech so I imagine they won't go lying down if the US Fed suddenly moved for push payments or even just real-time consumer ACH as a first step. I have been trying to standardise this idea at http://openpayee.org and would appreciate feedback

 

Probir Sengupta, Product Manager at Opus Software Solutions 

Everyone knows that EMV will not resolve CNP fraud. But, it WILL reduce card present. People living in the USA should look at the rest of the world to ascertain the positive impact of EMV. So, we must use EMV, 3-D Secure, OWASP compliant e-commerce systems, PCI DSS, etc. Each one will help in its own way.

 

Bill Poletti, Retired 

Solutions need to be invisible to the consumer. They will know to plug their card into a reader at the point of sale. Anything related to e-commerce must operate securely in the background. It's one of the reasons Amazon is so successful and PayPal is popular and other solutions have not been widely accepted.

 

Probir Sengupta, Product Manager at Opus Software Solutions

Mr. Uldis Berzins should not be dismissive of PCI DSS. The hundreds of controls of PCI DSS encompass all manner of threats and risks to cardholders - not just restricted to PAN numbers in transit
