Following some high-profile data breaches in 2014, US payment card network participants began heavily endorsing Europay, MasterCard and Visa (EMV) chip cards as an important way to prevent damage from payment card breaches.
However, criminals have taken advantage of poor implementations of EMV chip payment applications, committing extensive fraud that defeats EMV controls for everyone in the payment card ecosystem.

In her research note “Avoid Pitfalls with Payment Card Security Technologies and PCI,” Avivah Litan, vice-president and distinguished analyst at Gartner, points out some of the hidden problems with payment card security technologies and the payment card industry. By year-end 2015, at least 5 per cent of card issuers will suffer fraud on EMV cards due to improper implementations, up from a handful today.

In her blog post, Litan shared some of the findings from her report:

“EMV chip cards, already adopted in the rest of the world, have proven to dramatically reduce counterfeit card fraud because they are significantly harder to clone than magnetic stripe (magstripe) cards, which are still used throughout the US. Nevertheless, the adoption of EMV is relatively slow and as a result, payment card network participants must prepare for at least five more years of support for EMV chip as well as magstripe protocols on a single payment card.

“Card data breaches have pushed US banks, card networks, mega-retailers and other payment card acceptors into more aggressively adopting two further key security technologies in addition to EMV cards – tokenisation and point-to-point encryption (P2PE).

“Although these three security technologies have been around for years, interest in them soared after the breaches, and many enterprises have developed much more aggressive implementation timetables than they would have otherwise. However, in the march to roll out these enhanced security systems, some vulnerabilities and conflicts have surfaced. This calls out the need for all players in the payment ecosystem to work together on open security standards, streamlined certification processes and shared education on best implementation practices.

“EMV tokens, as first implemented by Apple Pay and the payment card networks, are based on different protocols than the tokenisation systems merchants use to limit the scope of PCI audits, leading to potentially conflicting token implementations. Merchants who use their own tokenisation system, and also accept Apple Pay or other EMV token payments, will end up with multiple tokens for one card number, defeating a major reason why many merchants adopted tokenisation in the first place.

“As far as P2PE is concerned, P2PE can usually be turned on within three months if the solution uses remote key injection and management. Physically injecting keys into each card reader in a ‘safe room’ under its own ‘lock and key’ obviously takes much longer. Once deployed, P2PE can help protect all card transactions against data breaches. Retailers we regularly speak with say they will turn on EMV acceptance ‘later’. They rightfully view EMV as mainly helping the card brands and issuers, although when EMV becomes ubiquitous it will help everyone.”