It's too late to rely heavily on EMV as a means to stop card fraud.
But I was reminded last week of just how long we've been talking about shifting to chip cards, and why it's doubtful anything involving a revamping of our payments system in the U.S. will be swift (see Chip and PIN Not a Cure-All).
Almost 10 years ago, I wrote an article titled: "EMV: When Will It Hit the United States?" I was writing for a different publication at the time - BankInfoSecurity was not even around back then.
In the piece, I quoted Randy Vanderhoof, executive director of the Smart Card Alliance, who now also serves as director of the EMV Migration Forum. Last week, Vanderhoof ran across the article link and sent it to me.
In the June 10, 2005, article, I noted that the U.S. lagged the rest of the world in its migration to chip cards that conform to EMV, the Europay, MasterCard, Visa standard. I even quoted one expert who at the time said he expected Visa and MasterCard would mandate that U.S. card issuers and retailers migrate to EMV within the next five years, "after the rest of the world is ready to roll."
But another expert quoted in the piece said he was skeptical. "EMV in the U.S. has not gotten out of the starting box," he said. "[Before EMV] we noticed fraudsters getting wise in the U.K., and we're seeing some of this moving into the U.S."
Then and Now
I could easily post the same article today and no one would be the wiser. As an industry, we're still facing the same infrastructure and acceptance issues.
One thing that has changed since 2005, however, is the way attackers compromise our card data. A decade ago, fraudsters compromised cards primarily via skimming - attacks that EMV chip technology helps prevent.
Today, hackers are not just attacking the physical point-of-sale; they are attacking the network. And they're getting in through a number of ways - Target being a case in point.
In the Target attack, the retailer's POS network is believed to have been breached because of the compromise of a refrigeration vendor (see Target Vendor Acknowledges Breach).
Experts, including Curt Wilson, a senior research analyst at online security firm Arbor Networks, point out that POS malware has evolved over the last five years, with so-called "lateral" attacks against third-party vendors becoming increasingly common (see Why More Retailer Breaches on the Way). As was the case with Target, credentials used by third parties, such as vendors and service providers, are compromised and used by hackers to infiltrate retail POS systems, he says.
"Arbor is aware of other hostile activity directed toward the POS infrastructure, and our awareness of this, plus the volume of POS malware, indicates that this serious problem continues, with attackers most likely emboldened by the success of large-scale compromise and theft of card data," Wilson adds.
Troy Leach, lead security standards architect for the Payment Card Industry Data Security Standards Council, stressed in his March 5 Congressional testimony that a migration to EMV will help prevent card-counterfeiting, but it won't eliminate all card security risks. The use of chip cards would not have prevented card data from being exposed in attacks that compromised Target and Neiman Marcus, he said.
"Protection from malware-based attacks requires more than just EMV chip technology," Leach noted in his written testimony. "EMV chip technology could not have prevented the unauthorized access, introduction of malware and subsequent exfiltration of cardholder data" (see Target Hearings: EMV Not Enough).
Other experts have warned that one of the greatest concerns is that new strains of malware used to infiltrate networks are not easily detected. What are commonly referred to as "low-and-slow" attacks, such as the attack that in October 2012 compromised Houston-based liquor store chain Spec's, will continue, even with EMV.
So what's next?
Well, Visa is pushing for a migration to EMV, but the move is not being mandated. Instead, card issuers and retailers will face shifting liability for card fraud that occurs on legacy magnetic-stripe cards after fall 2015.
But Visa also understands EMV is not a cure-all.
During her keynote presentation at Information Security Media Group's Fraud Summit San Francisco, Ellen Richey, chief legal officer and enterprise risk officer at Visa, stressed that curbing card fraud requires a three-pronged approach -- EMV, tokenization and end-to-end encryption.
According to new research from the consultancy Aite Group, card issuers are heeding the warning. Aite predicts that by October 2015, 70 percent of U.S. credit cards and 41 percent of U.S. debit cards will be EMV-enabled.
"The 17 months before the liability shift takes effect will pass by quickly, though, and issuers, based on lessons learned from other countries, should consider issues like fraud migration paths and how to counter them, as well as how to educate the consumer and merchant alike on chip cards," says Julie Conroy, research director of retail banking at Aite.
Too Late for EMV?
Some pundits argue it's too late for EMV in the U.S., and I agree, to some degree.
It's too late to rely heavily on EMV as a means to stop card fraud. But from a global payments interoperability standpoint, I don't see how we can avoid adoption of EMV much longer.
We can't afford to continue this discussion for another 10 years.