Why the Pending U.S. EMV Liability Shift Deadline Is Almost Meaningless
@VASCODataNews
The shift to the EMV standard in the U.S. has drawn incredible media attention for more than a year as everyone witnesses the approach of the looming liability shift deadline. But what does it really mean for merchants, consumers, and hackers? I say the answer is actually very little, and in as few words as possible, I will tell you why.
EMV comes to America
It's not a well-kept secret that large numbers of Americans are xenophobes. In U.S. politics, a popular way to attack an intelligent person or a smart idea is to associate it with Europe, especially the French (this I cannot explain). Identifying EMV as migrating from Europe stokes fears of socialism, gun control, and political compromise - all dreaded concepts here in the States.
The real purpose of EMV
The EMV standard has been remarkably and undeniably successful in stopping fraud. But the strange compromise in implementation that we have adopted in the U.S. is akin to bolting the front door and then leaving the windows wide open. We are not using the PIN feature and we are still using personal account numbers (PANs) on magnetic stripes. In doing so, we have effectively reduced the EMV chip to an attractive decoration on the card.
For Merchants
Don't mistakenly think for one minute that consumers care if the merchant or the issuing financial institution suffers financially from hackers and fraud. As long as U.S. consumers have a choice and no liability, they will stick to their old ways and the merchants that don't want to lose customers will let them. For merchants, the losses from fraud will still be less than the losses from chasing customers away.
For Consumers
Travel to Europe sometime - enjoy the wonderful culture, incredible food, remarkable history, and see firsthand how well the EMV system works when properly implemented, and that's all I can really say about that.
For Hackers
Fear not, it will be business as usual. Even with U.S. shoppers' wallets bulging with shiny new EMV cards, the magnetic stripes and PANs will still be there long after the liability shift. When a hacker uses a counterfeit EMV-looking card, but has the merchant use the incredibly-easy-to-counterfeit mag stripe, nothing will really have changed from the 1970s. And honestly, at my local dry cleaners and burrito joint where they greet most customers by name, there is neither the need for nor interest in EMV cards. So, without a strict mandate, they will not adopt it. The oldest authentication system in the world still works. (Note to fraudsters - I wouldn't try ripping off my local gun shop.)
So what?
In the end, we are all collectively engaged in the war against fraud whether we want to be or not, and it's time to acknowledge that. Even if we are not victims ourselves, everyone pays for the extra cost of fraud in the form of higher prices. Shifting liability will not deter hackers; they don't really care who the victim is as long as they get their dirty money. Real security measures such as using chip and PIN, eliminating magnetic stripes and PANs, and securing accounts with two-factor authentication (instead of user name and password) are what is needed. So what are we waiting for?