What’s the holdup with EMV cards?
A headline on The Atlantic website asks, “Why Is the U.S. Determined to Have the Least-Secure Credit Cards in the World?”
The article points out that while EMV (Europay, MasterCard, Visa) technology (AKA chip-and-pin) has proven superior to the magnetic stripe system used in the U.S. when it comes to reducing credit card fraud, there remain a host of obstacles to its full-fledged adoption here.
The author of the article, Josephine Wolff, writes that one action that is particularly perplexing is the decision by some to eschew the use of chip-and-pin for less secure chip-and-signature cards. In fact, Ms. Wolff offers this as the answer to the question raised in the article’s title.
Last summer and into early fall, as discussed on RetailWire, retailers and financial institutions were engaged in finger pointing over the Oct. 1 launch of EMV cards. Retailers said banks and credit card companies weren’t ready to hit the ground running, while banks maintained the same of merchants.
Personal experience tells me that a number of chains locally came online past the deadline date. Others with point-of-sale terminals for EMV cards continue to have customers swipe instead of using the PIN function.
- Why Is the U.S. Determined to Have the Least-Secure Credit Cards in the World? – The Atlantic
- Are retailers ready for the EMV deadline? – RetailWire
Image: Visa
Discussion Questions
DISCUSSION QUESTIONS: Do you agree with The Atlantic article’s contention that the U.S. has the least secure credit card system? What is your assessment of adoption of EMV technology within retail companies?
Poll
BrainTrust
Ryan Mathews
Founder, CEO, Black Monk Consulting
Cathy Hotka
Principal, Cathy Hotka & Associates
I am not intimately knowledgeable about every credit card system in the world so I suppose I can’t really answer that question, but if the question was, “Is the U.S’s credit card system ridiculously insecure?” — then the answer would be a loud yes.
Security — as almost everyone knows — is sort of a digital fairytale that you keep believing against the evidence until your identity is stolen, your gas or ATM card is inserted into a “skimmer” or somebody walks past you with a device in their pocket that can read your card while it is still in your wallet and copy all the information.
I agree with George’s point in the article. Based on observation, many retailers had trouble launching the EMV cards and many still have trouble making the system work seamlessly.
And what happens when somebody figures out a way to work around the chip?
Yes, the U.S. has the least secure credit card system, and that’s by design. The card companies aren’t trying to create the most secure system; rather, they are balancing trade-offs between ease of use, security, risk and infrastructure costs. However, choosing to accept signatures instead of PINs is just plain silly.
I’ve observed retailers trying their best to meet EMV implementation deadlines, but there are many companies involved and not everyone was “rowing in the same direction.” Any huge system updated like this will have bumps along the way. The result is an improvement, but don’t be fooled into thinking fraud has been stopped.
Yes, the U.S. is lagging in credit card security, and the fault lies with both card issuers and retailers. Try to get a chip-and-pin credit card. Many issuers don’t have them, offering instead chip-and-signature. Try to use a chip-and-pin card at most retailers and you will be asked to sign rather than enter a pin.
While banks and retailers point fingers at each other, fraud rises and consumers grow more frustrated and less confident in the banking and payment systems.
The system is not ready yet, as our bank we deal with isn’t ready to make a full go of it. My concern, as Ryan mentioned, is after I end up paying for a whole new system, along with other retailers, what about two years from now when the government comes out with more mandates and the chip technology no longer is secure? It is an endless game of keeping up with the criminal element which has grown exponentially. The retailers keep forking over good money to put in new systems, and common sense would tell me that the new ones I will be purchasing should hopefully have an encryption upgrade when the newest threat comes around, rather than making me pay for a whole new hardware system. We’ll see how this goes. Technology is wonderful, but man it never ends does it?
The short answer is cost. At least it is for fuel retailers.
Let’s say the cost to upgrade my dispensers to handle EMV cards is X times the card fraud I am likely to incur. This strategy works until the retailer is the last one in their immediate market and then the bad guys figure out that they can use those fraudulent swipe cards at their location.
The U.S. is a different animal than many European countries when it comes to the checkout process. Because of so much investment in advanced POS functionality and store-level CRM, the majority of U.S. retailers use integrated or semi-integrated payment terminals (meaning they pass information back and forth between the POS and the payment terminal). The payment terminal is part of the consumer experience — there is branding, confirmation of customer information sometimes, etc.
In Europe, it’s pretty much all non-integrated payment terminals — they are just terminals used simply for re-keying the total amount and swiping/inserting the card for authorization to the bank. What all of this means is that it was tremendously easier for the European market to support EMV because it only meant an upgrade/replacement for their terminals. In the U.S. it leads to changes to the terminals, changes to the POS application and changes to payment gateways and potentially credit switches. With all of those players, it has lead to the roadblocks, delays in certification and backlogs across the spectrum.
And again, because the payment transaction is integrated in the U.S., you have U.S. merchants who have to do other things to protect that card data as it flows through their systems, and the U.S. actually takes more of a leadership position when it comes to end-to-end encryption and tokenization, which are arguably more important than EMV when it comes to protecting cardholder data and securing the transaction.
The one piece the article points out that I definitely agree with is the chip-and-pin vs. chip-and-signature debate. The original perception was that U.S. consumers wouldn’t go for an extra PIN for their cards, so they headed down the chip-and-signature path for the initial EMV rollout (whereas the rest of the world is chip-and-PIN). However, after all of the breaches and the rise in debit cards, it turns out that most consumers believe the PIN adds more security and they’d be willing to use that to further ensure they are the only ones using those cards. So in that regard, we’re lacking.
The U.S. doesn’t have the best credit card security, due in part to consumers’ lack of willingness to adopt tighter security measures at checkout. That’s just our culture. Until more retailers “force” more restrictive security, consumers will not ask for it.
Yes, it did take a long time for my card providers to update my cards. I just got a new one the other day. Six months after the deadline. And yes, there is a problem at retail. Even where they have the terminals to insert the card, the cashier often says “please just swipe it.” Or I insert it and they want me to sign the receipt. Or I insert and wait, wait, wait. Then enter my pin and wait, wait, wait. In Europe, the transaction seems instantaneous.
And of course, the restaurants still take my credit card away. I haven’t experienced one that has the hand-held devices that they have in Europe.
It doesn’t matter if the problem is cost,culture or “not invented here,” we should be patient. The system was only invented about 15 years ago, so adoption may take a while.
Net-net, my take is that there is no appreciation for the talent of the hackers and security is way down on everyone’s list of priorities.
My cards are all updated to chip. But with the exception of Walgreens and Walmart the other retailers in my area still ask me to “swipe” the card. I am surprised the adoption of EMV is taking so long.
The most secure system only keeps that designation until someone finds a way around it. U.S. consumers appear to be willing to trade information for benefits. In that situation security is never very secure. A whole industry has grown up around identity protection. Who pays for what is a big question. The issue will not be resolved any time soon.
Ask any retail CIO what they think of EMV and they’ll all proclaim it to be a joke. The current US incarnation is slow, confusing, and apparently designed purely to shift liability on fraudulent transactions to the retailer. The retail industry dawdled on payment security and this kludgy financial industry mess is the result.
The issues consumers are experiencing are software data file compatibility and old technology. The cost of upgrades to the communication capabilities and file fixes is more than was anticipated. In short, it is costing too much to upgrade vs. the risk and payout from the retailer perspective. Add that consumer demand is seemingly minuscule and you will always get a low investment curve.
While we don’t have the least secure credit card system, we certainly do not have the most secure that is currently available and the real frustration is that, having mandated a fairly dramatic change to the process, we didn’t mandate the change to the best then-available method!
For those who will still be working 10 years from now, this will be remembered as one of the great debacles perpetrated on consumers and retailers alike. Overall, it was not the retailers’ fault that the industry didn’t select the best available. And if retailers have been slow to adapt/adopt, in many cases it has been because it was cheaper for some to take the financial hit of claims than it was to buy new credit authorization terminals to support chip-and-pin.
The issuers, however, really bungled this one: they take way too long and make it too difficult for retailers to certify, and — they didn’t have enough EMV cards available in time to distribute to all cardholders before the deadline they themselves imposed.
In a presentation given by payments expert Richard Sanders at a CardTech SecurTech conference in 2005, he declared to the room that the US would become the focus of fraudsters one day if it continued to drag its feet on adoption of EMV standards. Most of the room reflected the opinion that “it won’t happen to us,” but as we see, the US is the last major market in the world to adopt the standard and our mag stripe cards are the target of conniving fraudsters. In my opinion, Richard should be given a monogrammed crystal ball for this and other predictions related to EMV adoption in the US.
It is surprising that after many years of planning, the deadline for liability shift from card issuer to retailer was not taken seriously by either party, retailers in particular. The cost to revamp point-of-sale systems has been the primary sticking point with retailers and I believe accounts for the gradual adoption of the standards by retailers.
For consumers the marketplace today is confusing and frustrating. Because there is inconsistent adoption of Chip and PIN/Signature, one never knows whether to swipe or insert a card into a machine to complete a purchase. The result is that the purchase process is slower than it needs to be. For those that have enabled chip card acceptance, the process to complete a transaction is noticeably slower than swiping a traditional mag stripe card.
The only reason that retailers are not being penalized by consumers for the confusing check out environment is that many consumers view use of payment card as something out of their control. Consumers will swipe, tap, wave or insert as instructed, probably grumbling about just as they do when they open their utility bill.
This scenario doesn’t excuse either the payment networks or the retailers for their slow and inconsistent adoption, something that the Atlantic article accurately documented.
We are certainly laggards here in the U.S. when it comes to EMV. I’ll leave it to the experts to confirm whether that means we are less secure here, but it certainly seems that way based on cursory experience.
One area where progress seems to have been made is in widespread replacement of the card terminals themselves. I think these need to be routinely replaced due to wear and tear anyway, so the huge price tags cited by critics may be an exaggeration. Besides, the advent of NFC payments from Apple, Samsung and Google added a reason for many new terminals to be installed.
On the systems and software side of the equation, however, progress seems very slow to me. Like others here I observe that the vast majority of card slots are either taped over or simply not activated, while checkout clerks mutter vague apologies about “maybe by next year, they tell us.”
The sluggish implementation makes me wonder if retailers calculate that the cumulative risk of individual card frauds at the terminals, for them, is much lower than the risk of massive data breaches perpetrated on their central systems.
I think we all know that’s not true, we are defiantly lacking.
EMV utilizing chip and signature is no more secure than swipe and signature for the most part. No one is checking IDs to make sure the person who owns the card is the one using it. You could find it in the parking lot and use it and no one would stop you if it hadn’t already been reported lost.
Consumers don’t like it because it takes, or seems to take, SO MUCH LONGER to process than a signature transaction. They hate waiting in line already, so places with notoriously bad wait times — like CVS — have disabled it.
Retailers should check their statements VERY CAREFULLY, especially if they have not made the switch. The liability transfer is only for certain transactions, not including lost or stolen cards, which are zero liability for the retailers, yet many banks are now pushing these transactions onto the retailers as chargebacks since no one is really paying attention and most don’t even understand what the rules and regs are for most of what they’ve agreed to in the first place.
Banks are the only beneficiaries in this situation. Perhaps this will push people towards mobile wallets and the lightning fast, more secure transactions that they offer.