DecodeDC

Actions

Is U.S. rollout of credit card chip and pin technology too little too late?

Posted at 1:26 PM, Nov 18, 2014
and last updated 2021-09-30 06:33:04-04

A more secure credit card technology called chip and pin is slated to roll out next year, but with the holiday season upon us and a seemingly endless number of data breaches, this supposed answer to cyber-attacks might be too little too late.

Banks and retailers in the United States are slated to adopt the technology, also known as EMV, by October 2015. Chip and pin credit cards, which are widely used in Europe, use an embedded chip and a pin code rather than a magnetic stripe to complete a transaction.

The Obama administration embraced the technology in October of this year when the President signed an executive order to roll out the cards for use within government institutions. 

But EMV is far from new. In fact, the U.S. is the last of the G20 nations to incorporate chip-based cards. The technology has been used in countries like the U.K. and France for over two decades, and many experts believe its roll-out in the U.S. will only be a band-aid to a much larger hacking problem.

“EMV is a 1990s solution to a 2014 problem,” Mark LaRow, an executive vice president at mobile software developer MicroStrategy, told the Credit Union Times.

Almost half of companies in the U.S. were subjected to a data breach in the past year, according to a study on data breach preparedness.  Many of the breaches, like those at Target, JP Morgan and Home Depot, resulted in compromised personal information for millions of customers.

Some of these security failures occurred through point of sale systems (POS)—the type of breach that chip and pin technology would protect against.

But many other incidents occurred through different kinds of breaches, like compromised user passwords or login information, or by accessing credit card information stored through online purchases. None of these hacks would be stopped by the roll-out of EMV.

Julie Conroy, a fraud analysis with the Aite Group told reporter Brian Krebs, “The PIN only addresses fraud when the card is lost or stolen, and in the U.S. market lost-and-stolen fraud is very small in comparison with counterfeit card fraud.”

And what about all of those purchases consumers are likely to make online this holiday season rather than in person? Chip and pin can’t help there either.

“The migration to EMV is a great step to reduce card-based fraud for businesses. The challenge is that all of these criminals aren't suddenly going to go become math teachers; they'll redirect their efforts at other areas of weakness for the financial system,” said Adam Dolby, VP of Business Development at Encap Security. “As a result, and as we've learned from rollouts in other areas, we'll see a dramatic spike at CNP (card-not-present) fraud.”

In those situations criminals just need your credit card number and the CVV code, the three or four digit code found on the back of your card.  Both types of data are static and don’t frequently change. Once stolen, criminals will often buy gift cards anonymously online and use them to make purchases to their heart’s content.

The other area hackers might focus on once EMV technology is widely used in the U.S. is the online banking system, which according to Dolby, has “minimal, if any, security.”

“These two areas present a huge weakness for banks and consumers and place an overall burden on the economic system as losses are introduced and absorbed. Ultimately that cost (of stolen account numbers) is always paid by the user, either explicitly or simply by raising prices and fees,” he said.

One solution retailers could invest in is stronger encryption software and newer, potentially more secure payment methods such as Apple Pay, which does not share individual credit card numbers with merchants.

Want to keep up with all the latest DecodeDC stories and podcasts? Sign up for our weekly newsletter at decodedc.com/newsletter.