Bluefin’s Chief Innovation Officer, Ruston Miles, contributes to today’s blog and boils down the basics of EMV for merchants.
The migration to EMV cards is well underway yet many questions still remain. The differences between EMV and magnetic stripe cards are vast – not only do the cards transfer data differently, but the actual payment process at the terminal is different as well. Consumers want to know how payments will be made, how authorization takes place, and who’s to blame for fraud after the migration is complete.
But perhaps the biggest question among consumers is whether EMV cards will really safeguard their data.
The Differences Between EMV Chip Cards & Magnetic Stripe Cards
To truly understand the purpose of EMV in the security trifecta, it’s necessary to grasp the differences between “chip cards” and magnetic stripe cards. The primary difference is the way the cards transfer data. EMV chip cards have a metallic square on the front of the card that creates a unique, one-time transaction code for every single transaction. This code cannot be used again.
Magnetic stripe cards, on the other hand, have transaction data that remains the same across all transactions. If a hacker were to compromise magnetic stripe data, that data could be used for multiple fraudulent transactions. However, if a hacker stole transaction data from an EMV chip card, the stolen data could not be replicated for future use because it’s only good for one transaction.
Since EMV cards transmit data differently, you may have guessed that the actual payment process occurs differently as well. When consumers pay with an EMV card, the card is “dipped” into the terminal instead of swiped. During the card dipping process, data is transferred to your financial institution to verify the card is valid, and a unique transaction code is created. The process is slower than a simple swipe, but far more secure because of the one-time transaction code.
However, the full migration to EMV in the U.S. is estimated to go well beyond October 1, 2015 – potentially with full implementation not being complete for 5+ more years. That means cardholders, retailers, and financial institutions are still at risk.
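The contrast drawn above between static stripe data and the chip's one-time transaction code, as an added example that is not from the original post or from Bluefin. It is a simplified model: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the key, track data, class names and function names are all constructed for illustration.

```python
import hashlib
import hmac

def cryptogram(key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """MAC over counter, amount and terminal nonce (HMAC-SHA256 as a stand-in)."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Chip:
    def __init__(self, key: bytes):
        self._key, self._atc = key, 0

    def sign(self, amount_cents: int, nonce: bytes):
        self._atc += 1  # the transaction counter advances on every purchase
        return self._atc, cryptogram(self._key, self._atc, amount_cents, nonce)

class Issuer:
    def __init__(self, key: bytes, track: str):
        self._key, self._track, self._last_atc = key, track, 0

    def authorize_stripe(self, track: str) -> bool:
        # Static data: the same bytes are valid for every purchase.
        return hmac.compare_digest(track, self._track)

    def authorize_chip(self, atc: int, amount_cents: int, nonce: bytes, mac: bytes) -> bool:
        expected = cryptogram(self._key, atc, amount_cents, nonce)
        if not hmac.compare_digest(mac, expected):
            return False  # code does not match this transaction's data
        if atc <= self._last_atc:
            return False  # counter value already seen: a replayed code
        self._last_atc = atc
        return True

def demo() -> dict:
    key = b"constructed-demo-key"                  # constructed sample value
    track = "4111111111111111=30121010000000000"   # constructed sample value
    nonce = b"\x01\x02\x03\x04"                    # terminal's random number
    chip, issuer = Chip(key), Issuer(key, track)
    atc, mac = chip.sign(2500, nonce)
    return {
        "stripe_first": issuer.authorize_stripe(track),
        "stripe_replay": issuer.authorize_stripe(track),
        "chip_first": issuer.authorize_chip(atc, 2500, nonce, mac),
        "chip_replay": issuer.authorize_chip(atc, 2500, nonce, mac),
        "chip_code_on_new_sale": issuer.authorize_chip(atc + 1, 9900, b"\x09" * 4, mac),
    }

if __name__ == "__main__":
    print(demo())
```

The stripe data is accepted both times, while the chip's code is accepted once and then rejected, both when resubmitted unchanged and when attached to a different sale.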
The Dangers that Still Remain
If you’ve already received your EMV card, you may have noticed it still comes with a magnetic stripe – and that’s because not all terminals are equipped to handle card dipping. To make sure consumers keep spending and merchants can adjust, EMV cards will be equipped to handle both types of transactions. So if you were to make a purchase at a terminal where EMV processing hasn’t been implemented, you would resort to the familiar swiping transaction process. Unfortunately, this swipe method leaves cardholders open to old vulnerabilities.
It’s also worth noting that during the migration process, fraudsters will be watching. It will be easy to prey on those who have not adapted to the EMV payment process, such as merchants who haven’t upgraded their terminals. That is why, after the October 1st deadline, the liability falls on the party who is the least EMV compliant (in this case, the merchant who didn’t upgrade their system to support the EMV card).
But even with upgraded terminals, there are still risks. EMV cards have two different verification methods. The most secure version is the chip-and-PIN card, which requires a PIN to verify the transaction in real time (like a debit card). However, during the initial rollout, many cards will be chip-and-signature because several payment processors are equipped only to handle signature verification. This means that for the time being, EMV cards can still be targeted for card-present fraud.
Yet the biggest danger lies with complacency. There’s still a prevalent notion that with EMV, we’ve reached the summit of payment security. And while EMV cards certainly authenticate the card and the consumer, they are not the only answer when it comes to protecting your data. As we saw with the Target breach, EMV would not have stopped hackers from entering the payment processing system and stealing unencrypted card data stored there, which can then be used for card-not-present transactions. This means that as long as our payment data stays unencrypted, the danger remains – EMV or not.
That’s why at Bluefin, we take a holistic approach to payment security. By combining PCI-validated point-to-point encryption (P2PE) to protect your card data, EMV to protect you against card-present fraud, and tokenization to eliminate the need for your credit card number to ever be stored, we aim to eliminate data theft and fraud at every point of your transaction.
If you have further questions about EMV and payment security, or want to learn how to get started with our holistic approach, contact us today.
Ruston is a frequent speaker on the topic of payment security and is an expert in PCI-validated P2PE. Ruston is a PCI Professional (PCIP), Certified Payment Professional (CPP), Certified Internet Business Strategist (CIBS), and an active participant with the PCI Security Standards Council (SSC).