In the latest edition of Communications of the ACM, Ross Anderson and I have an article in the Inside Risks column: “EMV: Why Payment Systems Fail” (DOI 10.1145/2602321).
Now that US banks are deploying credit and debit cards with chips supporting the EMV protocol, our article explores what lessons the US should learn from the UK experience of having chip cards since 2006. We address questions like whether EMV would have prevented the Target data breach (it wouldn’t have), whether Chip and PIN is safer for customers than Chip and Signature (it isn’t), whether EMV cards can be cloned (in some cases, they can) and whether EMV will protect against online fraud (it won’t).
While the EMV specification is the same across the world, they way each country uses it varies substantially. Even individual banks within a country may make different implementation choices which have an impact on security. The US will prove to be an especially interesting case study because some banks will be choosing Chip and PIN (as the UK has done) while others will choose Chip and Signature (as Singapore did). The US will act as a natural experiment addressing the question of whether Chip and PIN or Chip and Signature is better, and from whose perspective?
The US is also distinctive in that the major tussle over payment card security is over the “interchange” fees paid by merchants to the banks which issue the cards used. Interchange fees are about an order of magnitude higher than losses due to fraud, so while security is one consideration in choosing different sets of EMV features, the question of who pays how much in fees is a more important factor (even if the decision is later claimed to be justified by security). We’re already seeing results of this fight in the courts and through legislation.
EMV is coming to the US, so it is important that banks, customers, merchants and regulators know the likely consequences and how to manage the risks, learning from the lessons of the UK and elsewhere. Discussion of these and further issues can be found in our article.
Thanks for the paper, it will be interesting to see how this plays out for customers, merchants and banks over the next few years, and also if any of the lessons learned in the UK are heeded before issues arise, or reactively after issues arise.
Good article minus one incorrect statement. The track equivalent data in the chip has a fake CVV, rendering it useless for magstripe fraud.
I think you’re referring to the iCVV feature. This is optional and our testing has shown that some cards do not use it and so allow the reconstruction of the full magstripe details from the chip. Some banks which even claim that they use iCVV have been proved wrong.
An interesting article on how ATM skimmers are getting quite advanced (some nice surface-mounted board design shown there) with the US being a good market for stolen data due to their slow C&P adoption.
http://krebsonsecurity.com/2014/07/the-rise-of-thin-mini-and-insert-skimmers/