Long past are the days when manual credit card machines were the standard for processing credit card payments worldwide. Several technologies have followed since, but nowadays the most widely used within the U.S. is the magstripe, in which card data is statically encoded on a magnetic stripe that is then run through point-of-sale (POS) system, requiring the user to authenticate their identity via a PIN code or by providing a signature. The problem? Well, for starters, that operation sets us way behind in relation to the rest of the world, and these cards, both credit and debit, are very easy to duplicate using inexpensive reader machines, which may allow criminals to begin purchase right away with little to deter them.
Thus, a new standard was introduced as early as the mid-2000s for Europe and 2013 for Australia, and even some banks in Latin American countries have transitioned to this new technology. First developed by Europay, Mastercard and Visa, the EMV standard uses a chip which generates single-transaction codes. It also requires that the users, in addition to inserting the card in a compatible POS machine, provide a PIN code and a signature in order to authenticate the transaction.
After seeing that there are currently some technology developers who are willing to invest in Research and Development for the improvement of this technology, we might conclude that EMV is expected to be the direction credit card security that is going to take in the next few years, making it an absolute imperative.
“EMV is the to be expected direction credit card security is going to take in the next few years, making it an absolute imperative”
There are, however, many concerns that this technology is not completely secure or effective to deter fraud. Visa and Mastercard, big supporters of the EMV technology, set a deadline in October 2015 for what they then termed a “liability shift.” By doing so, they have effectively shifted liability to whichever party –merchant or financial institution– uses a less secure technology. Thus, it is now the case that if a merchant has chip capability but a bank fails to issue chip cards, the bank will bear the cost of fraud. Conversely, if the merchant chooses to swipe a card regardless of possessing chip capability, they will be held liable for the occurrence of fraud.
Read also: Identity Theft: Damage Control
Although the introduction of EMV cards has reduced the number of counterfeit card fraud, the number of card-not-present, or CNP, fraud is actually on the rise, which occurs during telephone or online transactions –such as purchasing something on Amazon.com or buying a pizza by phone. Moreover, even if the business opts for transitioning to chip card compatible POS, using a PIN is not necessary in the case of Credit Cards, meaning that a stolen card can easily be used at such businesses that choose not to verify the accuracy of a signature, which is not a rare occurrence at all.
There are also concerns that the technology itself may not be completely secure, even if used correctly. According to The Hacker News, there are several inherent vulnerabilities to chip cards. For example, researchers have been able to predict the pattern of what were supposed to be unpredictable numbers. This allowed them to duplicate chip cards.
Security researchers also found a way to bypass PIN or signature requirements altogether by performing man-in-the-middle attacks on chip cards. Finally, Wired reported that a British team found flaws in some “contactless” Visa chip cards, allowing the approval of foreign currency transactions up to USD 999,999.99. Of course, a “contactless” chip card is not made riskier just by that fact, but rather because it does not require any form of security check in order to approve a transaction, since these are all contained within the card itself. So it would be easier for a criminal to simply steal a contactless chip card and use it without having to do much in order to cover their crime –or they could simply manufacture a homemade contactless card reader, bypassing the need for touching the card at all.
In the face of all this, what choice is left to us, the consumers? It seems that while bank and credit card companies decide on the best technology to implement, and until technology itself catches up to increasingly versatile criminals, the best protection against credit card fraud still seems to be the old-fashioned precaution, since there is no choice in the type of card technology that will end up inside our wallets. Much of the world has decided to switch to chip card technology years ago, and the U.S. just began to make the transition towards it. There is no going back now, but we will definitely have to look into the future for whatever it may hold and be prepared for it.