EMV smartcards offer security benefits even without PIN, Visa says

Chip cards can help eliminate counterfeit fraud, Visa exec says

A senior executive from Visa this week dismissed concerns over the manner in which the Europay MasterCard Visa (EMV) chip card standard is being implemented in the U.S. and insisted the technology will yield significant security benefits for retailers, consumers and banks.

In an interview with Computerworld, Ellen Richey, Visa's chief risk officer, said that EMV smartcards have all but eliminated cases of fraud involving counterfeit cards in the countries where the technology has been adopted. The same benefits will become available in the U.S. when the switch is made to EMV.

Cards based on the EMV standard use an embedded microprocessor instead of a magnetic stripe to store cardholder data.

Visa and MasterCard require U.S. merchants and card-issuing banks to migrate to EMV technology by October 2015 or face increased liability exposure.

Some groups, like the Retail Industry Leaders Association (RILA), have noted that the smartcard mandate leaves gaps in payment card security because it does not require merchants or banks to support PIN-based authentication.

In a majority of countries that have moved to EMV technology, users are typically required to enter PINs, instead of signing their names, to complete payments at point-of-sale terminals. Chip-and-PIN systems are considered more secure than chip-and-signature systems.

In the U.S., however, both Visa and MasterCard have left it up to banks and retailers to decide if they want to implement chip-and-PIN or chip-and-signature models, prompting concern from groups like the RILA. The U.S. is among about two dozen countries that don't require a PIN to conduct a smartcard transaction.

Richey noted that concerns about the lack of a PIN requirement are misplaced. Credit and debit cards based on the EMV standard offer significant protection against fraud even when a PIN is not used, she said.

Chip technology, with or without a PIN, prevents counterfeit fraud, which represents the biggest category of payment card fraud in the U.S., Richey said.

PIN-based authentication can help address fraud involving cards that are lost or stolen. But that type of fraud is relatively uncommon, and preventing it is not a big enough concern to merit the additional investments in the systems necessary to support the use of PINs, Richey said.

Moreover, PINs are a valuable target for hackers and therefore need to be protected at additional cost. Requiring a PIN for all transactions would also add to the cost, complexity and time involved in moving from magnetic stripe technology to EMV, Richey said.

Though Visa's EMV road map does not include a PIN requirement, the company will support all cardholder verification models, including those requiring signatures or PINs -- and even those with no signature or PIN requirements for certain low-value transactions, such as purchases made at unmanned kiosks.

Visa's priority going forward is to gradually eliminate the use of static data such as PINs as authentication for payment transactions, Richey said.

She noted that it is unfair to expect EMV to be effective against all types of payment card fraud. For instance, many people have noted that EMV is useful only for transactions in which a physical card is used, such as purchases in stores, and is less effective in situations where an actual card is not required, such as online transactions.

EMV technology plays a crucial role in bolstering payment card security, but it is only part of a multilayered approach to security. Approaches like tokenization, fraud detection networks and dynamic authentication also play key roles in improving payment card security, she said.

The EMV standard has received considerable attention from stakeholders in the U.S. payment industry and from lawmakers following the massive data breach at Target that exposed data on 40 million credit and debit cards.

This article, "EMV Smartcards Offer Security Benefits Even Without PIN, Visa Says," was originally published on Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is jvijayan@computerworld.com.
