EMV smartcards offer security benefits even without PIN, Visa says
Chip cards can help eliminate counterfeit fraud, Visa exec says
Computerworld - A senior executive from Visa this week dismissed concerns over the manner in which the Europay MasterCard Visa (EMV) chip card standard is being implemented in the U.S. and insisted the technology will yield significant security benefits for retailers, consumers and banks.
In an interview with Computerworld, Ellen Richey, Visa's chief risk officer, said that EMV smartcards have all but eliminated cases of fraud involving counterfeit cards in the countries where the technology has been adopted. The same benefits will become available in the U.S. when the switch is made to EMV.
Cards based on the EMV standard use an embedded microprocessor instead of a magnetic stripe to store cardholder data.
Visa and MasterCard require U.S merchants and card-issuing banks to migrate to EMV technology by October 2015 or face increased liability exposure.
Some groups, like the Retail Industry Leaders Association (RILA), have noted that the smartcard mandate leaves gaps in payment card security because it does not require merchants or banks to support PIN-based authentication.
In a majority of countries that have moved to EMV technology, users are typically required to enter PINs, instead of signing their names, to complete payments at point-of-sale terminals. Chip-and-PIN systems are considered more secure than chip-and-signature systems.
In the U.S., however, both Visa and MasterCard have left it up to banks and retailers to decide if they want to implement chip-and-PIN or chip-and-signature models, prompting concern from groups like the RILA. The U.S. is among about two dozen countries that don't require a PIN to conduct a smartcard transaction.
Richey noted that concerns about the lack of a PIN requirement are misplaced. Credit and debit cards based on the EMV standard offer significant protection against fraud even when a PIN is not used, she said.
Chip technology, with or without a PIN, prevents counterfeit fraud, which represents the biggest category of payment card fraud in the U.S., Richey said.
PIN-based authentication can help address fraud involving cards that are lost or stolen. But that type of fraud is relatively uncommon, and preventing it is not a big enough concern to merit the additional investments in the systems necessary to support the use of PINs, Richey said.
Moreover, PINs are a valuable target for hackers and therefore need to be protected at additional cost. Requiring a PIN for all transactions would also add to the cost, complexity and time involved in moving from magnetic stripe technology to EMV, Richey said.
Though Visa's EMV road map does not include a PIN requirement, the company will support all cardholder verification models, including those requiring signatures or PINs -- and even those with no signature or PIN requirements for certain low-value transactions, such as purchases made at unmanned kiosks.
Visa's priority going forward is to gradually eliminate the use of static data such as PINs as authentication for payment transactions, Richey said.
She noted that it is unfair to expect EMV to be effective against all types of payment card fraud. For instance, many people have noted that EMV is useful only for transactions in which a physical card is used, such as purchases in stores, and is less effective in situations where an actual card is not required, such as online transactions.
EMV technology plays a crucial role in bolstering payment card security, but it is only part of a multilayered approach to security. Approaches like tokenization, fraud detection networks and dynamic authentication also play key roles in improving payment card security she said.
The EMV standard has received considerable attention from stakeholders in the U.S payment industry and from lawmakers following the massive data breach at Target that exposed data on 40 million credit and debit cards.
This article, "EMV Smartcards Offer Security Benefits Even Without PIN, Visa Says," was originally published on Computerworld.com.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is firstname.lastname@example.org.
Read more about Data Security in Computerworld's Data Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Top tips for securing big data environments - Why big data doesn't have to mean big security challenges Organizations don't have to feel overwhelmed when it comes to securing big data environments. The same security fundamentals for securing databases, data warehouses...
- Top 3 Myths about Big Data Security : Debunking common misconceptions about big data security Big data represents massive business possibilities and competitive advantage for organizations that are able to harness and use that information. But how are...
- Three guiding principles for data security and compliance Data security is a moving target-as data grows, more sophisticated threats emerge; the number of regulations increase; and changing economic times make it...
- Mitigate the OWASP Top 10 Web Application Security Risks This technical brief analyzes each of the ten risks and outlines how you can protect your organization from threats targeting your high-value applications...
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva.
- How SIEM Addresses the Challenges of Big Security Data This webcast will help you understand today's big data security challenges and how intelligent and scalable SIEM solutions give IT the tools and... All Data Security White Papers | Webcasts