5 issues that could hamper EMV smartcard adoption in the U.S.

Separating post-Target hype from the reality

1 2 3 Page 2
Page 2 of 3

2. Security ROI still iffy

It's not clear if the investments will yield the kind of security benefit that many assume it will.

That's because the EMV standard can be implemented in a variety of ways. A majority of EMV implementations around the world require cardholders to enter a PIN as an authentication measure when conducting a transaction. These kinds of Chip-and-PIN EMV implementations are believed to yield the strongest security benefits.

But EMV can also be implemented in less secure ways. For example, EMV can be implemented simply as a chip card without a PIN, or as a chip card requiring either a signature or a PIN to authenticate the cardholder. Such smartcard implementations still offer more security than magnetic stripe cards, but they are less secure than chip-and-PIN formats.

MasterCard and Visa have left it largely to the card-issuing banks in the U.S. to decide which route they want to take.

But without a mandatory PIN requirement, any move to EMV standards in the U.S. is half-baked at best.

"It is not the enhanced security system that retailers have long-called for," says Brain Dodge, senior vice president of communications at the Retail Industry Leaders Association (RILA). "There is an enormous cost with moving systems to EMV. From the retailers' perspective, the added protection we are getting (from smartcards) is not enough to justify the expense," without a mandatory PIN requirement, Dodge said.

3. Not just a PIN issue

EMV implementation plans in the U.S. also permit the use of a magnetic stripe on the back of the card. This further weakens any benefits that might be gained from having a smartcard in the first place, said James Huguelet, an independent consultant who specializes in retail security.

In addition, EMV implementation plans do not require encryption of cardholder information on all transactions, which is another major weakness, Huguelet said.

For instance, EMV technology would have done little to prevent data thieves from harvesting credit and debit card data from Target's POS systems because the data was grabbed before it could be encrypted.

Even if all such issues were to be magically solved, EMV alone does nothing to make online and mobile payment methods more secure, Huguelet said. EMV cards are fundamentally designed to make so-called card present transactions more secure. The technology makes it harder to clone cards and use them to make fraudulent transactions. However, they are of less use in card-not-present situations such as online or mobile transactions.

In the wake of the Target breach, "there is a meme that has developed that the U.S. isn't moving quickly to EMV -- [and] if it did, that will make consumers safe," Huguelet said. "But there are several inconvenient truths to the current state of EMV in the U.S. that this sort of storyline ignores."

Seth Eisen, senior business leader with MasterCard North American Markets, downplayed such concerns. He noted that the liability structure under the proposed EMV model would be incentive for both U.S. banks and retailers to implement the most secure form of EMV.

"The terminal where the transaction takes place would determine the technology for the liability shift. If that terminal is not EMV and the card is, then the merchant is liable for any counterfeit fraud," Eisen said.

1 2 3 Page 2
Page 2 of 3
How to protect Windows 10 PCs from ransomware
Shop Tech Products at Amazon