Writing for the Institutional Investor, analyst Jeffrey Kutler reports that U.S. merchants – in an effort to limit loss liability – face an October 2015 deadline to install PoS (Point of Service) devices compatible with the E.M.V. standard.
“[This] enables them to read cards equipped with computer chips, which are far less vulnerable to fraud and forgery than the old magnetic stripes, and which card issuers are currently distributing,” Kutler explains.
“The [new] terminals are an aggregate $7 billion expense, but if it solves an $18 billion problem, the cost-benefit is clear.”
As Kutler points out, the Retail Industry Leaders Association (RILA) believes chip cards are only a partial measure, since cardholders are still required to sign their names to complete a transaction.
As such, RILA advocates personal identification numbers as a viable and secure alternative. Indeed, according to RILA president Sandy Kennedy, PIN transactions are 700 percent safer than sales executed with non-PIN equipment.
“The technology is shown to be highly effective,” John Gunn, the Chicago-based head of communications for authentication systems company Vasco Data Security, told Kutler. “It’s just a question of who pays for it.”
Paul Kocher, a veteran of the card security wars who is president and chief scientist of the Rambus Cryptography Research division in San Francisco, says he believes the disagreements over cost and effectiveness will eventually sort themselves out.
“We could see a repeat of what happened in Europe – a rapid move to chip-and-PIN,” Kocher opines.
At least, he says, there is a consensus that “fraud is bad for everybody” and that “1960s magnetic stripe technology has to change.”
As Kocher recently noted in an article penned for The New York Times, “smart” credit cards equipped with E.M.V. security chips are widely used throughout Europe and the rest of the world. However, most American cards today are only equipped with a magnetic stripe to verify authorized customer activity.
“With a magnetic stripe, payment terminals access all the information required to produce a clone of the card,” writes Kocher. “In contrast, the E.M.V. cards give merchants non-reusable authentication codes, drastically reducing the potential for fraudulent use of information that can be hacked from retailers.”
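The difference between static stripe data and non-reusable authentication codes can be shown with a simplified model. This is an added example, not code from the article or from the E.M.V. specification: the class and function names are hypothetical, the card number is constructed, and HMAC-SHA256 with a transaction counter stands in for the card's actual cryptogram algorithm.

```python
import hashlib
import hmac
import secrets

def auth_code(key, m):
    msg = f'{m["pan"]}|{m["atc"]}|{m["amount"]}|{m["nonce"]}'.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    # Toy chip: the key stays inside; only per-transaction codes come out.
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def sign(self, amount, nonce):
        self._atc += 1  # counter advances on every transaction
        m = {"pan": self.pan, "atc": self._atc, "amount": amount, "nonce": nonce}
        return {**m, "code": auth_code(self._key, m)}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc, self._static = {}, {}, {}

    def issue(self, pan):
        self._keys[pan] = secrets.token_bytes(32)
        self._last_atc[pan] = 0
        self._static[pan] = secrets.token_hex(2)  # fixed value encoded on the stripe
        return {"pan": pan, "static": self._static[pan]}, ChipCard(pan, self._keys[pan])

    def verify_stripe(self, track):
        # Static data: a copied track is indistinguishable from the original.
        return hmac.compare_digest(self._static.get(track["pan"], ""), track["static"])

    def verify_chip(self, m):
        key = self._keys.get(m["pan"])
        if key is None or not hmac.compare_digest(auth_code(key, m), m["code"]):
            return False  # unknown card, altered fields or wrong key
        if m["atc"] <= self._last_atc[m["pan"]]:
            return False  # counter already seen: replayed message
        self._last_atc[m["pan"]] = m["atc"]
        return True

def demo():
    issuer = Issuer()
    stripe, chip = issuer.issue("4000000000000002")  # constructed card number
    first = chip.sign(1999, secrets.token_hex(4))    # nonce models the terminal's random value
    altered = {**chip.sign(500, secrets.token_hex(4)), "amount": 50000}
    return {"stripe_copy": issuer.verify_stripe(dict(stripe)),
            "chip_first": issuer.verify_chip(first),
            "chip_replay": issuer.verify_chip(dict(first)),
            "chip_altered": issuer.verify_chip(altered)}
```

In this model the copied stripe record verifies every time, while the captured chip message is accepted once and then rejected, and a message whose amount was changed after signing never verifies.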
According to Kocher, the upgrade will deny cyber criminals one of their most lucrative strategies, although they certainly won’t be throwing in the digital towel anytime soon.
“Instead they’ll shift to other lucrative (though somewhat less attractive) ways to profit from stolen data and credentials, such as stealing from brokerage accounts, forging checks, filing bogus tax refunds and engaging in insider trading and medical billing schemes,” Kocher attests. “More systems will get attacked and then upgraded, technical advances will create new and greater opportunities for abuse, and the cycle will continue.”
Nevertheless, says Kocher, the market is steadily progressing towards safer technologies, with cryptographic algorithms providing the mathematical building blocks for security and privacy. Indeed, dedicated security hardware that once occupied racks of equipment can now be manufactured on the corner of a chip for just a few cents.
“The E.M.V. roll-out is a critical first step, but it will take a long time to shift our critical security tasks away from complex microprocessors and their software to simpler, well-isolated circuits and chips built for security,” he concludes.