Security Snapshot: How Is EMV Safer?
To understand why EMV credit cards—or “chip and PIN” cards—are safer, first we must understand standard magnetic stripe cards. The familiar magnetic stripe, which can be seen on all credit cards carried in the United States, has been around for more than four decades.
The security of the magnetic stripe has been compromised: widely available card reading and writing tools make it easy to read the data stored on the stripe. Criminals use these tools to build skimming devices and to carry out other attacks.
EMV, on the other hand, is a relatively new technology with plenty of built-in encryption. According to the Smartcard Alliance, “[EMV] transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal using Static Data Authentication (SDA), Dynamic Data Authentication (DDA) or Combined DDA with application cryptogram generation (CDA). EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions.”
In simple terms, the data is thoroughly scrambled.
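The "unique transaction data" idea from the quote above can be seen in a small model. This is an added example, not code from the original article or from any EMV specification: it assumes a per-card secret shared with the issuer, a transaction counter and a terminal-supplied random value, uses HMAC-SHA256 in place of the real cryptogram algorithm, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _mac(key, pan, amount, atc, un):
    # Assumption: HMAC-SHA256 stands in for the card's real cryptogram algorithm.
    msg = f"{pan}|{amount}|{atc}|".encode() + un
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:  # holds a key shared with the issuer and a transaction counter
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def sign(self, amount, un):
        self._atc += 1  # every transaction gets a fresh counter value
        return {"pan": self.pan, "amount": amount, "atc": self._atc, "un": un,
                "mac": _mac(self._key, self.pan, amount, self._atc, un)}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan):
        self._keys[pan], self._last_atc[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def authorize(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "unknown card"
        expected = _mac(key, txn["pan"], txn["amount"], txn["atc"], txn["un"])
        if not hmac.compare_digest(expected, txn["mac"]):
            return "bad cryptogram"  # data was altered or the key is wrong
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "replayed"  # counter value already seen
        self._last_atc[txn["pan"]] = txn["atc"]
        return "approved"

def demo():
    issuer = Issuer()
    card = issuer.issue("EXAMPLE-PAN-0001")  # constructed value, not a real card
    first = card.sign(1250, secrets.token_bytes(4))  # amount in cents, terminal nonce
    results = [issuer.authorize(first)]               # genuine transaction
    results.append(issuer.authorize(dict(first)))     # captured copy sent again
    results.append(issuer.authorize({**first, "amount": 99900, "atc": 2}))  # edited copy
    results.append(issuer.authorize(card.sign(300, secrets.token_bytes(4))))  # next purchase
    return results

print(demo())
```

A magnetic stripe has no counterpart to the counter or the keyed check: the same static data is presented every time, so a copy is indistinguishable from the original.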
Cardholder verification is another factor that enhances EMV card security: it ensures that the person attempting to make the transaction is, in fact, the legal cardholder. EMV supports four cardholder verification methods: offline PIN, online PIN, signature, or no cardholder verification. With a regular magstripe credit card, the only possible verification option is to check the ID of the person presenting the card, which cashiers only sometimes do and which may even create a false sense of security. The primary verification method for online purchases is to request the CVV, or credit verification value, which is visibly printed right on the card itself.
So get ready, because “chip and PIN” is coming, and it’s more secure than the cards in your wallet, not to mention the most ubiquitous card outside the United States.
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.