
The Switch to the Chip Card – One Year Later

The October anniversary of the liability shift has passed, and anniversaries are an excellent time to look back on progress…this is no exception. The U.S. EMV migration plan was set four years ago as a way to fight card fraud and to protect both consumers and merchants.

Back in the day, we had one choice when we wanted to purchase something, and that was cold, hard cash. However, a few decades ago, people began using credit cards for everyday purchases instead of for only big ticket items, such as refrigerators. Though this was certainly convenient, it also opened the door for the bad guys not only to access your credit card information but also to use this information to make purchases and even to learn more about you and steal your identity. Over the past couple of years, once again, we in the U.S. are changing things up when it comes to how we use credit and debit cards. Our new cards, the ‘chip cards,’ as used in most other places in the world, are making it safer than ever before to make purchases.

Love ‘em or hate ‘em, these new chip cards and terminals are working to eliminate card fraud, and they are working very well. The way we pay in the U.S. needed a huge overhaul, and this security upgrade was an attempt to make things safer. Data and research confirm that this new technology has had a great impact on reducing card fraud.

Don’t get me wrong. This transformation has not been without a few headaches for merchants and consumers but believe me…things are improving, and they will continue to improve as businesses complete their shift to the chip. How much? Mastercard fraud data indicates that there was a 54 percent decrease associated with counterfeit fraud when comparing data from April 2016 to April 2015.

We Have a Strong Start, But There is Still Work to be Done

When considering everything, the U.S. is off to a solid start, but we still have work to do. When looking at the more than 150 world markets that use chips in cards, we know that more chip transactions must be done before we can see a significant drop in fraud. To do this, we will need about 60 percent of chip terminals interacting with a minimum of 60 percent of chip cards in market. If you have one or have seen chip cards, you likely know that we have gone well beyond that 60 percent mark on cards, but only about 30 percent of store terminals are set up to accept chips.

Another thing that we need to do is continue to speed up the certification process for merchants. The faster we can get chip terminals in stores, the faster we will see these card fraud levels drop.

We also need to increase the speed at which these transactions occur. If you have used a chip terminal, you know that it feels like a slower process than the ‘swipe’ we are used to. The payments industry is hard at work to address this issue, and new technologies are being created to speed up transaction times when using these payment methods. Remember, even though the process feels a bit slower right now, you are significantly safer when using a chip card.

Ultimately, if we can have a little bit of patience with the process and endure these short-term issues, we will all greatly benefit when it comes to payment security. We are already moving in the right direction, and if we keep adding terminals and encouraging the use of chip cards, we will definitely see even more improvement when we compare with next year. Before you know it, most forms of card fraud will be all but gone thanks to the switch to the chip.

Robert Siciliano, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

EMV Will Help Retailers Prevent Credit Card Fraud

EMV, which stands for Europay, MasterCard, and Visa, refers to the chip and PIN credit card technology commonly used in Europe and elsewhere around the world. Credit cards that incorporate an embedded microprocessor chip are far more secure than any other form of credit card currently available, including the standard magnetic striped cards that are all too easy to skim at ATMs and point of sale terminals.

Major banks and retailers are now pushing very hard to make EMV the new standard in the United States. Implementation should occur in 2015. Visa announced plans to expand their Technology Innovation Program to the U.S., which will encourage retailers to support cards with microchips by “[eliminating] the requirement for eligible merchants to annually validate their compliance with the PCI Data Security Standard for any year in which at least 75% of the merchant’s Visa transactions originate from chip-enabled terminals.” This will go into effect October 1, 2012 for merchants whose point-of-sale terminals accept both contact and contactless chips.

PCMag reported MasterCard followed Visa’s lead stating that it too intends to move U.S. consumers onto so-called chip-and-PIN technology. MasterCard, like Visa, also said that it is preparing for a world where consumers will pay in stores, online, and via mobile devices.

Another method of credit card fraud prevention is device reputation technology. It works to prevent all types of fraud and abuse on the Internet, including account takeover, which occurs when your existing bank or credit card accounts are infiltrated and money is siphoned out. Iovation, the leader in device reputation, helps prevent new account fraud, which refers to financial identity theft in which the victim’s personal identifying information and good credit standing are used to create new accounts, which are then used to obtain products and services. Stolen Social Security numbers are often used to commit new account fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Security Benefits of EMV for Consumers

Major banks and retailers are now pushing very hard to make EMV the new standard in the United States. Visa announced plans “to accelerate the migration to contact chip and contactless EMV chip technology in the U.S. The adoption of dual-interface chip technology will help prepare the U.S. payment infrastructure for the arrival of Near Field Communication (NFC)-based mobile payments by building the necessary infrastructure to accept and process chip transactions.”

EMV, which stands for Europay, MasterCard and Visa, refers to the chip-and-PIN credit card technology commonly used in Europe and elsewhere around the world. Credit cards that incorporate an embedded microprocessor chip are far more secure than any other form of credit card currently available, including the standard magnetic striped cards that are all too easy to skim at ATMs and point-of-sale terminals.

Gemalto reports, “As the U.S. continues its implementation of EMV chip cards, it’s lucky to be able to look to other countries that have adopted the technology for best practices, lessons learned and future benefits. As a Gemalto employee based in the U.S., I’ve been eagerly watching to see how our neighbor to the north, Canada, is benefiting from their EMV chip implementation, which started in earnest in 2007.”

“EMV” refers to Europay, MasterCard, and Visa, three financial service corporations that collaborated to establish a global standard for secure, reliable, and consistent credit and debit card transactions. These cards are also called “chip and PIN” cards because they incorporate an embedded microprocessor chip and require a personal identification number for authentication.

JPMorgan Chase began issuing cards with embedded microprocessor chips last year in response to requests from cardholders who are frequent international travelers. And more major card issuers have followed suit by incorporating EMV technology. American Express has announced plans to release chip-based cards in the United States, as part of a “roadmap to advance EMV chip-based contact, contactless and mobile payment for all merchants, processors, and issuers.”

Not surprisingly, as the rest of the world has migrated to EMV chip technology, some fraud has shifted over to the United States because of the ease with which fraudsters can duplicate magnetic stripe cards. As a result, the U.S. has carried a disproportionate percentage of global fraud losses—until now. Through our adoption of EMV chips, we’re anticipating a reduction in fraud loss like in Canada, the UK and the 80 other countries in various phases of migration.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures

What Differentiates EMV Cards?

In the United States, our credit and debit cards still rely on outdated magnetic stripe technology. The magnetic stripe is the black or brown band on the back of your credit or debit card. The stripe stores data, such as your account number, via tiny, iron-based magnetic particles. When you swipe your card through a card reader, the device accesses the data stored on the magnetic stripe. A quick YouTube search yields numerous vendors offering to sell skimming devices, which can be used to steal data from credit cards as they are swiped in an ATM.

EMV, or chip and PIN cards, on the other hand, are far more secure. These so-called “smart cards” contain embedded microchips and are authenticated using personal identification numbers, or PINs. When a customer uses a smart card to make a purchase, the card is placed into a terminal or a modified card reader, which accesses the card’s microchip and verifies the card’s authenticity. The customer then enters a four digit PIN, which is verified against the PIN stored on the card.

EMV technology supports four cardholder verification methods: offline PIN, online PIN, signature, or no cardholder verification. This enhanced cardholder verification process is an additional security feature, ensuring that the person initiating a transaction is in fact the legal cardholder.

Meanwhile, the only way to verify a regular magstripe credit card is for a cashier to check a customer’s identification, but this occurs irregularly at best and may even promote a false sense of security. In card not present transactions, such as online purchases, the CVV or credit verification value is the primary verification method, but this number is visibly printed on the card itself, and is as easily stolen as an account number or PIN.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Banks Should Promote EMV

The old magnetic stripe technology currently used in credit and debit cards in the United States is inexpensive and readily available, making our cards highly vulnerable to fraud. It’s understandable then that credit and debit card fraud is Americans’ primary fear, with 68% of those surveyed describing themselves as extremely or very concerned about the security of their credit or debit card data and 66% as extremely or very concerned about identity theft.

Compare that to the 58% who are extremely or very concerned about terrorism and war, or 41% who fear the possibility of a serious health epidemic. If a health epidemic actually occurred, that would naturally take precedence over our financial concerns. But for now, we’re mostly worried about our money.

Credit card fraud comes in two different flavors: account takeover and new account fraud. Account takeover occurs when an identity thief gains access to your credit or debit card number through criminal hacking, dumpster diving, ATM skimming, or sometimes even when you hand it over to pay at a store or restaurant. Technically, account takeover is the most prevalent form of identity theft, though I’ve always been inclined to categorize it as simple credit card fraud.

EMV credit cards—or “chip and PIN” cards—are safer than the magnetic stripe cards still used in the U.S. According to the Smartcard Alliance, “[EMV] transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal using Static Data Authentication (SDA), Dynamic Data Authentication (DDA) or Combined DDA with application cryptogram generation (CDA). EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions.”

In simple terms, with EMV technology, users’ financial data is thoroughly scrambled. It makes sense, therefore, for smart, forward thinking banks to encourage EMV migration as soon as possible.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Travel Smart With EMV Technology

Frequent fliers accustomed to traveling internationally for business are helping drive demand for EMV cards within the United States. Business travelers who have found it increasingly difficult to use their magnetic stripe cards while abroad are now requesting that American banks provide EMV, or chip and PIN cards, which are used more commonly in Europe and around the world.

“EMV” refers to Europay, MasterCard, and Visa, three financial service corporations that collaborated to establish a global standard for secure, reliable, and consistent credit and debit card transactions. These cards are also called “chip and PIN” cards because they incorporate an embedded microprocessor chip and require a personal identification number for authentication. These security measures make chip and PIN cards far more secure than the magnetic stripe cards that are standard in the United States, since the magnetic stripes containing sensitive financial data are vulnerable to skimming at ATMs and point of sale terminals. In Europe, chip and PIN technology has significantly reduced the potential for fraud in transactions where the credit card is not physically present.

JPMorgan Chase began issuing cards with embedded microprocessor chips last year in response to requests from cardholders who are frequent international travelers. And more major card issuers have followed suit by incorporating EMV technology. American Express has announced plans to release chip-based cards in the United States, as part of a “roadmap to advance EMV chip-based contact, contactless and mobile payment for all merchants, processors, and issuers.”

Most of the EMV-based cards offered in the United States are chip-and-signature, rather than chip-and-PIN, due to differences in the way payments are processed. Nevertheless, these advances in card technology are a positive step, so thank you to business travelers for pushing banks to incorporate EMV technology and making overseas travel more convenient and more secure.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Security Snapshot: How Is EMV Safer?

To understand why EMV credit cards—or “chip and PIN” cards—are safer, first we must understand standard magnetic stripe cards. The familiar magnetic stripe, which can be seen on all credit cards carried in the United States, has been around for more than four decades.

The security technology behind the magnetic stripe has been compromised, since the availability of card reading and writing tools makes it easy to decipher the data stored on the magnetic stripe. Criminals use these tools to create skimming devices and other hacking methods.

EMV, on the other hand, is a relatively new technology with plenty of built-in encryption. According to the Smartcard Alliance, “[EMV] transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal using Static Data Authentication (SDA), Dynamic Data Authentication (DDA) or Combined DDA with application cryptogram generation (CDA). EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions.”

In simple terms, the data is thoroughly scrambled.
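A simplified model of the “dynamic cryptogram” and “unique transaction data” in the Smartcard Alliance quote above (also quoted in “Banks Should Promote EMV”), added here as an illustration and not taken from the original posts or the EMV specifications. HMAC-SHA256, the key, the card number and every class and function name are assumptions for the sketch; real EMV cards compute the cryptogram with issuer-derived keys and a block-cipher MAC.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def cryptogram(key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Stand-in for an EMV application cryptogram: a MAC over per-transaction data."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

@dataclass
class ChipCard:
    pan: str
    key: bytes          # secret held inside the chip, never sent to the terminal
    atc: int = 0        # application transaction counter, bumped on every use

    def pay(self, amount_cents: int, nonce: bytes) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": nonce, "ac": cryptogram(self.key, self.atc, amount_cents, nonce)}

@dataclass
class Issuer:
    card_keys: dict                       # PAN -> key shared with that card
    static_codes: dict                    # PAN -> static code stored on the stripe
    last_atc: dict = field(default_factory=dict)

    def verify_chip(self, req: dict) -> str:
        key = self.card_keys.get(req["pan"])
        if key is None:
            return "declined: unknown card"
        expected = cryptogram(key, req["atc"], req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["ac"]):
            return "declined: bad cryptogram"
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return "declined: counter already used"
        self.last_atc[req["pan"]] = req["atc"]
        return "approved"

    def verify_magstripe(self, track: dict) -> str:
        # Static data: nothing ties the stripe contents to one transaction.
        ok = self.static_codes.get(track["pan"]) == track["code"]
        return "approved" if ok else "declined: bad static code"

def demo() -> dict:
    pan, key = "4000000000000002", bytes(range(16))   # constructed test values
    issuer = Issuer({pan: key}, {pan: "123"})
    card = ChipCard(pan, key)
    first = card.pay(2500, secrets.token_bytes(4))
    captured = dict(first)                            # identical copy of the message
    altered = dict(first, amount=990000)              # same cryptogram, new amount
    stripe = {"pan": pan, "code": "123"}
    return {
        "chip_first": issuer.verify_chip(first),
        "chip_replay": issuer.verify_chip(captured),
        "chip_altered": issuer.verify_chip(altered),
        "chip_next": issuer.verify_chip(card.pay(1200, secrets.token_bytes(4))),
        "stripe_first": issuer.verify_magstripe(stripe),
        "stripe_copy": issuer.verify_magstripe(dict(stripe)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The chip message is accepted once; an identical copy and a copy with a changed amount are both declined, while the copied stripe data is accepted every time it is presented.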

The cardholder verification process is another factor enhancing EMV card security, by ensuring that the person attempting to make the transaction is, in fact, the legal cardholder. EMV supports four cardholder verification methods: offline PIN, online PIN, signature, or no cardholder verification. With a regular magstripe credit card, the only possible verification option is to check the ID of the person presenting the card, which cashiers only sometimes do and which may even create a false sense of security. The primary verification method for online purchases is to request the CVV or credit verification value, which is visibly printed right on the card itself.

So get ready, because “chip and PIN” is coming, and it’s more secure than the cards in your wallet, not to mention the most ubiquitous card outside the United States.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

How EMV Impacts International Travel

In the United States, credit and debit cards rely on magnetic stripe technology. The magnetic stripe is the black, brown, gold, or silver band on the back of your credit or debit card. Tiny, iron-based magnetic particles in this band store your account number. When the card is swiped through a “reader,” the data stored on the magnetic stripe is accessed. Card readers and magnetic stripe technology are inexpensive, readily available and vulnerable to fraud.

The other, more secure type of credit card is called “EMV,” which stands for Europay, MasterCard, and Visa. According to the Smartcard Alliance, “EMV is an open-standard set of specifications for smart card payments and acceptance devices. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards.”

If you have plans to travel internationally this summer, you may have problems using your U.S. magnetic stripe card abroad, as many other countries, particularly in Europe, have made the EMV card the new standard.

The Smartcard Alliance explains:

“U.S. travelers are reporting troubles using their magnetic stripe cards while traveling. Aite Group has estimated that 9.7 million U.S. cardholders experienced magnetic stripe card acceptance issues when they traveled internationally in 2008, costing banks $447 million in lost revenue. The most common areas where travelers may face issues are at unmanned kiosks for tickets, gasoline, tolls and/or parking, and in rural areas where shop owners do not know how to accept magnetic stripe cards.”

To avoid payment problems, follow these steps:

  • Ask your bank if they offer an EMV card. Most major banks do, including Bank of America, Chase, Citibank, U.S. Bank, and Wells Fargo.
  • Pay in cash.
  • Don’t expect your debit cards to work at payment terminals. Yes, your debit card requires a PIN, but that doesn’t make it an EMV card. You should be able to use your debit card to get cash from ATMs.
  • Inform your bank you will be traveling, otherwise they may flag your card for fraud.
  • Visit GetFluentC.com to share your story and learn more.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Which Will Make a Bigger Splash in 2012, Mobile Wallet or EMV?

During the latter half of the past decade, a heated battle has been fought around the world to determine which payment method will take center stage in the coming years. Many believe mobile payment will leapfrog what is known as EMV, which stands for Euro MC/Visa, or chip and PIN credit card technology, and that soon enough chip and PIN technology will go the way of the magnetic striped credit card.

Certainly, there are many major companies that have wagered heavily on the presumed success of their chosen technology, and these companies have a vested interest in the failure of their rivals. Personally, I think there is more than enough room for both Mobile Wallet and EMV.

Google recently introduced Google Wallet, a mobile app that turns your phone into a wallet by securely storing your credit cards on your phone, as well as promotional offers. When you make a purchase from a brick-and-mortar store that accepts Google Wallet, you can pay and redeem offers quickly by simply tapping your phone at the point of sale.

Google Wallet facilitates online shopping by securely storing your credit cards for use on the Internet as well. Paying is quick, easy, and safe when you make a purchase from an online merchant that accepts Google Wallet.

Meanwhile, Visa has announced plans to “accelerate the migration to EMV contact and contactless chip technology in the United States.” The company intends to encourage investments in infrastructure necessary to accept and process both new forms of payment technology. Jim McCarthy, Visa’s global head of product, explains, “We will speed up the adoption of mobile payments as well as improve international interoperability and security. As NFC mobile payments and other chip-based emerging technologies are poised to take off in the coming years, we are taking steps today to create a commercial framework that will support growth opportunities and create value for all participants in the payment chain.”

The fact that Visa has opted to recognize and support the development of both mobile payment and EMV affirms the likelihood of both technologies’ success.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures