EMV Is Simply Not Worth The Effort. Not Even A Little
Trinette Huber is the manager of Information Privacy and Security at Sinclair Oil, a $7 billion oil and gasoline company with 2,700 gas stations and convenience stores.
In the months since Visa this summer said it was reversing itself and embracing EMV for the U.S., we have had a few weeks for this to settle in and to listen to a few Webinars and experts. My considered reaction is now: "What?! Why are we buying this?"
Visa wants retailers to spend thousands of dollars and what do we get? EMV is not good enough. We want EMV 2.0. We want something better. This is old technology, being painted and plastered with lipstick and rouge to look like better security. If this is the answer that retailers, consumers and banks have been demanding for better credit-card security, I again say, "not good enough." This is asking retailers to once again upgrade their point-of-sale equipment to something that is already obsolete; it is just a step along the way to the technology we really want to see: secure payment transactions, more mobile payments and trusted service providers.
For the last five years, I've been advising, cajoling, arguing and sometimes arm-twisting when it comes to PCI compliance for our distributors and c-store operators. We've been waiting for technology that protects credit-card data. Stop coming back to the trough to get retailers to pay for something that doesn't remove PCI compliance requirements and protect online transactions.
EMV—generally deployed as Chip-and-PIN—is being sold to retailers as a way for banks to authenticate that a card is legit and, if a PIN is used, that the consumer is legit. The idea is no more counterfeit cards and no more friendly fraud when everyone finally migrates to the same platform. Sounds good?
And, just so you understand the value proposition, Visa is willing to waive your requirement to report to it your PCI compliance status if you've upgraded at least 75 percent of your point-of-sale equipment to accept Chip-and-PIN. Imagine the response I'll hear from our c-stores.
"Great! No more PCI compliance? This means I spend money to upgrade all of my point-of-sale equipment—about $20,000 for an average c-store—and I can offset that expense by not having the fear of a breach or the cost of compliance?"
Ah, no. Chip-and-PIN doesn't eliminate your requirement to be PCI compliant. You still have to do that. If we adopt Europe's old technology, the card data will still pass in the clear. You still need to spend all of that money securing your point-of-sale systems, auditing your network and reporting on your compliance status. Well, maybe not reporting to Visa—if you meet its requirements—but there's still MasterCard, American Express and Discover.

However, Visa is going to assign you the liability for any fraud traced back to your retail location if you don't upgrade your equipment. This would be in addition to the chargebacks you already have to deal with. Starting to see why this pretty nifty plan is just lipstick and rouge?
"Please tell me this will at least reduce my risk for being breached because somehow malicious software got onto my point-of-sale?"
I've heard people say this, but no, sorry: until your customers stop paying with cards that have a magstripe, you've still got the same risk. And, if PCI adoption rates are any indication of how long that is going to take, you're going to be waiting a few years. Of course, it would help if consumers started using PINs with their credit cards. But I don't really see that happening. You're asking every U.S. consumer who hasn't bothered to learn a PIN when using their credit card for the last 20 years to start memorizing a PIN?
"Why am I doing this? Why am I spending thousands of dollars—again—to upgrade my point-of-sale equipment when I still have to be PCI compliant and I still have to worry about breaches and the fraud I see doesn't come close to covering this cost?"
I'd like to say "lack of imagination" or "no one is really demanding something better." Big retailers who have businesses all over the world really like the idea of reducing their fraud. But I bet they'd like the idea of reducing PCI compliance costs and having safe online transactions, too.
There are also consumers. Consumers who travel to Canada and Europe—or come here from there—really like being able to pay for things without having their cards rejected. But I bet they'd also like safe transactions online and not having to worry about having their magstripe data being skimmed.
"But I just spent thousands of dollars upgrading my point-of-sale and my network security! I upgraded my gas pumps so I could accept TDES PINs! Now, I have to upgrade my pumps so I can accept Chip-and-PIN? And after that, what? I'll need to upgrade my pumps again so I can accept mobile payments?!!"
Yep. Like I said, lipstick and rouge. You get to upgrade all of your equipment with old technology that doesn't even encrypt credit-card numbers. Hey, it doesn't protect you online, either. Yes, in the U.S., where online shopping on Black Friday surpassed brick-and-mortar sales, we are going to adopt a technology that does nothing to improve the security of credit cards online. Speaking as a consumer now, this old technology has already proven to be susceptible to man-in-the-middle attacks, which is security-speak for stealing your PIN. As a consumer, this makes me more nervous than having to remember my PIN, because now it's going to be just that much harder to protest that those are not my charges and that I don't even live in Estonia.
"Is there any reason we can't just have technology that secures the card data, removes my costs for data security compliance and protects consumers online?"
Actually, no, there is no reason. The chip in the card is probably capable of fully encrypting card data; in fact, it's probably capable of doing away with card numbers altogether and using the concept of certificates, like computers. It's probably also capable of knowing the difference between normal EMV and better, encrypted, U.S. EMV 2.0 technology. And, if it doesn't, we are starting to see solutions from other companies such as iTunes, Google and PayPal that are coming up with ways to protect credit-card data through the use of smartphone apps and online wallets. Mobile payments are just waiting for the spark that starts everyone using their phone to pay for purchases.
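To make concrete what "the card data will still pass in the clear" (above, in the PCI discussion) and "doing away with card numbers altogether" mean in practice, here is an added Python example. It is mine, not code from the column's author, Visa, EMVCo or any payment network. It decodes a constructed chip-style authorization record using the real EMV tag numbers for the Application PAN (5A), Track 2 Equivalent Data (57), expiration date (5F24), transaction counter (9F36) and Application Cryptogram (9F26), lists which fields are readable by every system on the path, and then shows a surrogate-token substitution of the kind the column is asking for. The PAN is the standard test number 4111111111111111, the ARQC stand-in is an HMAC rather than a real issuer-keyed MAC, and the `TokenVault` class is an illustration of tokenization, not any scheme's actual format.

```python
"""Added example: why a chip transaction still leaves the PAN in PCI scope.

All data here is constructed. The point it demonstrates: the cryptogram
proves the card was present, but it does not hide the card number."""
import hashlib
import hmac
import secrets

# Real EMV tag numbers; the values attached to them below are constructed.
TAG_NAMES = {
    "5A": "Application PAN",
    "57": "Track 2 Equivalent Data",
    "5F24": "Application Expiration Date",
    "9F26": "Application Cryptogram (ARQC)",
    "9F36": "Application Transaction Counter",
}
CLEARTEXT_CARDHOLDER_TAGS = ("5A", "57", "5F24")
TEST_PAN = "4111111111111111"  # well-known test PAN, not a live card


def bcd(digits: str) -> bytes:
    """Pack a digit/hex string the way EMV does, padding odd length with 'F'."""
    if len(digits) % 2:
        digits += "F"
    return bytes.fromhex(digits)


def build_tlv(fields: dict) -> bytes:
    """Encode {tag_hex: value_bytes} as short-form BER-TLV (lengths < 128)."""
    out = b""
    for tag_hex, value in fields.items():
        out += bytes.fromhex(tag_hex) + bytes([len(value)]) + value
    return out


def parse_tlv(data: bytes) -> dict:
    """Decode short-form BER-TLV with one- or two-byte tags into {tag_hex: value}."""
    out, i = {}, 0
    while i < len(data):
        tag = data[i:i + 1]
        i += 1
        if tag[0] & 0x1F == 0x1F:  # multi-byte tag: more bytes follow while bit 8 is set
            while True:
                tag += data[i:i + 1]
                i += 1
                if data[i - 1] & 0x80 == 0:
                    break
        length = data[i]
        i += 1
        if length & 0x80:
            raise ValueError("long-form length not supported in this example")
        out[tag.hex().upper()] = data[i:i + length]
        i += length
    return out


def cleartext_cardholder_data(record: bytes) -> dict:
    """Return the cardholder fields anyone on the path can read without a key."""
    fields = parse_tlv(record)
    return {TAG_NAMES[t]: fields[t].hex().upper().rstrip("F")
            for t in CLEARTEXT_CARDHOLDER_TAGS if t in fields}


def make_sample_record(issuer_key: bytes = b"constructed-issuer-key") -> bytes:
    """Constructed chip authorization record. The ARQC stand-in is an HMAC over
    the other fields; like a real cryptogram it authenticates, it encrypts nothing."""
    body = {
        "5A": bcd(TEST_PAN),
        "57": bcd(TEST_PAN + "D251220100000000"),  # PAN, 'D', YYMM, service code, discretionary
        "5F24": bcd("251231"),
        "9F36": bytes.fromhex("0042"),
    }
    body["9F26"] = hmac.new(issuer_key, build_tlv(body), hashlib.sha256).digest()[:8]
    return build_tlv(body)


class TokenVault:
    """Constructed surrogate scheme: the merchant keeps a token, the vault keeps the PAN."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, record: bytes) -> bytes:
        fields = parse_tlv(record)
        pan = fields["5A"].hex().upper().rstrip("F")
        # 16-digit surrogate: fixed leading '9', random body, last four kept for receipts
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(11)) + pan[-4:]
        self._by_token[token] = pan
        fields["5A"] = bcd(token)
        fields.pop("57", None)  # track-2 data repeats the PAN, so it cannot stay
        return build_tlv(fields)

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


if __name__ == "__main__":
    rec = make_sample_record()
    print("readable by the merchant, its processor and anyone in between:")
    for name, value in cleartext_cardholder_data(rec).items():
        print(f"  {name}: {value}")
    print("after surrogate substitution:", cleartext_cardholder_data(TokenVault().tokenize(rec)))
```

Run as a script it prints the PAN, track-2 data and expiry straight out of the record, which is exactly the data PCI DSS is there to protect; the cryptogram survives tokenization untouched because it never depended on secrecy of the fields. Substituting a surrogate (or, equivalently, encrypting the PAN at the reader under a key the merchant does not hold) is what actually shrinks the merchant's compliance scope, and the chip's presence on the card does neither on its own.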
U.S. merchants don't want old technology. U.S. merchants want the next generation of EMV. We want a technology that protects the card number. The U.S. is a clean slate. Where is EMV 2.0? Give us the next-generation approach.
Merchants have spent the last five years spending money to protect the credit-card companies' even older technology—the magstripe. Now we're being told to spend even more money on an inadequate technology that doesn't address these same problems. This must stop. Give merchants a solution that fixes the data security of the cards. Give merchants a solution that eliminates PCI and addresses online fraud.
EMV is old, costly and inadequate. Visa needs to stop dressing this up as a fraud technology for consumers, merchants and banks. Visa, stop pretending this lipstick addresses the data security problem.
What do you think? Have I overstated the case? Please E-mail me at email@example.com and let me know.