Target, Wal-Mart On EMV: The Metric System Of Payment

EMV may become the metric system of payment, a process that almost everyone in the world adopts, with the U.S. stubbornly refusing. In a panel discussion on Wednesday (April 27), Target and Wal-Mart agreed that EMV Chip-and-PIN is an extremely desirable way to go. But hardly anyone has a concrete plan for making it happen in the U.S.—in a meaningful way—anytime soon. Still, both chains were certain of one thing: If magstripes could magically be made to go away tomorrow, the retail world would be a happier place.

"If we can envision a world where magstripe doesn't exist, Chip-and-PIN would virtually eliminate all counterfeit, lost and stolen fraud as well as almost 99 percent of PCI costs," said Mike Cook, Wal-Mart's VP and assistant treasurer. "So you no longer have to have your database encrypted. You no longer need to have the secure lines. You're no longer storing data that could be used by somebody else. The PCI costs become significant cost savings."

Panelists agreed that dynamic data is the key, suggesting that static data authentication (SDA) is inherently inferior to today's dynamic data authentication (DDA) chips.

"We should stop wasting money propping up and trying to secure the existing fraud-prone magstripe and signature system that exists in the U.S. today and move to two-factor authentication," Cook said, stressing what he did not want one of those factors to be. "I don't think there's anyone in this room who would believe that signature is an appropriate form of authentication. We haven't hired a handwriting expert at Wal-Mart in years."

Target's Marc Black, the chain's guest data security director, was asked what it would take before Target would start purchasing EMV-friendly POS units. "Part of that investment decision will be how terminal manufacturers incorporate smartcard readers in their products. We need a firm roadmap, so we can guide our investment. This is not the only new payment technology out there," he said, referring to near field communication (NFC), among others.

Wal-Mart's Cook added that retailers should also refrain from trying to cheap-out on the chip costs too much. "The PIN must be encrypted between the device and the card itself. That means we'll need slightly more costly chips to accept that encryption," he said. "We'll also need offline PIN authentication, so that whenever it is sent up for authorization—through our host, out to the acquirer—the validation of the PIN takes place at the point of sale, not that we have to transmit that PIN and expose it anywhere along the line, even if it is encrypted. Also, two-factor authentication."