EMV: Why the US migration didn't happen sooner

Written by Natalie Gagliordi, Contributor

In a little less than six months, the US will migrate to the global EMV standard for accepting chip cards.

Short for Europay, MasterCard and Visa, EMV is a secure payment standard that reduces fraud in face-to-face, card-present environments via the use of chip-embedded payment cards. The standard was first developed in 1994 and became widely available in the early 2000s. Today, most countries around the world use it as an alternative to fraud-prone magnetic stripe cards.

Generally speaking, merchants and consumers understand key bits of information surrounding EMV migration -- like why it's being done (to reduce fraud) and when it's happening (October 1, 2015).

But there are some interesting misconceptions that seem to crop up in every EMV discussion. Here are two that tend to stick out:

The US is late to the EMV table

There's a lot of criticism when it comes to the timing of EMV migration in the US, with detractors often calling the US "backwards" and "behind" the rest of the world.

Indeed, the US is the last major economy to make the shift to EMV standards. US consumers still use swipe-and-sign credit cards that rely on a magnetic stripe, while countries such as Australia, Brazil, and most of Europe have been using EMV chip cards for years.

But there's a very simple reason as to why the US didn't make the EMV switch in conjunction with other global economies: It didn't need to.

European countries needed chip cards because their telecommunications infrastructures were significantly behind those built in the US. In turn, it became costly and problematic to verify a card purchase with the use of a phone line and a POS terminal.

So merchants would often fall back on batch processing, where card transactions are stored in a POS terminal and sent to the issuer in large groups for verification. This, of course, gave criminals ample time to commit fraud at the POS level.

A PIN matched to a chip on a card, or an offline PIN, was found to solve the problem.

Conversely, US telco networks were available 24 hours a day, seven days a week and could handle massive scale, making the card approval process fairly cheap, easy and reliable -- thereby lessening the need to batch process card transactions.

Therefore, the US did fine without adding PINs to cards.

And then there are the issues of cost and size.

"You have to remember that even with all the breach news of the last 18 months, we still measure card-present fraud -- which is what EMV addresses -- in basis points, meaning pennies per $100 spent," explained James Wester, research director for IDC Financial Insights. "And that's with the current magstripe. When fraud does occur, consumers have near-zero liability and the cost to replace the cards is a couple of pennies. EMV cards are an order of five to 10 times that cost."

What's more, the US market for electronic payments is massive compared to other countries. The US will do an estimated 100 billion transactions this year, Wester said, while all European countries combined will do roughly half that.

"Put the fact that we're doing pretty well on infrastructure and fraud together with the costs to switch and you have a much different cost/benefit analysis than the rest of the world," Wester added. "So we're not behind so much as we're just very different."

EMV is not a panacea for fraud

The migration to EMV standards will in no way eradicate fraud altogether. EMV addresses the problem of cloned cards in an offline setting; in other words, card counterfeiting.

EMV cards store cardholder data in an embedded smart chip, which makes forgery far more difficult compared to cards with magnetic stripes. But even with EMV, cardholder data is still potentially exposed and exploitable via fraud or malware on the POS. Furthermore, EMV does nothing to address online fraud in ecommerce situations.

Merchants will need to put in place additional security measures to address more instances of fraud, namely encryption and tokenization.

Encryption protects data at rest within databases, like when a merchant stores it in a POS. With encrypted data, even if a hacker compromises a system, they will only find an encrypted block of data that is tremendously more difficult to use.

With tokenization, data is protected in motion during a transaction. So when card data is sent to the processor for verification, it is sent as a unique token, making the data unusable by anyone other than the merchant and the cardholder.

However, even with all of those solutions working in concert, hackers and fraudsters are adaptable, clever and cunning -- requiring the entire financial industry, merchants and consumers to be constantly on guard and using the most up-to-date best practices.

"Consumers need to be aware that as their lives become a collection of data points in a big data view of the world, no one technology will protect them," Wester continued. "Implementing EMV at the point of sale is great, but if merchants think that absolves them of any more responsibility in protecting data, the result will be ongoing, large-scale data breaches -- and not necessarily of payment information."
