Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

EMV transition will still leave security gaps

Maria Korolov | Sept. 9, 2015
This October, US merchants and payment providers are scheduled to switch to new, more secure, chip-based payments.

And it's not just the magnetic stripes that will continue to be supported during the transition period -- so will signatures.

While Europe and other geographics have mostly switched over to chip-and-pin, the US is first moving to chip-and-signatures, since many customers don't have or don't know the PIN number for their credit cards.

"It is still going to be more secure than magstripe-initiated transactions, but does still leave some aspects of vulnerability compared to chip-and-pin," said Wild.

Misplaced loyalties

To really protect themselves from payments-related liability, merchants need to ensure that they never touch any payment data or personally identifiable information at all. This is typically done through a combination of encryption and tokenization.

This is one of the issues that posed the biggest challenges to Elavon, an Atlanta payments provider.

"Traditionally, for a lot of our customers, having information that identifies who their customers are is important," said Lori Haakmeester, Elavon's senior vice president of product innovation. "And now we're saying, don't keep that information, don't transmit that information, keep yourself as protected as possible."

Merchants want to have a relationship with their customer, she said.

"It has really highlighted some of the things about their infrastructure that today nobody wants to have an issue with," she said. "That has posed some challenges."

This is one of the reasons that the migration might take longer than expected, she added.

"October is going to come, but a lot of the work that's going to happen to get everyone fully up and running will continue after that," she said.

"If I go into a shop and pay for something, that moment should not be used to personalize my experience," said Malte Pollmann, CEO at payments vendor Utimaco GmbH. "It is different if there is a second card, a loyalty card, to track some of that data."

Merchants who issue their own credit cards and use them both for payments and to track customers purchase histories should separate them out, he suggested.

"There is no safe way to combine both," he said.

Online migration

Since crooks will now have a much harder time with physical point of sale attacks, they're likely to switch their focus to online transactions.

And this has, in fact, happened in other countries when they migrated from magnetic stripes to chip cards.

In Canada for example, which made the switch in 2008, annual counterfeit card fraud dropped by CA $134 million by 2013 -- while card-not-present fraud actually increased by CA $171 million during the same time period, according to the Aite Group.

Aite predicts that card-not-present fraud, which includes online and phone-based purchases, will double in the U.S. by 2018.


Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.