Spurred by a spate of data breach headlines, the U.S. is moving to new chip-based smart credit cards and an EMV (EuroPay, MasterCard and Visa) system to increase the security of credit card transactions.
Most U.S. credit card transactions today consist of a swipe-and-signature process. When a credit card is swiped through a point-of-sale (POS) terminal, the magnetic stripe containing the primary account number (PAN) is read, and a signature is recorded to authenticate the transaction.
In the Target and Home Depot breaches, 40 million and 56 million credit card numbers, respectively, were stolen by criminals who were able to access the merchants’ networks and install malware on the POS terminals to record each PAN after a card was swiped.
The EMV system is designed to prevent this type of fraud at the terminal by requiring smartcards containing metallic, counterfeit-resistant chips that generate a unique code per transaction. Non-U.S. countries have standardized on chip-and-PIN (personal identification number) transactions that virtually eliminate losses due to physically lost or stolen credit cards. However, the U.S. has opted for chip-and-signature transactions to address the greater risk of fraud due to counterfeit cards.
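The difference between static stripe data and a chip's per-transaction code can be modeled as follows; this is an added illustration, not code from this column or from the EMV specifications. It assumes a key shared by card and issuer, a strictly increasing transaction counter, and HMAC-SHA256 as a stand-in for the card's actual cryptogram algorithm; all names and values are constructed.

```python
import hashlib
import hmac

def transaction_code(card_key, atc, amount_cents, nonce):
    # HMAC-SHA256 is a stand-in (assumption) for the card's real cryptogram.
    data = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0

    def pay(self, amount_cents, nonce):
        self.atc += 1  # per-card transaction counter, never reused
        code = transaction_code(self.key, self.atc, amount_cents, nonce)
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": nonce, "code": code}

class Issuer:
    def __init__(self, keys):
        self.keys, self.last_atc = keys, {}

    def approve_swipe(self, pan):
        # Magnetic-stripe data is static: a copy looks identical to the original.
        return pan in self.keys

    def approve_chip(self, msg):
        key = self.keys.get(msg["pan"])
        if key is None or msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return False  # unknown card, or a counter value already seen
        expected = transaction_code(key, msg["atc"], msg["amount"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["code"]):
            return False  # code does not match these transaction details
        self.last_atc[msg["pan"]] = msg["atc"]
        return True

def demo():
    pan, key = "4000000000000002", b"constructed-demo-key"  # constructed values
    card, issuer = ChipCard(pan, key), Issuer({pan: key})
    captured = card.pay(2599, b"\x01\x02\x03\x04")  # what POS malware could record
    first = issuer.approve_chip(captured)
    replayed = issuer.approve_chip(captured)
    altered = dict(card.pay(2599, b"\x05\x06\x07\x08"), amount=99999)
    tampered = issuer.approve_chip(altered)
    return first, replayed, tampered, issuer.approve_swipe(captured["pan"])

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, False, True)`: the genuine chip transaction is approved, the recorded copy and the altered amount are declined, and the copied PAN alone still passes the swipe check.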
While the EMV standard reduces fraud in card-present (CP) transactions, it doesn’t address fraud from card-not-present (CNP) transactions, such as fax, mail, online and phone orders. Existing controls include the card verification value (CVV) — the three-digit number on the back of your credit card — that must be supplied during the transaction, and systems that examine CNP orders for fraud indicators, such as a first-time shopper using a brand-new credit card to place a very large order that requests overnight shipping. If these three indicators exist in a single order, a confirmation call to the cardholder may be required before it is processed.
Consumers can expect to encounter some bumps in the road as merchants make the transition to EMV and train their staff. The EMV system is not foolproof, but smartcards are more secure than the legacy magnetic-stripe types, so this is a positive step.
Credit card companies require merchants to enable their POS systems to work with the EMV smartcards by Oct. 1. Those who fail to do so will be liable for fraud activity, a huge incentive to get this done before the deadline.
———
Vincent Hoang is an enterprise architect at Hawaiian Telcom, a Certified Information Systems Security Professional, GIAC Systems and Network Auditor and Cisco Certified Network Professional. Reach him at vincent.hoang@hawaiiantel.com.