EMV effectiveness driven by implementation quality

Following 2014’s high-profile data breaches, U.S. payment card network participants began heavily endorsing Europay, MasterCard, and Visa—EMV—chip cards as an important way to prevent damage from payment card breaches. However, a Gartner analyst found that criminals have taken advantage of poor implementations of EMV chip payment applications, committing extensive fraud that defeats EMV controls for everyone in the payment card ecosystem.

“Avoid Pitfalls with Payment Card Security Technologies and PCI,” a research note by Avivah Litan, vice-president and distinguished analyst at Gartner, points out some of the hidden problems with payment card security technologies and the payment card industry. By year-end 2015, at least 5% of card issuers will suffer fraud on EMV cards due to improper implementations, up from a handful today.

“EMV chip cards, already adopted in the rest of the world, have proven to dramatically reduce counterfeit card fraud because they are significantly harder to clone than magnetic stripe cards, which are still used throughout the United States,” Litan writes. “Nevertheless, the adoption of EMV is relatively slow and as a result, payment card network participants must prepare for at least five more years of support for EMV chip as well as magstripe protocols on a single payment card.”

Litan added: “Card data breaches have pushed U.S. banks, card networks, mega-retailers, and other payment card acceptors into more aggressively adopting two further key security technologies in addition to EMV cards—tokenization and point-to-point encryption.”

While the three security technologies have been around for years, the breaches created greater interest and spurred aggressive adoption timetables, according to Litan. This urgency has exposed some weaknesses.

“This calls out the need for all players in the payment ecosystem to work together on open security standards, streamlined certification processes, and shared education on best implementation practices,” Litan said.

“EMV tokens, as first implemented by Apple Pay and the payment card networks, are based on different protocols than the tokenization systems merchants use to limit the scope of PCI audits, leading to potentially conflicting token implementations,” Litan said. “Merchants who use their own tokenization system, and also accept Apple Pay or other EMV token payments, will end up with multiple tokens for one card number, defeating a major reason why many merchants adopted tokenization in the first place.”

Regarding point-to-point encryption Litan said that it can usually be turned on within three months if the solution uses remote key injection and management.

“Physically injecting keys into each card reader in a safe room under its own lock and key obviously takes much longer. Once deployed, P2PE can help protect all card transactions against data breaches. Retailers we regularly speak with say they will turn on EMV acceptance ‘later’,” said Litan. “They rightfully view EMV as mainly helping the card brands and issuers, although when EMV becomes ubiquitous it will help everyone.”