The technology underpinning credit card transactions has advanced by leaps and bounds in the decades since Frank McNamara and his Diners Club imprint facilitated their industry-wide breakthrough in 1950. Considering their origins in the 1920 as metal-plated “courtesy cards” or “charge plates,” issued by major U.S. oil companies and department stores – as documented by Encyclopaedia Britannica – today’s magnetic stripe- and chip-based credit and debit cards are practically the apotheosis of personal financial security.
However, the plastic charge and credit cards that fill the wallets of about 72 percent of Americans, per survey data collected in 2014 by the Federal Reserve Bank of Boston, are in fact far from invulnerable. The Boston Fed’s findings noted that of the 13.1 percent of consumers who experienced card theft, fraud or loss that year, 5 percent had their credit cards compromised and 3.5 percent suffered such an incident affecting their debit cards. Additionally, about 18 percent of surveyed consumers experienced identity theft and another 20 percent said it had happened to someone they know well.
Many of these instances can be attributed to credit cards that do not include the latest Europay, MasterCard and Visa (EMV) microchip technology which is considerably more secure than magnetic stripe-based credit and debit cards. Although gaining in popularity, the wider implementation of chip technology has yet to constitute a cure-all, as payment card fraud remains a considerable hazard. It will behoove students looking to join the information security field by enrolling in a graduate-level cybersecurity degree program to understand the full complement of issues affecting the security of credit and debit cards.
The evolution of EMV
In an interview with the Information Security Media Group, former Europay International executive Philip Andrae explained that EMV technology was in the conceptual and planning stages as early as 1993, more than a decade before the chips would be introduced into European credit cards. Nevertheless, chip-based credit and debit cards – originally called “smart cards,” now most typically known as either chip cards or chip-and-PIN cards – were not brought into the U.S. and Canadian markets for almost 10 years after their debut on the other side of the Atlantic.
October 2016 marked a watershed moment in the emergence of EMV. According to Square, after the first of that month, fraudulent transactions from EMV cards at businesses that were not yet set up to handle EMV payments – thus requiring a swipe – became the responsibility of those companies to repay. This “liability shift,” an effort by payments industry leaders spearheading the EMV transition, dramatically accelerated the pace of adoption. As of June 2016, Visa stated that 326 million of its chip cards were in circulation throughout the U.S.
Questions of chip security
Chip cards are more secure than magnetic-stripe cards, simply because a microchip’s complexity far exceeds the physics behind magnetism-based processes. As noted by Square, chips in today’s EMV cards immediately encrypt transaction data before transmitting it to a card reader. A magnetic stripe simply transmits the data required to complete a sale, and if the reader is compromised, that information heads straight to the malefactor who has hacked it. The same principle would apply to ATMs exploited by cybercriminals.
While magnetic stripes aren’t primarily used with chip cards, they’re still present, as they’re necessary to use at merchants that haven’t upgraded to EMV point-of-sale kiosks. And the stripe is still detected by chip-card terminals. According to CNN Money, strips on EMV cards are designed to instruct the machine to draw data from the chip, but if the strip’s code is infiltrated and altered, the POS system might take the transaction from the stripe – at which point the card can be hacked.
EMV proponents state that their various safeguards would eventually detect something wrong with the data from that sale, so that the consumer would ultimately be protected. Nevertheless, CNN reported that retail industry advocates like the National Retail Federation remain dubious.
Patrick Watson, a researcher employed by the payment tech firm NCR, who discovered this flaw in August 2016, simply told CNN, “There’s a common misconception that EMV solves everything. It doesn’t.”
Avoiding fraud in uncertain times
Identity theft and card fraud won’t ever completely disappear. And as recently as 2016, 15.4 million Americans fell prey to these crimes, according to a study conducted by Javelin Strategy and Research – a 16 percent increase over the previous year. Card-not-present (CNP) fraud, in which a consumer’s card numbers and security code are stolen rather than his or her stripe or chip being compromised, constituted a significant portion of that increase. EMV technology is undoubtedly secure and represents a real leap forward for the payments sector and all consumers, but it can’t protect anyone from CNP fraud simply due to the methodology involved.
It’s clear, then, that there’s a great need for cyber security professionals to work diligently on devising new encryption algorithms and techniques, as well as other methods of improving payment security. Maryville University’s Master’s in Cyber Security program, strives to prepare students for a career in cyber security where they can help mitigate the hazards affecting millions of consumers in the U.S. and worldwide.