Payment Security: Are EMV Cards Safe?

Consumers across the country use credit cards every day, but even with technological developments in card security, a user’s confidential financial data can still be compromised. One of the answers to this threat is Europay, Mastercard, and Visa (EMV) microchip technology. Certain credit and debit cards now contain a visible chip that helps further secure a customer’s financial information beyond the magnetic stripe on these cards.

Although gaining in popularity in the United States, the wider implementation of the chip has yet to constitute a cure-all, as payment card fraud remains a considerable hazard even with this new technology, leading some to wonder, “Are EMV cards safe?” Because of the increased adoption of and struggles with EMV technology, there will be an increased demand for cybersecurity professionals to help keep these cards — and the financial data they hold — safe. Individuals who want to join the burgeoning information security field can enroll in a graduate-level cybersecurity degree program to learn about the issues affecting the security of credit and debit cards. The technology underpinning credit card transactions has advanced by leaps and bounds in the decades since Frank McNamara and his Diners Club imprint facilitated their industry-wide breakthrough in 1950. Considering their origins in the 1920s as metal-plated “courtesy cards” and “charge plates,” issued by major U.S. oil companies and department stores — as documented by Encyclopedia Britannica — today’s magnetic stripe- and chip-based credit and debit cards are practically the apotheosis of personal financial security.

However, the plastic credits cards that are linked to 374 million accounts in the U.S. alone, per survey data released by the American Bankers Association in 2019, are far from invulnerable. The Federal Reserve Bank of Boston additionally noted in a separate finding that of the 13.1% of consumers who had experienced card theft, fraud, or loss that year, 5% had their credit cards compromised, and 3.5% suffered such an incident affecting their debit cards. Another 18% of surveyed consumers had experienced identity theft, while 20% said it had happened to someone they knew well.

In an interview with Information Security Media Group, former Europay International executive Philip Andrae explained that EMV technology was in the conceptual and planning stages as early as 1993 — more than a decade before the chips were introduced into European credit cards. Nevertheless, chip-based credit and debit cards — originally called “smart cards” but now more commonly known as chip cards or chip-and-PIN cards — were not brought into the U.S. and Canadian markets for almost 10 years after their debut on the other side of the Atlantic. This delay has likely made some Americans and Canadians wonder whether EMV cards are safe.

October 2016 marked a watershed moment in the emergence of EMV technology. According to Square, after the first of that month, fraudulent EMV card transactions at businesses that were not yet set up to handle EMV payments — thus requiring the card holder to swipe — became the responsibility of those companies. This “liability shift,” an effort by payments industry leaders spearheading the EMV transition, dramatically accelerated the pace of adoption. As of June 2019, Visa stated that 521 million of its chip cards were in circulation throughout the U.S.

Chip cards are more secure than magnetic-stripe cards, simply because a microchip’s complexity far exceeds the physics behind magnetism-based processes. As noted by Square, chips in today’s EMV cards immediately encrypt transaction data before transmitting it to a card reader. A magnetic stripe simply transmits the data required to complete a sale, and if the reader is compromised, that information heads straight to the malefactor who has hacked it. The same principle would apply to ATMs exploited by cybercriminals.

Chip cards are more secure than magnetic-stripe cards, simply because a microchip’s complexity far exceeds the physics behind magnetism-based processes. As noted by Square, chips in today’s EMV cards immediately encrypt transaction data before transmitting it to a card reader. A magnetic stripe simply transmits the data required to complete a sale, and if the reader is compromised, that information heads straight to the hacker. The same principle applies to ATMs exploited by cyber criminals.

While magnetic stripes aren’t primarily used with chip cards, they’re still present, as they’re necessary at merchants that haven’t upgraded to EMV point-of-sale kiosks. And the stripe is still detected by chip-card terminals. According to CNN Money, stripes on EMV cards are designed to instruct the machine to draw data from the chip, but if the stripe’s code is infiltrated and altered, the POS system might take the transaction from the stripe — at which point the card can be hacked. If that’s the case, are EMV cards actually safe?

EMV proponents state that their various safeguards would eventually detect something wrong with the data from that sale, so the consumer would ultimately be protected. Nevertheless, retail industry advocates, such as the National Retail Federation, remain dubious, according to CNN.

Patrick Watson, a researcher employed by payment tech firm NCR, who discovered this flaw in August 2016, simply told CNN, “There’s a common misconception that EMV solves everything. It doesn’t.”

Identity theft and card fraud won’t ever completely disappear. As recently as 2019, reported incidents of consumer fraud and identity theft numbered 13 million — down from 14.4 million the previous year — according to information released by Javelin Strategy and Research. However, during the same time, fraud losses actually grew by 15% to $16.9 billion.

Card-not-present (CNP) fraud, in which a consumer’s card numbers and security code are stolen rather than a card’s stripe or a chip being compromised, constituted a significant portion of that increase. EMV technology is secure and represents a real leap forward for the payments sector, but it can’t protect anyone from CNP fraud simply because of the methodology involved. Are EMV cards safe? Yes, but there are still some risks.

It’s clear that there’s a great need for cybersecurity professionals to work diligently on devising new encryption algorithms and techniques, as well as other methods of improving payment security. Maryville University’s master’s in cybersecurity program strives to prepare students for a career in cybersecurity in which they can help mitigate the hazards affecting millions of consumers in the U.S. and worldwide.

Sources

Bank Info Security, “The History of EMV”

CNN Money, “New Security Flaw in Credit Card Chip System Revealed”

Consumer Affairs, “2020 Identity theft statistics”

Encyclopedia Britannica, “Credit Card”

Federal Reserve Bank of Boston, “Consumer Payment Choice for Bill Payments”

Javelin, “2020 Identity Fraud Report”

NerdWallet, “The History of the Credit Card”

Square, Inc., “Chip Card Security: Why Is EMV More Secure?”

Square, Inc., “The State of the U.S. EMV Migration: When Will Everyone Have Chip Cards?”

WalletHub.com, “Number of Credit Cards and Credit Card Holders”