Payment Method Security and the Expanding Role of Chip & Pin

Posted by Craig CarpenterWith the increased awareness of major data breaches and the ever-expanding prevalence of credit card fraud, payment transaction security has become an important discussion in this country. A significant portion of this discussion has revolved around the role of EMV or “Chip & Pin” technology for credit cards as a more secure payment method.EMV payment technology uses credit cards with an embedded microprocessor (the “Chip”) to securely store payment information and provide for card authentication. The Chip card is then combined with cardholder verification, either by signature or pin number (the “Pin”), to create a more secure payment method.  Today, most credit card transactions in the United States are performed using standard magstripe cards in which all of the account and cardholder data is stored in a magnetic strip on the back of the card; however, there has been a significant push for the United States to move to EMV technology for card transactions due to the increased security it provides at the point of sale. In light of this, Thompson & Knight’s most recent CyberSecurity roundtable focused on payment method security, and specifically the role of Chip & Pin.The roundtable featured William Tran of Gemalto North America, the world’s largest supplier of EMV chips and a world leader in digital security products and solutions. Mr. Tran presented on “The Role of Chip & Pin Technology in Transaction Security.” Mr. Tran provided the history of the EMV standard, dating back to the joint effort among Europay, MasterCard, and Visa (hence “E.M.V.”) in 1994 to develop the specification, and its early adoption and fraud prevention success in Europe.  However, despite the prevalence of this technology elsewhere around the globe, Chip & Pin technology has been largely ignored in the United States until recently. Prompted largely by the increased prevalence of massive retailer data breaches and an overall increase in concern about payment security, Visa and MasterCard started pushing for EMV adoption in the United States in mid-2013 as a way to increase the security of credit card transactions. To do this, Visa and MasterCard announced that they would begin shifting the liability for fraudulent transactions to the commercial party in the transaction that has the least security and support (rather than just putting the liability on the bank that issued the original card, as the default). This could put fraud liability on merchants that do not deploy the more secure EMV point of-sale (POS) terminals. This fraud liability shift is scheduled to take effect on October 1, 2015 for POS transactions.Mr. Tran discussed the benefits of EMV Chip & Pin technology, versus the existing magstripe technology, including: –          Increased global interoperability;-          Enhanced payment security;-          Online or offline authorization; and-          A technology platform for new payment channels (e.g., contactless payment, mobile payment, eCommerce).EMV technology is lauded as a more secure payment method because the secure microchip dynamically communicates with the authorization system or POS terminal to confirm card authenticity, cardholder authenticity, and transaction authenticity; whereas a standard magstripe card merely transfers the account data from the magnetic strip to the terminal. The extra steps in the EMV method help prevent card skimming, card cloning and man-in-the-middle attacks.Retailers have cited some drawbacks to the standard Chip & Pin payment method, including the potential for an increased transaction time (dip and wait vs. quick swipe) and the potential for consumer confusion resulting from requiring Pin numbers for credit card purchases, but Mr. Tran explained that recent developments in contactless EMV technology should mitigate these concerns. The EMV technology currently being deployed in the United States is also limited in that the technology does not provide added security for online (or “card-not-present”) purchases, but Mr. Tran indicated that solutions to this problem are under development.EMV adoption in America is on the horizon, and while there is no way to create a 100% secure payment method, EMV technology, featuring microchips developed by Gemalto, will provide welcome security and interoperability benefits to American retailers, issuing banks, and credit card users. For more information about Gemalto, visit www.gemalto.com.For more information about Thompson & Knight’s CyberSecurity practice and for information on upcoming Roundtable events, visit https://www.tklaw.com/data-privacy-and-cybersecurity/