In a recently published article on the American Banker website, Mark Horwedel, chief executive of the Merchant Advisory Group dispelled some points he called “myths” about EMV and the use of PIN numbers as part of authentication for transactions made with EMV cards. There does seem to be plenty of confusion and misinformation surrounding the efficacy of EMV cards when it comes to security and authentication, especially when it comes to the potential for a large data breach, like the type suffered by Target and Home Depot a few years ago. Below are what Horwedel believes are the top myths about EMV, with additional commentary about each one:
Myth #1: PIN doesn’t prevent online or mobile fraud. While it is true that in countries where EMV has been implemented, card-not-present (CNP) fraud has increased, that is due largely to the dramatic reduction in card-present fraud. The increase of online and mobile transactions and the lack of a PIN requirement for these transactions are also responsible for the rise in CNP fraud. There are companies that sell technology to help reduce CNP fraud, and more organizations are working on developing solutions that will allow the use of PIN and help keep consumer’s CNP purchases safe.
Myth #2: PINs were compromised in the Target and Home Depot data breaches. In both situations, criminals got PIN numbers, but they were encrypted and the fraudsters were unable to decrypt the numbers. Therefore, the cards requiring PINs at the time were not compromised and there was no need for the banks to reissue those cards. However, other cards not requiring PINs were compromised and were reissued. It is believed that if PIN numbers were required at the point of sale – even if the cards were standard magstripe cards – the data breach would not have had as great an impact.
Myth #3: Consumers are harmed more when PINs are compromised. Because PINs are encrypted, it is unlikely that fraudsters can access the PIN either to withdraw cash from an ATM with a stolen card, access bank accounts or to make purchases. And the card companies know that requiring a PIN number enhances the security of any transaction. In his article, Horwedel quotes from a submission to the Australian Competition Commission: “the decline in Lost/Stolen and NRI [Not Received as Issued] fraud ... is considered by Visa to be substantially, if not entirely, attributable to mandatory PIN@POS.”
Myth #4: American consumers cannot remember multiple PINs. Some experts say that because most Americans carry an average of six cards which may require a PIN number, that would be too many PINs to remember so most people would use one PIN for all six cards, meaning if one card’s PIN is compromised, they all are. However, we are already dealing with multiple passwords (just how many email accounts do you have, by the way?) and access codes, which most of us have no trouble remembering. Also, they state that because consumers pick numbers that are easy to remember, they can be easily figured out, like birthdays, anniversaries, house numbers, phone numbers, etc. It may be more effective if consumers use a random numerical sequence or a bank-issued PIN.
Myth #5: The chip in an EMV card alone is sufficient to verify the cardholder. While it is true that chip cards are far more secure than traditional magstripe cards simply by virtue of having a chip, the chip alone doesn’t do the whole job. The chip is there for authentication of the card, meaning the chip verifies that the card is a real card and not a duplicate or counterfeit. In other words, not stolen. However, the cardholder also needs authenticating, and that can only be done with something not on the card that only the cardholder has, knows, is or does, like a PIN, a thumb- or fingerprint, or even an iris or facial scan. Additionally, most CNP fraud or situations in which the card was lost or stolen is of the type that may be prevented with a PIN number or other authentication, and not by the chip itself.
The bottom line is, chip cards have shown to be much more secure than traditional magstripe cards. Countries that have already gone through EMV adoption, have seen significant reductions in card-present situations and the United States can expect to experience the same. Ditto on the increase in online and CNP fraud. However, there are people working to reduce CNP fraud and we may soon see products like personal card readers that plug into our computers and let us swipe our cards when making online purchases, or the requirement of some kind of authentication, like a PIN or password. Whichever way it goes, EMV is here to stay, and that is a good thing. The chip alone won’t stop all fraud, but it is much better than traditional magstripe cards, and the potential exists to make EMV cards even more secure, for both consumers and merchants.