Retailer pushes for chip and PIN while first domestic EMV issuance begins
Last year there were 944 million EMV cards in circulation worldwide, according to EMVCo, virtually none of which were issued in the world’s largest payments market: the United States.
With the rest of the world now upgraded to a higher security standard, the U.S. has a critical decision to make on when, how and if it wants to make the migration to EMV.
Enter Walmart. Already offering EMV payment in its European Asda stores, the retail giant is planning a big push for the technology in its American outlets and wants the rest of the U.S. retail market to follow. “We’re interested in helping to migrate EMV to the U.S. market,” says Jamie Henry, director of payment services with Walmart treasury organizations. “We view it as a much more secure transaction, and we want to provide our customers with the most secure transactions in the market place.”
There are 716 words in the rest of this article …
Library Access Required
Library subscribers have access to the full archives of more than 10,000 original news items and feature articles published by AVISIAN’s suite of ID technology publications (ContactlessNews.com, CR80News.com, DigitalIDNews.com, FIPS201.com, NFCNews.com, RFIDNews.org, SecureIDNews.com, and ThirdFactor.com).
For just $49, you receive unlimited password-protected access to content on all of AVISIAN’s sites for an entire year. Your subscription helps fund the continued creation of independent, insightful content. Find out more.
Sign in as a Subscriber
If you are already a subscriber, you may sign in now. Enter your Email Address and Password and click Sign In.
If you have forgotten your password, enter just your Email Address, and click Send Password.
Firstly, I wish to applaud Walmart's leadership in pushing for EMV in the U.S..
I understand that sometimes the message is simplified for the mass consumer public, however this often leads to misconceptions. So please humour me and let me clarify the following:
EMV is about the messages that makes up a payment transaction between a smart token and a terminal (ATM or POS). EMV supports contact, contactless and dual interface cards, as well as contactless interfaces on NFC mobile phones.
That being said, there are different grades of EMV, namely magstripe grade and full grade. Magstripe grade includes dynamic generated CVV/CVV codes using a secure key inside the chip, and is quite safe for use in online transaction authorisation environments such as the U.S.. Full chip grade includes additional security methods for offline card authentication as well as counters and limits to control offline spending. Full grade is recommended for environments with poor or expensive telephony as well as for low value transactions in order to reduce transaction fees (lower interchange).
Some people consider the fact that you can read the contents of a contactless card as a risk, however as mentioned before the CVV is not that which is printed on the back of the card, and the cardholder name is not present in the contactless interface. The security risk here is not actually with the card, it's with the complete lack of security employed by some card not present (internet, mail order, telephone) merchants that process transactions without checking the security code - I urge all payment schemes to ban these types of transactions, and consider these practices a threat to society in general.
The design of EMV is such that the card number is not a secret, the security proves that the chip is authentic, and thus you know you can use the card number for a transaction. The card number is like the address on an envelope, trying to keep it secret is impossible since you need to look at it to know where to send it...
Another incorrect assumption is that EMV supports only PIN. EMV supports a sophisticated set of rules and multiple cardholder authentication methods that enables the terminal to select the appropriate method that fits best with the particular transaction. For example: PIN when withdrawing cash, PIN for transactions over $50, Signature when the POS doesn't support PIN, PIN and Signature for transactions over $300, and no verification for transactions less than $10...
Hope this puts some light on the subject, I hope that was not to technical...
After reading the article again, I realised there are several more points clarify, but wont bore you with them here. If you are interested about EMV migration in the U.S., please download my 39 page white paper called "6 Myths Preventing EMV Migration in the U.S." from http://www.bellid.com/white-papers/84-emv-migration-in-the-united-states, or click on the link below...
Interesting information! However, the EMV protocol used on the smart card has serious issues when used in the online environment. There is another protocol that can be used on a smart card called PIV (Personal Identification Verification). In this protocol the user is positivly verified as being the authentic person authorized to use the card and that the card has not been duplicated. Based on this information a payment instruction could be sent to the issuing bank without ever allwing the users personal financial information to be placed out in the open for fraudsters to steal. There is little doubt that EMV could reduce fraud in the United States, but PIV is probably in a much better position technically to provide a solution that is safe in both the brick and mortor environment as well as in cyber space. Look for it in the future. It will be used for the most secure transactions!
Just a side note. The fact that a contactless card can be read from 50 feet with an antena built for under 100 dollars and could fit in a hand bag, makes me nervous.