EMV chip-and-signature: The mirage of protection

Without a holistic approach to user and transaction verification we're only presenting an appearance of protection — one that will vanish when tested by sophisticated cybercrooks.

November 7, 2014

by Pat Carroll, CEO, ValidSoft

By now, most participants in the U.S. payments industry realize that the day of the mag stripe is doomed and that EMV, the secure payment card technology rolled out in Europe nearly a decade ago, is finally about to make its debut in the U.S.

Incredible as it may seem, the financial integrity of the payment card industry continues to rely on 1970s technology. But what I find even more shocking is that, despite all the security breaches, card data thefts and all the evidence that cybercriminals continue to outsmart even the most sophisticated security systems (JP Morgan Chase being the highest-profile casualty), the majority of credit and charge card issuers in the U.S. haven't pushed more quickly for a complete transition to chip-and-PIN for their entire card estates. Instead, major players like Chase and American Express, amongst many other key institutions, have opted to issue chip-and-signature cards by the millions.

While any attempt to prevent card fraud with enhanced security should be welcomed, we need to be mindful that the issuance of chip-and-signature payment cards brings problems of its own. One of the most obvious is that in countries that have made chip-and-PIN their payment card standard, chip-and-signature payment cards are pretty much useless.

Forget the premise that a signature must be accepted as an alternative to a PIN, because in reality that simply isn't the case. It's a cold comfort to find oneself stranded when trying to check into a hotel late at night, or purchasing a travel ticket at an unattended automated kiosk, or trying to purchase necessities at any late night convenience store, where the transaction cannot be completed or is rejected. Simply put, for the international traveler chip-and-PIN is mandatory. And for good reason.

Chip-and-signature is not as secure as chip-and-PIN — that's a fact. Consequently we shouldn't expect that the benefit of reduced card-present fraud derived from the implementation of EMV chip-and-PIN elsewhere will be realized in the U.S. with the implementation of chip-and-signature.

Fraudsters will always find the weakest link in the process. In this instance, it's relatively easy to forge a signature in the case of a stolen card — or even to intercept the card before it reaches the genuine customer — and the fraudster can simply sign in his own handwriting. (Chip-and-PIN cards, on the other hand, require issuers to assign a PIN before mailing the card and require a cardholder to visit a branch to reset the PIN).

The sad fact is that the critical security benefit that comes with a PIN is seriously undermined by the reliance on an easy-to-fake signature.

As many have written in the past — myself included — EMV is a much-needed security technology that significantly raises the barrier for payment card fraud by virtually eliminating the ability to manufacture cloned credit cards, something that accounts for as much as 45 percent of all payment card fraud today.

While chip-and-PIN is part of the solution in the U.S., it should be noted that it isn't without serious issues of its own, including exploitation by so-called "replay attacks," even before you consider the implementation costs and additional burdens on merchants.

So while I applaud the U.S. in its efforts to adopt a more modern consumer card protection scheme, by taking only a "half-step" into EMV with clearly weaker signature authentication, the industry is investing hundreds of millions of dollars into an infrastructure that will not produce the significant security it expects.

This will no doubt confuse and anger consumers who are expecting increased fraud protection. Worse, it might actually exacerbate card fraud through increased physical card theft, putting customers and their money at risk, since the card itself is now the primary authentication factor. Clearly, chip-and-signature is not the answer.

Today, almost two out of three Americans have been exposed to, or have become victims of, data theft and card fraud, subjected to the stress and aggravation of potentially having their accounts unlawfully accessed and their cards replaced, in some cases, multiple times.

The card issuers appear to be accepting this as the status quo, so perhaps what is needed is action, like the example set by the White House when President Obama signed an executive order mandating the use of chip-and-PIN technology for card payments at federal departments and agencies, and calling for the formulation of new multifactor authentication guidelines to protect personal data online.

One can only hope that this is just the catalyst the U.S. needs to truly move forward and protect consumers against card-present fraud. However, while these measures are clearly a step in the right direction, there's more that can be done.

So, the die is cast and the U.S. will have chip-and-signature alongside chip-and-PIN. There is, however, a solution to the fraud challenge of chip-and-signature. EMV technology can be combined with zero-friction, real-time authentication technologies, such as privacy-sensitive proximity and geo-location technology, to determine that the genuine customer is at the place of the transaction.

If further user or transaction verification is required, an automated "conversation" can be conducted with the customer through an app on the mobile phone using voice biometrics, thereby providing the highest level of transaction authentication and verification, but in a totally low-friction format. (It should also be noted that this model could be used to address the Card Not Present fraud issue, but that's a separate discussion.)

The audit trail resulting from such an approach provides the greatest assurance in the event of a repudiation of the transaction, the bane of the payments industry today for both the consumer and the service provider.

This approach recognizes the importance of authentication — not just for the initiation of a transaction, but all the way through to its completion — via true transaction verification. Underpinning such an implementation is the trusted device, established during the low-friction enrollment and registration process and strongly contributing to the "invisible" security process. This approach represents probably the strongest barrier available today.
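To make the layered model in the preceding paragraphs concrete, here is an added Python sketch of an issuer-side decision engine; it is illustrative code written for this page, not ValidSoft's product or anything from the original article. It assumes a cardholder has enrolled one trusted mobile device, that the device periodically reports a location fix, and that an out-of-band voice-biometric check exists behind the `voice_verify` callable (a stand-in here). The distance threshold, the fix-age limit, the coordinates and the transaction data are all constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Callable, Optional

EARTH_RADIUS_KM = 6371.0

# Policy thresholds. Constructed values for this example; an issuer would tune
# them against its own fraud and false-decline data.
MAX_DISTANCE_KM = 2.0                # trusted device must be this close to the terminal
MAX_FIX_AGE = timedelta(minutes=15)  # older location fixes are treated as unknown


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass
class DeviceFix:
    """Most recent location reported by the cardholder's enrolled device."""
    device_id: str
    lat: float
    lon: float
    observed_at: datetime


@dataclass
class Transaction:
    """Card-present authorization request as the issuer sees it."""
    txn_id: str
    card_token: str
    terminal_lat: float
    terminal_lon: float
    cvm: str            # cardholder verification method used at the terminal: "pin" or "signature"
    occurred_at: datetime


@dataclass
class AuditRecord:
    """Ordered trail of checks and outcomes, kept for dispute handling."""
    txn_id: str
    decision: str
    steps: list = field(default_factory=list)


def assess_proximity(txn: Transaction, trusted_device_id: str,
                     fix: Optional[DeviceFix]) -> tuple:
    """Zero-friction first check: is the trusted device at the terminal?

    Returns ("approve" | "step_up", reason). It never declines on its own:
    a missing or stale fix means "unknown", not "fraud".
    """
    if fix is None or fix.device_id != trusted_device_id:
        return "step_up", "no location from the enrolled device"
    age = txn.occurred_at - fix.observed_at
    if age < timedelta(0) or age > MAX_FIX_AGE:
        return "step_up", f"device fix is stale ({age})"
    dist = haversine_km(txn.terminal_lat, txn.terminal_lon, fix.lat, fix.lon)
    if dist <= MAX_DISTANCE_KM:
        return "approve", f"device {dist:.2f} km from terminal"
    return "step_up", f"device {dist:.0f} km from terminal"


def authorize(txn: Transaction, trusted_device_id: str, fix: Optional[DeviceFix],
              voice_verify: Callable[[str], bool]) -> AuditRecord:
    """Run proximity first; escalate to voice verification only when needed.

    `voice_verify` stands in for the out-of-band voice-biometric conversation
    with the cardholder's device; it gets the card token and returns True on a match.
    """
    record = AuditRecord(txn_id=txn.txn_id, decision="decline")
    outcome, reason = assess_proximity(txn, trusted_device_id, fix)
    record.steps.append(("proximity", outcome, reason))
    if outcome == "approve":
        record.decision = "approve"
        return record
    # Step-up applies whatever the terminal CVM was: a forged signature does not
    # help someone who cannot pass the voice check on the enrolled device.
    matched = voice_verify(txn.card_token)
    record.steps.append(("voice", "approve" if matched else "decline", f"cvm={txn.cvm}"))
    record.decision = "approve" if matched else "decline"
    return record


# Constructed sample data: a terminal in Manhattan and three device fixes.
NOW = datetime(2014, 11, 7, 22, 15, tzinfo=timezone.utc)
TXN = Transaction("txn-001", "tok-4242", 40.7580, -73.9855, "signature", NOW)
NEARBY = DeviceFix("dev-A", 40.7590, -73.9840, NOW - timedelta(minutes=3))   # a block away
FAR = DeviceFix("dev-A", 41.8781, -87.6298, NOW - timedelta(minutes=3))      # Chicago
STALE = DeviceFix("dev-A", 40.7590, -73.9840, NOW - timedelta(hours=2))      # too old

if __name__ == "__main__":
    for label, fix in [("nearby", NEARBY), ("far", FAR), ("stale", STALE), ("none", None)]:
        rec = authorize(TXN, "dev-A", fix, voice_verify=lambda token: True)
        print(label, rec.decision, rec.steps)
```

The design point is that the proximity check only ever approves or escalates; every path that cannot positively place the trusted device at the terminal falls through to the voice step, and both outcomes are written to the audit record so a later repudiation can be answered with evidence rather than a signature slip.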

As I have said previously, card fraud and security is a complex global problem, one without any single solution. It is therefore incumbent upon the industry, a moral responsibility I believe, to ensure that no stone is unturned in the protection of our customers from fraud.

EMV is one technological piece of the puzzle. Proximity correlation combined with strong user authentication, as well as multifactor authentication and voice biometrics are additional highly complementary technologies for stopping fraud and ensuring that stolen identity and payment card data is rendered worthless to fraudsters.

Without such a holistic approach, we are only presenting a mirage, an appearance of protection, but one that will vanish when tested by today's sophisticated cybercrooks.

photo courtesy of frederic potet | flickr
