The reason: Every EMV card also has a magnetic stripe, and also displays the account number. In every instance in which I used the card, the merchant accepting it both swiped the magnetic stripe and placed the card in the EMV reader. At a prominent U.S.-based car rental company, the agent not only dipped and swiped the card, but also made a photocopy of it, front and back!
The cardholder is powerless to keep a merchant from doing this. Thus, when the card is swiped, the consumer is exposed to a vulnerability that is more than 30 years old: data compromise through a non-secure magnetic stripe.
This is a reality that the card industry must take into account before it hangs its hat on EMV. The magnetic stripe combined with EMV prolongs and propels vulnerabilities arising from the magnetic stripe.
The bottom line: you can’t get rid of the fraud risk until you get rid of the card.
This is why cloud-based mobile payments can provide stronger security, and thus a much better chance of broad adoption, than EMV deployment will ever have.
EMV deployment is a fatal distraction to both issuers and consumers; a concept advocated by existing stakeholders and chip manufacturers as they attempt to preserve their legacy advantage against new technologies that require neither hardware upgrades for merchants nor the issuance of new cards by banks.
EMV is a flawed approach to begin with; the customer is still handing over the account token, with all of its credentials visible to a merchant, who can record it offline even before dipping it into a reader.
Cloud-based mobile approaches can prevent this risk entirely, changing the security paradigm by storing all payment credentials behind an encrypted firewall accessible only through strong authentication, with only indecipherable tokens provided to the merchant — tokens that represent transaction authorization, not actual account credentials. Nothing of value is stored on the mobile phone; nothing of value is transmitted back to the merchant.
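A minimal sketch of the token model described above, added here as an illustration and not taken from any payment product. The `TokenVault` class, its single-use policy binding each token to one merchant and amount, and all names and values are assumptions.

```python
import secrets
import time


class TokenVault:
    """Hypothetical cloud-side vault; account numbers never leave it."""

    def __init__(self):
        self._accounts = {}  # account_id -> account number (constructed values)
        self._tokens = {}    # token -> record of the one transaction it authorizes

    def enroll(self, account_id, account_number):
        self._accounts[account_id] = account_number

    def authorize(self, account_id, merchant_id, amount_cents, ttl=60, now=None):
        """Issue a token for one transaction. Assumes the cardholder has
        already passed strong authentication, which is out of scope here."""
        if account_id not in self._accounts:
            raise KeyError("unknown account")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # random, not derived from the account
        self._tokens[token] = {
            "account_id": account_id, "merchant_id": merchant_id,
            "amount_cents": amount_cents, "expires": now + ttl, "used": False,
        }
        return token

    def redeem(self, token, merchant_id, amount_cents, now=None):
        """Merchant-side call: returns a decision, never account data."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None:
            return "unknown"
        if rec["used"]:
            return "replayed"
        if now > rec["expires"]:
            return "expired"
        if (rec["merchant_id"], rec["amount_cents"]) != (merchant_id, amount_cents):
            return "mismatch"
        rec["used"] = True
        return "approved"


if __name__ == "__main__":
    vault = TokenVault()
    vault.enroll("acct-1", "4111111111111111")  # constructed test number
    t = vault.authorize("acct-1", "merchant-A", 2599)
    print(vault.redeem(t, "merchant-A", 2599))  # first use
    print(vault.redeem(t, "merchant-A", 2599))  # recorded copy presented again
```

Unlike a photocopied card or a swiped stripe, a token recorded by the merchant in this model authorizes nothing once it has been redeemed or has expired.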
Many savvy ATM operators and retail merchants view EMV as a ploy by Visa and MasterCard to preserve their hold on payment systems, and lock merchants into hardware investments that will extend the life of the companies’ control over payments.
Some have gone as far as to say that EMV is a smokescreen intended to create a barrier-to-entry to more deployer- and merchant-friendly — and more disruptive — technology of cloud-based mobile payments.
The smartest merchants and ATM deployers are in a holding pattern when it comes to shelling out money to upgrade existing infrastructure with additional EMV hardware components that support chip and PIN.
However, delaying on EMV doesn’t mean delaying on mobile. Major merchants in every major segment — grocery, fine dining, casual dining, QSR, specialty retail, big box and more — are working on their own mobile wallet initiatives, controlled inside their own branded mobile shopping apps, that bypass EMV and NFC in favor of software-only, cloud-based mobile payment options that take the transaction out of PCI scope.
These are major material threats to EMV and NFC adoption and have been carefully analyzed, modeled and rigorously pursued by leading merchants and retailer consortiums. Some scheduled EMV deadlines are likely to be rendered irrelevant because mobile banking and payment initiatives underway now are more secure than EMV, less costly to deploy, and reduce — if not eliminate — costly hardware upgrades, PCI scope and the like.
Retailers and ATM operators find themselves at an inflection point in the payments industry. New technologies have made it possible to literally and entirely replace the current 50-year-old infrastructure for delivering and accepting payment credentials with customer-owned mobile devices and low-cost software solutions.
This inflection point has created an opening for prepared stakeholders to redefine the payments infrastructure in a way that reduces third-party control over the infrastructure used at retail locations — and in the process, reduce costs, increase net new revenue streams, and create a better experience for customers, all outside of onerous hardware mandates for EMV, NFC and other PCI hardware requirements.