EMV Cards Not Preventing Card Data Theft

The implementation of EMV (Europay, Master Card, Visa) or “chip” cards have not reduced the instances of credit card theft in the US.  The reason:  WE ARE DOING IT WRONG!!  I have been writing about the late implementation of EVM for years, and complaining about the “chip and sign” method we are using in the United States, vs. the much more secure “chip and PIN” method used in Europe, where they have had EMV cards already for 12 years!!

Here are some shocking statistics from a report by Gemini Advisory:

  • 60 million US payment cards have been compromised in the past year.
  • 45.8 million or 75% are Card-Present (CP) records and were stolen at the point-of-sale devices, while only 25% were compromised in online breaches.
  • 90% of the CP compromised US payment cards were EMV enabled.
  • The US leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records.
  • Financially motivated threat groups are still exploiting the lack of merchant EMV compliance.
  • An imminent shift from card-present to card-not-present fraud is already evident with a 14% increase in payment cards stolen through e-commerce breaches in the past 12 months.

There are several problems with the way EMV has been implemented in the United States.

  • Chip and PIN – Back in 2015, when the new EMV standards were supposed to be deployed, the FBI warned that “chip and sign” would not be secure enough, and recommended that the US adopt the European model of “chip and PIN.”  Chip and PIN represents true two-factor authentication; something you have (chip), and something you know (PIN).  A signature is really proof of nothing.  Have you ever had a cashier check your signature against another signature, like on your driver’s license?  Of course not.  The signature is a throwback to something useless that we are contented and familiar with.  It provides NO ADDED SECURITY.
  • Slow deployment – The cost of changing out the point-of-sale systems is a cost borne by the retailers, and I am sure this expense is being delayed a long as possible in many cases.  Retailers pay a slightly higher processing fee to use the old magnetic stripe system, but this expense seems preferably to the hardware and software upgrade required by EMV.  Card criminals are moving from targeting and breaching larger retailers to smaller retailers who are still using the older magnetic stripe systems.
  • No inspectors – It’s been three years since EMV was supposed to be mandatory. but I am still finding “no chip” magnetic stripe only checkouts all over the place, at small and large retailers, restaurants, and gas stations.  There is a requirement that new EMV locations need to be inspected and audited, and these inspectors are in chronic short supply.  Evidently very few are being trained.  Not sure why not.  Of course once all locations have been inspected, I suppose we will not need a huge army of inspectors.
  • The magnetic stripe – The continued presence of the unencrypted magnetic stripe data means that criminals who steal EMV card data can still use the chip data to encode a mag-stripe card and go shopping with it.

The result is that in spite of the improvements that EMV technology, card information theft and card fraud is continuing at the same or even slightly higher levels that in the past.

More information :

  • FBI Recommends Chip and PIN
    The new EMV chip-style credit cards are here, and the FBI has already released a warning about the way they are being deployed in the United States.  The EMV card has been in continuous use in Europe and Asia for over a decade, and has worked well to reduce the amount of credit card fraud there.  …
  • Maybe We Should Take EMV Seriously
    Why are retailers in the US still stuck in the 20th century when it comes to credit card processing?  Why are so many stores still using outdated magnetic stripe card readers, when EMV or “chip” card readers are available?  Who is at fault?  Is it the store or the credit card processi…


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
  Related Posts

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.