The EMV train is rolling around the bend — is anyone ready?
EMV cards — the initialism stands for Europay MasterCard Visa — are more commonly known as chip cards, or smart cards. They are dipped rather than swiped, employ single-use codes to make transactions safer, and take much longer to process with each transaction than magstripe cards. They have been common in Europe and Canada for years, and in October of this year, a liability shift will occur in which merchants processing EMV cards as magstripe cards will be held liable if fraud occurs. (Ordinarily banks take the hit.)
Square — currently in an odd position as its CEO Jack Dorsey has taken on an interim CEO role at his old company, Twitter — announced this week that it will release an EMV/NFC reader in the fall. The announcement took place at the same time as Apple’s WWDC, and downplayed EMV in favor of NFC and Apple Pay, but in any event, the device looks like it is built for Chip & Signature, a much weaker security standard than Chip & PIN. Signatures can be faked, and merchants seldom look closely at them in any case. PINs must be known. The Square device does not contain a keyboard for entering a PIN, which would conform to the EMV standard in place in other countries.
Chip & Sig is not secure and has been widely decried by security experts for years, but it’s what many issuers and networks wanted. According to security expert Brian Krebs, MasterCard wanted Chip & PIN while Visa wanted Chip & Sig, and this latter standard seems to have won the day for the moment. But there is a third option, and it is one that Visa could soon be promoting, possibly at the expense of Chip & Sig.
It’s called Chip & MLC, which stands for mobile location confirmation, and is offered by authentication company Finsphere in partnership with Visa. MLC was announced in February and went live in May. It’s a concept with which most smartphone owners are probably familiar by now — using location to confirm identity and authenticate purchases. A customer swipes his card, for example, and instead of having to sign a keypad or type in a PIN, his smartphone will be pinged and confirm that, yes, Joe Customer is in the Blue Bottle Coffee in Rockefeller Center in midtown Manhattan.
Actually, according to Finsphere CEO Mike Buhrmann, the service is less specific than that. “All the bank has to know is that you’re in New York, and that’s enough to re-rate the risk and allow the transaction,” he told Bank Innovation. The process takes an average of 700 milliseconds, near realtime, but may be a privacy concern to some. “You’re giving up where you are,” Buhrmann said, “but we only keep enough information to understand transactions.”
Your bank app, however, as well as your phone manufacturer, your mobile network, a host of other services residing on your phone, not to mention the NSA, and of course the store where you’re buying coffee, know exactly where you are — but consumers still don’t seem to understand this.
If a bad guy has your card and your mobile phone, he could still cause trouble, but in this case, you would likely already be aware of it. Plus, phones can be locked, and remotely shut down.
“This is a simpler, safer way of bringing plastic into the 21st century,” Buhrmann said. “It eliminates the signature for customer authentication.”
Amen to that. As one banker quipped recently, “I’ll trust the signature for authentication when they start allowing it for ATM withdrawals.”