The Failed Promise of EMV
Republished from BlockChyp, a payments startup targeting integrated POS. BlockChyp’s technology is based on a proprietary consumer credit blockchain and features advanced encryption and security features not found elsewhere. For more information, contact Jon Decker, CEO, or Jeffrey Payne, CTO.
Making the move from magnetic stripe cards to EMV was no small feat. Brick-and-mortar merchants had to upgrade terminals by the millions. Issuing banks had to overhaul their processes from the ground up. Consumers had to be re-educated. Untold sums were spent by everyone involved in the payments industry to roll out this magical, futuristic technology from the early ‘90s. For an industry that innovates slowly and dreads doing any real technical work, EMV was a major undertaking.
We were told all this was done in the name of security, that it would pay for itself in reduced fraud. We take our medicine now, they said, and the payments infrastructure would be safe for generations. Did it work?
Sure, we got a few benefits, but on the whole it was a missed opportunity at best and a massive waste of everyone’s time at worst.
Card-present fraud due to counterfeit cards dropped by about $1.9B since the U.S. EMV liability shift in 2015. This seems positive, but fraud from lost or stolen cards remained unchanged, and card-not-present fraud increased by $3.3B over the same period, for a net increase in fraud of $1.4B. On the whole, EMV has made things worse. Once fraudsters figured out the ways around EMV, they quickly realized that there were far more lucrative and reliable ways to steal than making counterfeit cards. EMVCo and the card brands could have slammed the door on these paths around EMV from the beginning, but they couldn’t be bothered.
The simple truth is that EMV (in the U.S.) was designed to reduce fraud liability for the card associations and acquiring banks by shifting counterfeit card liability onto merchants. They declined to add any other security features to EMV because it might have reduced transaction volume or benefited the merchants with no corresponding benefit to the acquiring banks or card brands. This should come as no surprise to anyone, because ISOs, agents, acquiring banks, processors, and card associations are only innovative when it comes to dreaming up new ways to fleece merchants. They lie, cheat, and steal as a matter of standard business practice, seemingly without remorse. Nearly every merchant processing statement from any of the big acquirers flirts with the dangerous line between shockingly unethical and flat-out wire fraud.
Don’t look for real technical solutions or security innovation from an industry that sees merchants as a mark in their con game. When you understand how the industry views merchants – as a helpless blood bag begging to be drained – it’s easy to see how the U.S. EMV roll-out was one part cynical ploy and more parts sheer incompetence.
Let’s start with lost or stolen card fraud. Unlike Europe and Canada, which mandated chip-and-PIN, the U.S. industry fought it because it might have reduced transaction volume. As a result, most U.S. credit cards are personalized with CVM (Cardholder Verification Method) lists that never ask for a PIN, so a thief holding the physical card can dip or tap and sign, or do nothing at all. The good news is that this is fixable by the issuers: a PIN CVM can be added to the CVM list on reissued cards without touching the EMV specifications themselves, so those who drafted the specifications aren’t at fault here.
But the real scandal (and missed opportunity) of EMV lies squarely within EMVCo’s domain of responsibility. After all the work and money spent, EMV doesn’t add a single shred of extra protection for the card number itself. Believe it or not, on every EMV transaction, contact or contactless, the PAN is read from the chip and sent to the processor inside the authorization message (as the Track 2 Equivalent Data, tag 57, or the PAN itself, tag 5A). EMV doesn’t require the PAN to be encrypted in transit, and where it is encrypted (P2PE), it’s almost always protected with the same DUKPT key management and 3DES cipher that magnetic-stripe readers have used for decades: 3DES is a late-1970s construction and DUKPT was standardized in the 1990s (ANSI X9.24). You know, the same encryption your ID Tech MSRs were using 20 years ago. Um, what?
EMV’s only real feature is that it provides a reliable method of proving a genuine chip was present. It does this with the Application Cryptogram (the ARQC on an online transaction). People loosely call the cryptogram a digital signature, but it isn’t one: it’s a MAC computed with a symmetric 3DES (or AES) session key derived from a master key the issuer also holds, so only the issuer can check it, and the scheme still rests on a shared secret. EMV does use real RSA signatures for offline data authentication (SDA/DDA/CDA), but those only let the terminal confirm that the card’s data was signed under the issuer’s key; the PAN is still sent along with the cryptogram. Look, digital signatures are a great idea; at BlockChyp we use them for gift card transactions and for point-to-point (P2P) encryption. But whoever drafted the EMV specifications seems to have completely missed the point of digital signatures.
Digital signatures are built on an asymmetric algorithm such as RSA or an elliptic curve scheme like ECDSA. To prove your identity with one, you hold a secret (private) key that you never share with anyone and a matching public key that the verifier must already know and trust, registered at enrollment or vouched for by a certificate. When you want to authorize something, you send the message (the transaction) together with a signature computed over it with the private key. The recipient doesn’t have the private key, but with the public key it can verify that the signature could only have been produced by the holder of the private key, and that the message wasn’t altered in transit. Note that the public key has to be bound to you in advance; if it merely rode along with the message, anyone could send their own key with their own signature. This is not a radical concept: it runs under the hood every time you access an HTTPS web site, and every blockchain known to man from Bitcoin to BlockChyp depends on digital signatures.
EMV should have been built on a true digital signature, with a private key that is not derived from the PAN and never leaves the chip. Even a random token in place of the PAN would have been preferable to what we’re using now. As it is, anyone who intercepts an EMV transaction gets your card number, and a card number is all it takes to run card-not-present transactions. Is it any wonder card-not-present fraud has doubled since 2015? Not to those of us who’ve looked under the hood of EMV, it isn’t.
I’m sure I’m not the first to raise this objection to EMV. There are smart people at the big card brands and acquiring banks. Nothing I’m suggesting is really all that innovative or radical, but for reasons we’ve already covered, technical leaders don’t have much pull in the merchant fleecing business.
The fundamental problem with EMV, and with our payments infrastructure in general, is its dependence on shared secrets. The 16-digit PAN, sent over the network with every transaction, is a massive security liability and needs to go. It is a tiny secret: the first six to eight digits are a public BIN that identifies the issuer, the last digit is a Luhn check digit computed from the others, so within one issuer’s range there are at most about 10^9 account numbers, and a conventional laptop can enumerate every candidate in a BIN range in seconds. Even the entire space of 16-digit numbers is only 10^16. By contrast, if payment cards used a real asymmetric scheme such as RSA or elliptic curve signatures, the number of possible secret keys is on the order of 10^77 (2^256 for a 256-bit curve key, or 100 quattuorvigintillion), within a few orders of magnitude of the number of atoms in the observable universe.
An unguessable secret key that’s encoded on the chip card and never transmitted or stored anywhere else is the right fix for the industry’s fraud and security problems. PIN codes fit this model too: the PIN can gate signing on the card itself, so it never has to leave the chip either. RSA and elliptic curve signatures are well established, proven technologies, and EMV chips already do RSA for offline data authentication. Compared to the hassle of convincing card issuers and merchants to install EMV equipment, moving to asymmetric signatures would have been a relatively minor change with sweeping security implications. This one change would have made our payments infrastructure secure for generations while taking most merchant systems out of PCI scope, because with no PAN on the wire there is no cardholder data to ring-fence with countermeasures; the math itself provides the baseline. This is how blockchains can be public and still be secure.
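The signed-transaction model described above (the private key stays on the chip, the issuer holds only a registered public key, the PIN gates signing locally, and nothing resembling a PAN crosses the wire) in working code. This is an added illustration, not BlockChyp’s code and not anything in the EMV specifications: it uses ECDSA over P-256 from Go’s standard library, and the token string, merchant ID, amounts and PIN are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Transaction is what actually crosses the network: no PAN, only an opaque
// token the issuer maps to an account, plus a monotonic counter so a captured
// message cannot be replayed. (Field layout is an assumption for this example.)
type Transaction struct {
	Token       string // opaque account token, not a PAN (hypothetical)
	MerchantID  string
	AmountCents int64
	Counter     uint64 // increments on the card for every signed transaction
}

// digest is the value actually signed: every field is bound into it, so any
// change to amount, merchant, token or counter invalidates the signature.
func (t Transaction) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s|%s|%d|%d", t.Token, t.MerchantID, t.AmountCents, t.Counter)
	return h.Sum(nil)
}

// Card models the chip: the private key never leaves it, and it signs only
// after the cardholder's PIN has been verified on-card.
type Card struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
	counter uint64
}

func NewCard(pin string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Public is what gets registered with the issuer at enrollment.
func (c *Card) Public() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign checks the PIN locally (the PIN is never part of the message), bumps
// the counter and signs the transaction digest with the on-card private key.
func (c *Card) Sign(token, merchant string, amount int64, pin string) (Transaction, []byte, error) {
	if sha256.Sum256([]byte(pin)) != c.pinHash {
		return Transaction{}, nil, errors.New("PIN rejected on card")
	}
	c.counter++
	tx := Transaction{Token: token, MerchantID: merchant, AmountCents: amount, Counter: c.counter}
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, tx.digest())
	return tx, sig, err
}

// Issuer holds the public keys registered at enrollment and the last counter
// seen per token. Nothing it stores would let an attacker forge a signature.
type Issuer struct {
	keys     map[string]*ecdsa.PublicKey
	lastSeen map[string]uint64
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]*ecdsa.PublicKey{}, lastSeen: map[string]uint64{}}
}

func (i *Issuer) Enroll(token string, pub *ecdsa.PublicKey) { i.keys[token] = pub }

// Authorize verifies against the key registered for the token (never a key
// carried in the message) and rejects a counter that does not move forward.
func (i *Issuer) Authorize(tx Transaction, sig []byte) error {
	pub, ok := i.keys[tx.Token]
	if !ok {
		return errors.New("unknown token")
	}
	if !ecdsa.VerifyASN1(pub, tx.digest(), sig) {
		return errors.New("bad signature")
	}
	if tx.Counter <= i.lastSeen[tx.Token] {
		return errors.New("replayed or stale counter")
	}
	i.lastSeen[tx.Token] = tx.Counter
	return nil
}

// Scenario runs one genuine purchase and three attacks an interceptor of the
// message could try; it returns the issuer's verdict for each.
func Scenario() (genuine, tampered, replayed, wrongPIN error) {
	card, err := NewCard("4821") // constructed PIN for the example
	if err != nil {
		return err, err, err, err
	}
	issuer := NewIssuer()
	const token = "tok-7f3a9c" // hypothetical opaque token
	issuer.Enroll(token, card.Public())

	tx, sig, err := card.Sign(token, "MERCHANT-001", 4599, "4821")
	if err != nil {
		return err, err, err, err
	}
	genuine = issuer.Authorize(tx, sig)

	bumped := tx // interceptor changes the amount: signature no longer matches
	bumped.AmountCents = 459900
	tampered = issuer.Authorize(bumped, sig)

	replayed = issuer.Authorize(tx, sig) // verbatim replay: counter is stale

	_, _, wrongPIN = card.Sign(token, "MERCHANT-001", 100, "0000") // card refuses to sign
	return
}

func main() {
	g, t, r, p := Scenario()
	fmt.Println("genuine:", g, "| tampered:", t, "| replayed:", r, "| wrong PIN:", p)
}
```

The contrast with the PAN model is the last three lines of Scenario: an attacker who captures the whole message gets a token that only ever works together with a fresh signature from the chip, so it can’t be reused for a card-not-present purchase, altered, or replayed. A production design would still need key attestation at enrollment, certificate-based key distribution and a revocation path, none of which this sketch covers.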
Given that the EMV rollout was just a few years ago, there’s no excuse for what the industry forced on us in 2015. It’s a half-finished band-aid that addresses a relatively minor fraud vector and, by shining a light on EMV’s weaknesses, made our fraud problems far worse. At BlockChyp, we’re stuck working within this system, but all of our transactions are wrapped with multiple layers of additional asymmetric encryption. Apple Pay and the other mobile wallets essentially hacked around the limitations of EMV: they put a device-specific token in place of the real PAN and attach a per-transaction cryptogram, so a captured message doesn’t yield a reusable card number.
These are just workarounds implemented by the few players in the payments space that are actually trying to be conscientious about security. But the system is rotten at its core, and it won’t change as long as people with contempt for technology hold the reins of the big payments companies. If you’re hoping that the card associations and acquirers will suddenly get religion and start reforming the system, give up hope. The cavalry isn’t coming. EMV was their last big chance to do something right, and they completely blew it.
Whatever change is coming will have to come from the outside. Classic payments.