The Chip And PIN Debate – Part 1

Wednesday, September 08, 2010

PCI Guru


Based on the comments posted to my blog, my Chip and PIN post has really hit a nerve.  As a result, I thought I should go back and re-examine that post as well as provide some additional information and analysis based on the comments left here.

First, I want to clarify that the PCI DSS and the rest of the PCI standards have nothing to do with the type of credit cards used by customers.  Yes, the PCI PTS indirectly deals with the card because it is all about terminals that read the card, but the PTS does not issue standards regarding the card itself. 

So, whether we are talking about a traditional credit card with a magnetic stripe or the latest version of EMV (aka Chip and PIN), the PCI standards do not care.  And I challenge anyone to show me any PCI requirement that specifies anything regarding the security of the physical credit card.  Such a requirement does not exist and that, in and of itself, should be very telling. 

The PCI standards do not discuss the type of credit card because, at the end of the day, the credit card is not the problem the PCI standards are meant to address; it is the data contained on those credit cards, which gets processed, stored or transmitted through applications and networks, with which the PCI standards are concerned.

Next, I want to reiterate that EMV was developed to address an immediate problem that was occurring in Europe in the late 1980s and early 1990s.  You see, EMV pre-dates the Internet; in fact, the original standard, v3.2, was issued just as the Internet was getting off the ground.

The problem EMV was developed to address was high rates of fraud with card present transactions.  This was just after the fall of the Iron Curtain and face-to-face transaction fraud was rampant by bankers’ standards.  However, let us be clear, it is not that EMV cannot be used to address issues with on-line transactions, but that is not what EMV was originally intended to address.

Has EMV been successful in addressing the original problem of card present fraud?  No doubt.  Europe’s card present fraud rates have dramatically dropped.  However, why has the discussion about bringing EMV to the masses of the world stalled?  It is because there is no driver for the banks to incur the costs related to such a conversion. Why?  It all comes down to numbers. 

According to The Nilson Report released in July 2010, while card fraud grew 7% in 2009, losses related to fraud as measured against total amounts charged actually dropped 0.1% to 4.7%.  And if you think bankers are interested in making changes when their approval ratings are sitting around that of used car salesmen, think again.

As I stated earlier, the only way banks can do such a conversion is to absorb the cost of the conversion, and that just is not going to happen at this time.  In addition, even with Wal*Mart’s chest thumping about EMV, the cost of converting all of the terminals in their stores to support true EMV is mind boggling. 

But you say, “When Wal*Mart made their announcement they said their POS was EMV enabled.”  Sure, Wal*Mart’s POS is EMV enabled because all EMV cards come with the requisite magnetic stripe to be compatible with non-EMV terminals and their POS already supports PIN entry, so they are good to go. 

What people did not hear from Wal*Mart is that they would still take about 5 to 8 years to convert all of their terminals to pure EMV starting with their major metropolitan stores and then throughout the remainder.  “And that,” as Paul Harvey used to say, “is the rest of the story.”

What I think confuses people is that the dollar amounts we are discussing are huge, some would argue obscenely huge.  In the immortal words of US Senator Everett Dirksen, “A billion here, a billion there, and pretty soon you’re talking about real money.”  And that is exactly what is going on with the dollar amounts behind these percentages. 

The total amount of charges made in 2009 was a staggering $16.6 trillion US dollars.  Yes, that is trillion, with its 12 trailing zeroes.  Fraud for all of 2009 amounted to $7 billion, which is a pittance when compared to the total.  Yes, these are all very, very large amounts of money.  But in an analysis, the size of the numbers does not matter; it is all about the relationships between those numbers.

When a banker looks at the fraud losses, they see two numbers: the monetary loss and the percentage that loss represents.  At 4.7%, fraud losses are considered manageable and can be appropriately compensated for by interchange and exchange fees as well as chargeback fees.  That may be a cold way of looking at things, but that is how business is done.

Cross-posted from PCI Guru
