Debunking 11 EMV Card Myths

Though some credit unions are already releasing their next generation of chip cards and members know the dip-and-wait purchase approval process, there are still many misperceptions about the technology.

Princeton Junction, N.J.-based the U.S. Payments Forum created a guide, “Debunking EMV Myths,” aimed at separating fact from fiction for all stakeholders about contact and contactless payments cards when it comes to the tech’s security features and fraud effects.

“Consumers in the U.S. are now used to paying with chip cards in stores for enhanced security, and contactless payments are starting to take hold for added speed and convenience. This is why it’s more important than ever that we’re all relaying reliable information about the technology and its security features,” Randy Vanderhoof, director of the U.S. Payments Forum, said.

The guide deals with some common myths regarding chip technology:

1. EMV will eliminate all payments fraud. “The chip technology was introduced to eliminate the growing issue of counterfeit card present fraud and has been extremely effective.” To protect payments outside of card-present transactions, such as card-not present fraud, merchant identity fraud, phishing and more, experts recommend a layered security approach such as encryption, tokenization and multi-factor authentication.
2. Chip card transactions use encryption technology. EMV chip technology uses cryptographic card authentication to help protect against the acceptance of counterfeit cards. EMV does not encrypt any card data during the chip transaction process.
3. EMV was implemented in the U.S. to shift fraud liability from one party to another. The technology was introduced to incentivize both merchants and issuers to make the transition to the more secure technology; the party with the less-secure technology is responsible for the cost of a fraudulent transaction.
4. EMV only prevents fraud with chip and PIN. This is inaccurate. The chip on its own is the primary mechanism for preventing card present counterfeit card fraud. EMV chip technology provides dynamic data for every transaction to the card issuer. Adding PIN to the security features of EMV adds another layer of security.
5. Payment fraud just shifted to CNP and net fraud is going up. With chip card payments reducing fraud at the point of sale, criminals are looking for new avenues, including buy online pick up in store fraud, and CNP fraud and at automated fuel dispensers, where EMV chip upgrades have not yet occurred. “Statistics are actually showing that the overall proportion of CNP fraud is actually staying relatively even – and perhaps even decreasing – as a percentage of online sales.”
6. A thief can easily electronically pickpocket a contactless card/device. While smart phone apps enable the phone to read some of the data from a contactless enabled card or device, they can only read the account number and expiration date. Plus, the thief would need to be physically close to the card to get this information.
7. A thief with intercepted contactless information, can create a counterfeit card and successfully use it to conduct in-store transactions. During a contactless transaction, the payment device – card, mobile device or wearable – provides a dynamic, one-time use code necessary to successfully complete the transaction. A thief with someone’s contactless card information would not be able to create a counterfeit card that could replicate the one-time code needed for a successful in-store transaction. The information is also not sufficient to create and use a magnetic stripe card for a transaction.
8. Even if a thief can’t counterfeit a contactless card, they can make purchases online or by phone. For a purchase to be authenticated and authorized via phone or online, typically several pieces of information must be presented – including the three-digit code on the back of a card and the cardholder’s name and billing address. Since the card or device does not send this information, the thief won’t have the information typically needed to conduct payment transactions, either in person, on the phone or online.
9. In addition to stealing card data, thieves can also steal identities. Contactless cards and devices do not transmit information about the cardholder such as name or address to mitigate the chance of identity theft.
10. Thieves can create usable counterfeit cards through shimming. Shimmers that collect card data from an EMV chip card inserted in a terminal do exist, the usefulness of the data collected is severely limited because EMV chips create dynamic data unique for every transaction. “Without the chip’s cryptographic keys, it’s not possible to create a functioning counterfeit version of a chip card to be used through the contact or contactless interfaces.” Issuer financial institutions and merchants also use 3D Secure, CVC2, address verification and other techniques to prevent the use of shimmed data.
11. Cardholders are responsible for purchases made by thieves if they steal card information. Issuers have zero liability policies, so cardholders are not liable for fraudulent charges. For specific policy information, cardholders should contact their financial institution.