EMV Chip Card Security Vs. Magnetic Stripe Card Security
By: John McNamara
Feb 12, 2018
In October 2015, liability for counterfeit card fraud at the point of sale shifted away from card issuers and toward merchants that had not yet adopted chip-card acceptance, as the USA transitioned to the EMV (Europay, Mastercard® and Visa®) credit and debit card standards.
Restaurants and nearly all other merchants should re-evaluate their existing payment practices, and possibly their current POS system, in light of this change. A compelling reason for the switch is the security of each system. Let's compare magnetic stripe credit cards and EMV chip cards to understand the approach each takes to protect card data and transactions, as well as their respective shortcomings.
A magnetic stripe credit card is simply a storage device. The stripe on the back works very much like a piece of cassette tape and holds data on three tracks (the layout is standardized in ISO/IEC 7813). Track 1 contains the primary account number (PAN), the cardholder's name, the expiration date, a three-digit service code and issuer discretionary data. Track 2 contains the same PAN, expiration date and service code in a compact numeric form, plus discretionary data that includes the card verification value (CVV1/CVC1, a static value that is distinct from both the PIN and the three-digit code printed on the card). Track 3 is generally not used. Everything on the stripe is stored in cleartext and never changes, so a single read of the stripe yields everything needed to produce a working copy. The Toast POS system introduces an additional layer of security by providing end-to-end encryption of this data on any transaction.
Credit cards work because merchants trust the holder’s card is valid and the issuing bank will make payments. Over time, two things have contributed to eroding this trust:
1) The security methods protecting customer data have not kept pace with technology, making them too vulnerable to hackers.
2) The theft of payment data from millions of cardholders dramatically increases the potential for future fraud. Only the belief that credit card issuers will make good on fraud holds this system together. The root of the problem is inadequate credit card security.
When a credit card is swiped through a reader, the data on the magnetic stripe is transmitted to the merchant's acquirer, the company that collects the merchant's authorization requests, routes them through the card network to the issuing bank, and guarantees payment to the merchant. For each request the acquirer checks the merchant ID, and the issuer checks the card number, expiration date, available credit and usage patterns before returning an approval or a decline.
Other credit card security features are specific to card issuers, such as holograms, illustrations, ultraviolet ink and embossed data. In addition, every valid card account number passes a checksum known as MOD 10 (the Luhn algorithm). That check only catches mistyped or misread digits; it is trivial to generate numbers that satisfy it, so it is not a fraud control. Because these physical features and static data are the whole of magnetic stripe security, the USA lost $5.3 billion to card fraud in 2012 compared to $6 billion for the rest of the world combined, and it is the only country with consistent year-over-year fraud growth, according to the Nilson Report. To restore trust and improve security the USA is adopting EMV, which is the predominant system used by the rest of the world.
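To make the two preceding points concrete (what the stripe actually carries, and what the MOD 10 check does and does not prove), here is an added example that is not code from the original article or from Toast. It parses Track 1 and Track 2 records in the ISO/IEC 7813 layout, runs the Luhn check, and decodes the service code, which is how a terminal can tell that a swiped card should have been dipped. The track strings are constructed test data using the well-known Visa test PAN 4111 1111 1111 1111 and a made-up cardholder name; they were not read from any real card.

```python
"""Parse magnetic-stripe track data and run the MOD 10 (Luhn) check.

Added example, not code from the original article or from Toast. The track
strings are constructed test data in ISO/IEC 7813 layout using the Visa test
PAN 4111 1111 1111 1111; they were not read from any real card.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: this is exactly what a skimmer or a compromised
# swipe reader sees, in cleartext, on every swipe.
TRACK1 = "%B4111111111111111^DOE/JOHN^25122011234567890123?"
TRACK2 = ";4111111111111111=25122011234567890?"

# Track 1: start sentinel %, format code B, PAN, ^, name, ^, YYMM, service
# code, discretionary data (where CVV1 lives), end sentinel ?.
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: start sentinel ;, PAN, =, YYMM, service code, discretionary, ?.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


@dataclass
class Track:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str
    name: Optional[str] = None


def parse_track1(data: str) -> Track:
    m = TRACK1_RE.match(data)
    if not m:
        raise ValueError("not a valid Track 1 record")
    return Track(m["pan"], m["exp"], m["svc"], m["disc"], m["name"])


def parse_track2(data: str) -> Track:
    m = TRACK2_RE.match(data)
    if not m:
        raise ValueError("not a valid Track 2 record")
    return Track(m["pan"], m["exp"], m["svc"], m["disc"])


def luhn_valid(pan: str) -> bool:
    """MOD 10 check: double every second digit from the right, subtract 9
    from doubled values above 9, and require the sum to be a multiple of 10.
    It catches mistyped digits; it is not a security control, because anyone
    can generate numbers that satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_service_code(svc: str) -> Dict[str, bool]:
    """Digit 1 in {2, 6} means 'use the chip where possible', which is how a
    terminal knows a swiped card should have been dipped instead.
    Digit 3 in {0, 3, 5} means a PIN is required."""
    return {"chip_preferred": svc[0] in "26", "pin_required": svc[2] in "035"}


def audit_swipe(track1: str, track2: str) -> Dict[str, object]:
    """Summarise what one swipe exposes and whether it should have been a dip."""
    t1, t2 = parse_track1(track1), parse_track2(track2)
    if t1.pan != t2.pan:
        raise ValueError("Track 1 and Track 2 disagree on the PAN")
    flags = decode_service_code(t2.service_code)
    return {
        "pan": t1.pan,
        "name": t1.name,
        "expiry": t1.expiry_yymm,
        "luhn_ok": luhn_valid(t1.pan),
        "chip_card_swiped": flags["chip_preferred"],
        "pin_required": flags["pin_required"],
    }


if __name__ == "__main__":
    for key, value in audit_swipe(TRACK1, TRACK2).items():
        print(f"{key}: {value}")
```

Running the audit on the constructed tracks reports the full PAN, name and expiry in the clear, a passing Luhn check, and a service code of 201, meaning the card carries a chip and a swipe should have been refused in favour of a dip. Note that the Luhn check passes for any well-formed number, including ones an attacker generates, which is why it belongs in input validation rather than in a fraud model.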
EMV Chip Cards
EMV (Europay, Mastercard and Visa) cards carry a computer chip that stores the account data together with cryptographic keys that never leave the chip, a payment application, and a set of rules defined by the issuing bank that the card must follow. At its simplest, an EMV-enabled terminal communicates with the chip in the holder's card. The chip holds what is needed to authenticate the card itself to the terminal and the issuer; the cardholder is verified separately, by entering a PIN or providing a signature, to confirm that they are the true card holder.
Each time the holder presents the card for purchase and 'dips' it (inserts the EMV card into the terminal), the chip communicates with the merchant's EMV terminal and the card is validated. Instead of being swiped and handed straight back, the card remains in the terminal until the transaction is complete. The card and terminal agree on the payment application to run, and the card supplies the list of instructions and restrictions defined by the bank. The chip then uses its keys to compute a cryptogram over the transaction details, including an unpredictable number generated by the terminal and the card's own transaction counter, so every transaction is marked with a value that is unique to it and cannot be reused. (EMV's offline methods for authenticating the card itself are called static, dynamic and combined data authentication, or SDA, DDA and CDA.) When first introduced in the USA, EMV cards used signatures to verify the cardholder, which is expected to be replaced over time with a four to six digit PIN. Because the keys never leave the chip and each transaction's cryptogram is unique, reading the card's data once is not enough to produce a usable duplicate.
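The exchange described above, as an added example that is not code from the original article, from Toast, or from the EMV specifications. It keeps the shape of an EMV online authorization (a card master key that never leaves the chip, a per-transaction session key, an application transaction counter, a terminal-generated unpredictable number, and an issuer that recomputes the cryptogram) but substitutes HMAC-SHA256 for the 3DES-based MAC real EMV uses, and simplifies the key derivation and data layout. All keys, PANs, currency codes and amounts are constructed. The scenarios show why a captured cryptogram is useless to replay and why a clone built from stripe data cannot produce one.

```python
"""Model of the per-transaction cryptogram that makes an EMV dip unique.

Added example, not from the original article, Toast or the EMV specs:
HMAC-SHA256 stands in for EMV's 3DES MAC, and key derivation and data
layout are simplified. All keys, PANs and amounts are constructed.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Tuple


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    """Per-transaction key from the card master key and the transaction counter."""
    return hmac.new(master_key, b"SK" + struct.pack(">H", atc), hashlib.sha256).digest()


def transaction_data(pan: str, amount_cents: int, currency: str,
                     unpredictable: bytes, atc: int) -> bytes:
    """Fields the cryptogram commits to; changing any of them changes the MAC."""
    return b"|".join([pan.encode(), str(amount_cents).encode(), currency.encode(),
                      unpredictable.hex().encode(), struct.pack(">H", atc)])


def compute_cryptogram(master_key: bytes, pan: str, amount_cents: int,
                       currency: str, unpredictable: bytes, atc: int) -> bytes:
    sk = derive_session_key(master_key, atc)
    data = transaction_data(pan, amount_cents, currency, unpredictable, atc)
    return hmac.new(sk, data, hashlib.sha256).digest()[:8]  # 8-byte ARQC


@dataclass
class ChipCard:
    pan: str
    master_key: bytes   # personalised into the chip; never readable from outside
    atc: int = 0        # application transaction counter, increments per use

    def generate_arqc(self, amount_cents: int, currency: str,
                      unpredictable: bytes) -> Tuple[int, bytes]:
        self.atc += 1
        return self.atc, compute_cryptogram(self.master_key, self.pan, amount_cents,
                                            currency, unpredictable, self.atc)


class Issuer:
    """Holds each card's master key and the highest counter value seen for it."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.last_atc: Dict[str, int] = {}

    def enroll(self, card: ChipCard) -> None:
        self.keys[card.pan] = card.master_key

    def authorize(self, pan: str, amount_cents: int, currency: str,
                  unpredictable: bytes, atc: int, arqc: bytes) -> bool:
        key = self.keys.get(pan)
        if key is None:
            return False
        if atc <= self.last_atc.get(pan, 0):
            return False  # counter already used: a replayed cryptogram
        expected = compute_cryptogram(key, pan, amount_cents, currency, unpredictable, atc)
        if not hmac.compare_digest(expected, arqc):
            return False  # wrong key, altered data or a different terminal nonce
        self.last_atc[pan] = atc
        return True


def run_scenarios() -> Dict[str, bool]:
    """Genuine dip, two replays, an altered amount and a stripe-style clone."""
    issuer = Issuer()
    card = ChipCard(pan="4111111111111111", master_key=os.urandom(16))
    issuer.enroll(card)

    un_a = os.urandom(4)  # terminal A's unpredictable number
    atc1, arqc1 = card.generate_arqc(4250, "840", un_a)
    genuine = issuer.authorize(card.pan, 4250, "840", un_a, atc1, arqc1)

    # Replaying the captured cryptogram at the same terminal or another one.
    replay_same = issuer.authorize(card.pan, 4250, "840", un_a, atc1, arqc1)
    un_b = os.urandom(4)
    replay_other = issuer.authorize(card.pan, 4250, "840", un_b, atc1, arqc1)
    # Even without the counter check, terminal B's nonce would change the MAC.
    nonce_bound = compute_cryptogram(card.master_key, card.pan, 4250, "840",
                                     un_b, atc1) != arqc1

    # Merchant alters the amount after the chip has committed to it.
    atc2, arqc2 = card.generate_arqc(999, "840", un_b)
    tampered = issuer.authorize(card.pan, 99900, "840", un_b, atc2, arqc2)

    # A clone built from stripe data knows the PAN but has no key to MAC with.
    forged = issuer.authorize(card.pan, 4250, "840", un_b, atc2 + 1, os.urandom(8))

    return {"genuine": genuine, "replay_same_terminal": replay_same,
            "replay_other_terminal": replay_other, "nonce_bound": nonce_bound,
            "tampered_amount": tampered, "stripe_clone": forged}


if __name__ == "__main__":
    for name, approved in run_scenarios().items():
        print(f"{name}: {'approved' if approved else 'declined'}")
```

Only the genuine dip is approved. The replays fail on the transaction counter, and would fail on the MAC anyway because the second terminal's unpredictable number is different; the altered amount and the key-less clone fail the MAC outright. Contrast this with the stripe, where the same static bytes authorize every transaction.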
EMV cards have reduced fraud in all areas of credit card use among the 28 countries of the European Union. Despite efforts by banks and card companies to improve fraud prevention, the rate of data theft and fraud continues to increase in the United States. It only makes sense to adopt EMV, as it has already gained worldwide acceptance and offers significant improvements over the existing payment environment in the U.S. For restaurant guests, paying with an EMV chip card will feel different from the existing swipe-and-sign method: the entire transaction takes place at the table, and the card never leaves the guest's sight.
As secure as EMV cards are, they are not a total solution to card fraud. The holder's data is protected to a greater degree: it is far more difficult to duplicate an EMV card, and the card never leaves the cardholder's sight during a transaction. But EMV does nothing for fraud perpetrated online, where no chip is present and the card number, expiry and printed security code are all that is checked. EMV cards also still carry a magnetic stripe for fallback, so skimmed track data remains usable wherever a plain swipe is still accepted. From a security standpoint, EMV is a good step forward for card security and fraud prevention in the U.S., but likely not the final one.