Author: Conleth O’Connell
The EMV chip card is one small part of a much bigger security picture, but I believe there are bigger advances that will quickly surpass this change. The biggest difference between the magnetic strip and the chip is that the chip cannot be easily scanned and it is encrypted so it can only be read by approved chip readers. While this is an improvement, I believe chips will soon be surpassed by improved three-factor security checks used in mobile wallets.
There are three factors currently used for validating authority to use a credit card after you enter the card number online or swipe it at a register:
- Something you have – Such as the CVV on the back of the card or a one-time use pass key sent to your phone
- Something you know – Username, PIN/password or your zip code
- Who you are – Fingerprint, voice recognition
Matching two of the three provides a level of security, but having all three is optimal; at least two factors should be the minimum requirement. Using a fingerprint or voice is much better than a code that can be stolen, but even a code is better than nothing.
What We Have Now – Single-Factor and Two-Factor
The U.S. predominantly uses card (what you have) and signature (who you are) for validation. Europe uses card (what you have) and PIN (what you know). Aren’t they the same? No, because we’ve had swipe and sign for decades now. However, I have yet to see the signature pad return an error message of “Please try again. Your signature didn’t match the one we have on file”. When was the last time a vendor checked to see if your card was signed on the back and compared that signature to the one on your receipt? So even with the EMV chip, the U.S. is in no better a spot than it was without it. It is only using single-factor security – what you have, with the illusion that we are also using who you are.
When you pay at the gas pump, you are using two-factor security. You present your card (what you have) then you have to provide your billing zip code (what you know). If you pay at a register with a debit card, a PIN has always been required. The major difference now is that the encoding information used to verify the data is in a chip instead of a mag strip. While this is better than the non-verified signature requirement, using a fingerprint or voice recognition would go a long way toward reducing unauthorized credit card use.
The Future – Mobile Wallets
Led by Apple Pay, mobile wallets are growing in popularity because they offer even better security than the “what you have” and “what you know” options. They also bring “who you are” into the mix by supporting fingerprints and picture validation. After signing into your mobile wallet (what you have and what you know), you authorize the purchase by swiping your fingerprint (who you are), which is matched to the one on file. Using actual pictures within the app that look like you (vs. the grainy blurs that appear on some cards) means servers can easily verify that you are the person authorized to use the card. Three-factor security is what will gain the trust of cardholders and vendors to propel mobile wallets from being a hip alternative to a mainstream payment method.
Why Should I Care?
Credit card companies are using a carrot-and-stick approach to make us feel more comfortable spending money with our credit cards. The stick is new service agreements that are shifting the financial responsibility from the credit card companies to the point-of-sale merchants. If a merchant initiates the transaction, they are responsible for performing the security checks necessary to ensure the card is being presented by an authorized user. If the transaction proves to be fraudulent, the merchant will have to absorb the loss instead of the credit card company. This will hit the smaller merchants hardest because they don’t have the buffer that larger corporations have to eat the charges.
The carrot is that as we improve security and reduce the number of fraudulent charges, vendors will be able to confidently accept credit cards without the fear that they will be ripped off. One would even think that by shifting the risk to the merchants, the fees for using credit cards would be reduced because the credit card companies can no longer use that as their excuse for keeping fees high.
For now, single-factor security is still the norm in the U.S. and new chip cards have yet to fulfill their promise of improved security. Going forward, mobile wallets appear to hold the best promise for improving security for both vendors and cardholders.
About the Author
Dr. Conleth (Con) O’Connell has over 25 years of executive experience in Software-as-a-Service (SaaS), enterprise and mobile technology for high-growth companies where he developed and delivered superior user experiences across a variety of market segments. Conleth holds a Ph.D. in Computer and Information Science from The Ohio State University, is a published author, holds multiple patents across several technical disciplines and is a sought-after speaker on Web technology, enterprise content management and social media.