Despite the superior security features associated with EMV technology, the Federal Bureau of Investigation (FBI) has issued a warning that the new chip cards currently making their way into American wallets may be vulnerable to certain types of fraud.
In a public service announcement released in October, the FBI warned law enforcement, merchants and cardholders that no one technology eliminates fraud, and that cybercriminals will continue to look for opportunities to steal payment information.
“Although EMV cards provide greater security than traditional magnetic strip cards, an EMV chip does not stop lost and stolen cards from being used in stores, or for online or telephone purchases when the chip is not physically provided to the merchant, referred to as a card-not-present transaction,” notes the FBI. “Additionally, the data on the magnetic strip of an EMV card can still be stolen if the merchant has not upgraded to an EMV terminal and it becomes infected with data-capturing malware. Consumers are urged to use the EMV feature of their new card wherever merchants accept it to limit the exposure of their sensitive payment data.”
Chip cards get their name from their embedded microprocessor chip that that offers a greater level of security than possible with the previous standard, the magnetic strip. This is because the chip generates a unique code for each individual transaction that cannot be used again, rendering any stolen transaction information useless to thieves. This so-called “dynamic data” has been proven to be extremely effective in reducing counterfeit card rates in countries where it is used.
Until the transition to EMV in the U.S. is complete, chip cards will also feature a magnetic stripe. Although EMV cards are available as either “chip-and-PIN” (requiring the cardholder to enter their personal identification number to complete a transaction) or “chip-and-signature” (requiring the cardholder’s signature), U.S. banks have primarily chosen to issue “chip-and-sig” cards for now.
Consequently, if a chip-and-sig card is lost or stolen, a fraudster can use it at the point of sale by sliding the mag stripe edge of the card through the card reader at the terminal and forging the cardholder’s signature. As always, cardholders should closely safeguard their payment cards and report any lost or stolen cards to the issuer as soon as possible.
Additionally, the FBI encourages merchants who deal in card-not-present (CNP) transactions to handle an EMV card and its data with the same security precautions they use for standard credit cards. “Merchants handling sales over the telephone or via the Internet are encouraged to adopt additional security measures to ensure the authenticity of cards used for transactions,” it advises. “At a minimum, merchants should use secure servers and payment links for all Internet transactions with credit and debit cards, and information should be encrypted, if possible, to avert hackers from compromising card information provided by consumers. Credit card information taken over the telephone or through online means should be protected by the retailer to include encrypting digital information and securely disposing written credit card information.”
Retailers and service providers who deal in card-present transactions are reminded that upgrading to EMV terminals at the POS is the best way to protect their customers and their business from fraudulent transactions.
EMV is a registered trademark or trademark of EMVCO LLC in the United States and other countries. www.emvco.com