So after all of the investment in EMV, many people including the ECB and Europol are asking why cards still need a magstripe – but is it really the big problem that people suggest?
The continuing use of magstripe maintains two well-known security loopholes in the cards system – the ability to easily capture data through skimming, and the ability to replay it into the system through the use of easily cloned cards. However, with increased focus on anti-skimming programs and banks now allowed under scheme rules to employ geographic declines, this loophole is being made smaller.
It seems that preventing the initial loss of data is a key factor in stopping fraud – whether that be card data, internet banking credentials or other identification data – which is why many see the magstripe as a weak link. However, some of the largest leaks in recent times have been due to the lack of data security at retailers and the lack of end-to-end transaction encryption. To counteract this, in May 2010, following launch of the PCI PTS standard v3.0, SPVA launched a set of recommendations for terminal vendors and retailers known as the End-to-End Security Requirements. These requirements seek to encourage the encryption of data in storage or transmission throughout the transaction process and so prevent it from being usable by hackers even if systems are breached. If, as the international schemes have mandated, merchants, providers and banks also adhere to standards such as PCI DSS, the reduction in fraud could be considerable and the method used to introduce it into the payment system becomes much less important.
In all markets, innovation continues unbound in the race to further secure all consumer-bank interaction channels. In face-to-face card transactions EMV-based contactless cards are being rolled out directly with CDA for the contactless interface, bypassing both SDA and DDA to maintain the gap with fraudsters. This essential ‘breathing room’ has been made possible by the necessity to roll out new terminals and/or readers for the contactless interface. It consequently means that despite consumer fears, EMV contactless cards used above the no-CVM limit (normally around 20 EUR) are considerably more secure than traditional chip cards using SDA or DDA.
However, in order to maintain the ‘customer need’ for global interoperability, the major payment schemes are mandating continuing support for magnetic stripe transactions for their global brands, and also that data equivalent to the stripe be held freely available on the chip. Preliminary research has concluded that cards without a magstripe may be feasible in some markets – although the majority of ATMs still use magstripe for card verification. Visa have created a scheme, VPay, specifically for the EMV-only markets in Europe, within which the card is not mandated to carry a full magstripe. It allows a limited magnetic stripe (or short stripe) with only a ‘start sentinel’ that is needed for ATM activation to be issued – although clearly it cannot be accepted at locations without a chip reader, such as in the USA. The net effect though is to reduce the number of cards with magstripe and therefore reduce the ‘pool’ that can be defrauded in this way.
Unfortunately the initial problem with magstripe still exists – it is easy to read and easy to copy. While it is still essential for global interoperability, it isn’t essential for everyone. Perhaps, as in the US where travellers are being issued with EMV cards by some of the more broad-minded banks, banks in EMV countries should be focussing on which of their customers really need global interoperability and only supplying it where necessary. So in essence it isn’t magstripe that is the biggest problem; it’s the provision of global interoperability, particularly where it isn’t necessary, that causes a lot of the card business’ ills.
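As an added example (not from the article or any scheme's own rules), the issuer-side policy the article argues for: chip and contactless reads are accepted anywhere, while a magstripe read is accepted only at home or in regions the cardholder has asked for, so that a cloned stripe used elsewhere is a geographic decline. The card profile fields, the transaction shape and all sample data are assumptions constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class CardProfile:
    pan_last4: str
    home_country: str
    # Countries where the cardholder has asked for magstripe acceptance.
    # Empty means magstripe only works at home. Hypothetical issuer field.
    magstripe_allowed: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class Transaction:
    pan_last4: str
    country: str
    entry_mode: str   # "chip", "contactless" or "magstripe"
    amount_eur: float

def authorise(card: CardProfile, txn: Transaction) -> tuple[str, str]:
    """Return (decision, reason). EMV reads are accepted anywhere; a
    magstripe read is accepted only where the cardholder needs it."""
    if txn.entry_mode in ("chip", "contactless"):
        return "approve", "emv"
    if txn.entry_mode != "magstripe":
        return "decline", "unknown-entry-mode"
    if txn.country == card.home_country:
        return "approve", "magstripe-home"
    if txn.country in card.magstripe_allowed:
        return "approve", "magstripe-travel"
    return "decline", "geographic-decline"

def exposure_report(cards: dict, txns: list) -> Counter:
    """Count outcomes over a batch, showing how much of the magstripe
    'pool' the policy removes from reach of a cloned card."""
    return Counter(authorise(cards[t.pan_last4], t)[1] for t in txns)

# Constructed sample data: a home-only card and a traveller's card.
CARDS = {
    "1111": CardProfile("1111", "DE"),
    "2222": CardProfile("2222", "DE", frozenset({"US"})),
}
SAMPLE_TXNS = [
    Transaction("1111", "DE", "chip", 35.0),
    Transaction("1111", "DE", "magstripe", 80.0),   # legacy ATM at home
    Transaction("1111", "US", "magstripe", 250.0),  # cloned stripe abroad
    Transaction("2222", "US", "magstripe", 120.0),  # traveller, enabled
    Transaction("2222", "BR", "magstripe", 400.0),  # outside enabled region
]
```

Running `exposure_report(CARDS, SAMPLE_TXNS)` on the sample batch declines the two out-of-region magstripe reads and approves the rest.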