EMV: Why Payment Systems Fail

By Ross Anderson, Steven J. Murdoch

Communications of the ACM, Vol. 57 No. 6, Pages 24-28

U.S. credit card companies and banks are beginning to distribute new credit cards with an embedded chip as well as the magnetic strip that has been in use since the 1970s. Named for its promoters Europay, MasterCard, and Visa, the EMV system augments the old magnetic strip cards with a chip that can authenticate a transaction using cryptography—a so-called "smartcard." EMV was deployed in the U.K. from 2003 to 2006 and in other European countries shortly afterward; it is now being rolled out from India to Canada. The idea was to cut fraud drastically, but real-world experiences turned out to be somewhat more difficult than theory. As shown in Figure 1, fraud in the U.K. went up, then down, and is now heading upward again.

The idea behind EMV is simple enough: The card is authenticated by a chip that is much more difficult to forge than the magnetic strip. The cardholder may be identified by a signature as before, or by a PIN; the chip has the ability to verify the PIN locally. Banks in the U.K. decided to use PIN verification wherever possible, so the system there is branded "chip and PIN"; in Singapore, it is "chip and signature" as banks decided to continue using signatures at the point of sale. The U.S. scheme is a mixture, with some banks issuing chip-and-PIN cards and others going down the signature route. We may therefore be about to see a large natural experiment as to whether it is better to authenticate transactions with a signature or a PIN.


