Newsroom

Press Releases

STAMFORD, Conn., February 2, 2015

At Least 5 Percent of Card Issuers Will Suffer Fraud on EMV Cards Due to Improper Implementations By The End of 2015


Following some high-profile data breaches in 2014, U.S. payment card network participants began heavily endorsing Europay, MasterCard and Visa (EMV) chip cards as an important way to prevent damage from payment card breaches. However, criminals have taken advantage of poor implementations of EMV chip payment applications, committing extensive fraud that defeats EMV controls for everyone in the payment card ecosystem.

In her research note “Avoid Pitfalls with Payment Card Security Technologies and PCI,” Avivah Litan, vice president and distinguished analyst at Gartner, points out some of the hidden problems with payment card security technologies and the payment card industry (PCI). By year-end 2015, at least 5 percent of card issuers will suffer fraud on EMV cards due to improper implentations, up from a handful today.

In today’s blog post, Ms. Litan shared some of the findings from her report. Ms. Litan said:

EMV chip cards, already adopted in the rest of the world, have proven to dramatically reduce counterfeit card fraud because they are significantly harder to clone than magnetic stripe (magstripe) cards, which are still used throughout the U.S. Nevertheless, the adoption of EMV is relatively slow and as a result, payment card network participants must prepare for at least five more years of support for EMV chip as well as magstripe protocols on a single payment card.

Card data breaches have pushed U.S. banks, card networks, mega-retailers and other payment card acceptors into more aggressively adopting two further key security technologies in addition to EMV cards - tokenization and point-to-point encryption (P2PE).

Although these three security technologies have been around for years, interest in them soared after the breaches, and many enterprises have developed much more aggressive implementation timetables than they would have otherwise. However, in the march to rollout these enhanced security systems some vulnerabilities and conflicts have surfaced. This calls out the need for all players in the payment ecosystem to work together on open security standards, streamlined certification processes and shared education on best implementation practices.

EMV tokens, as first implemented by Apple Pay and the payment card networks, are based on different protocols than the tokenization systems merchants use to limit the scope of PCI audits, leading to potentially conflicting token implementations. Merchants who use their own tokenization system, and also accept Apple Pay or other EMV token payments, will end up with multiple tokens for one card number, defeating a major reason why many merchants adopted tokenization in the first place.

As far as point-to-point encryption (P2PE) is concerned, P2PE can usually be turned on within 3 months if the solution uses remote key injection and management. Physically injecting keys into each card reader in a “safe room” under its own “lock and key” obviously takes much longer. Once deployed, P2PE can help protect all card transactions against data breaches. Retailers we regularly speak with say they will turn on EMV acceptance “later”. They rightfully view EMV as mainly helping the card brands and issuers, although when EMV becomes ubiquitous it will help everyone.

More detailed analysis is available in the Gartner report "Avoid Pitfalls With Payment Card Security Technologies and PCI." The report is available on Gartner's website at http://www.gartner.com/document/2960533.

Payment card security will be discussed further at the Gartner Security & Risk Management Summits taking place June 8-11 in National Harbor, Maryland, July 13-15 in Tokyo, August 10-11 in Sao Paulo, August 24-25 in Sydney and September 14-15 in London.  

About Gartner

Gartner, Inc. (NYSE: IT), is the world’s leading research and advisory company and a member of the S&P 500. We equip business leaders with indispensable insights, advice and tools to achieve their mission-critical priorities today and build the successful organizations of tomorrow.

Our unmatched combination of expert-led, practitioner-sourced and data-driven research steers clients toward the right decisions on the issues that matter most. We are a trusted advisor and objective resource for more than 15,000 organizations in more than 100 countries — across all major functions, in every industry and enterprise size.

To learn more about how we help decision makers fuel the future of business, visit gartner.com.

Contacts