EMV is Not a Security Technology


So why do the banks and card brands want you to use it?

July 1, 2015 • Published by


What?

You are probably aware that chip cards (EMV) will ultimately replace magnetic stripe cards. You are also likely aware that if your business accepts credit cards, you must be able to accept EMV cards by October 2015, or you may have to pay the cost of fraudulent transactions, in addition to fines and fees, should your business suffer a breach.

You may have heard that EMV is a safer technology, which is why the banks and card brands want you to use it.

So why would I say that EMV is not a security technology?

Think of security technologies as those that protect data at rest or in transit. Tokenization and Point to Point Encryption are two great examples of this.

Tokenization: This process replaces a credit card number with a “token” that can then be stored and used later, for example when a guest checks out of a hotel. Now, if someone steals that token, they really can’t use it. This technology secures the credit card number primarily when it is at rest.

Point to Point Encryption (P2PE): This process encrypts a credit card number so that it can only be deciphered by someone who has the proper “key.” The number is encrypted from the point of swipe all the way to the card processor, who has the key. If someone steals an encrypted number, the number can’t be used unless they also have the key. This technology secures the credit card number when it is moving from the point of sale (POS) to the payment processor.

What is EMV then?

EMV is a fraud prevention technology. If someone steals a credit card number, they cannot then use that number to manufacture a fraudulent EMV card. In other words, the EMV technology ensures that the card being presented is not a fraudulent card.

EMV is therefore not a security technology:

  • Once an EMV card is used, the credit card number still has to get to the processor and can still be stolen.
  • EMV's fraud prevention capability only works in card-present scenarios (where the buyer uses an EMV-capable POS device), so stolen credit card numbers can still be used in e-commerce transactions.

What is the secure solution? The solution is to layer up!

  • Use EMV terminals to stop fraud at the front door;
  • Use encryption, tokenization or other security technologies to protect card data being stored and/or transmitted; and
  • Consider a PCI program that also includes data breach reimbursement for added peace of mind.
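
The difference between the layers can be seen in a small model, added here as an illustration and not taken from any EMV specification or vendor product. It assumes a simplified chip that computes an HMAC-SHA256 over the transaction and a counter as a stand-in for the real EMV cryptogram; the `Issuer`, `TokenVault` and `demo` names and the test card number are constructed for the example.

```python
import hashlib
import hmac
import secrets

def cryptogram(card_key: bytes, pan: str, amount_cents: int, atc: int) -> str:
    """Per-transaction MAC computed inside the chip (stand-in for an EMV cryptogram)."""
    msg = f"{pan}|{amount_cents}|{atc}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Holds each card's key and the highest transaction counter (atc) seen."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def issue_card(self, pan: str) -> bytes:
        self.keys[pan] = secrets.token_bytes(32)
        self.last_atc[pan] = 0
        return self.keys[pan]  # lives in the chip, never printed on the card

    def authorize(self, pan: str, amount_cents: int, atc: int, mac: str) -> bool:
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:  # unknown card or replay
            return False
        if not hmac.compare_digest(mac, cryptogram(key, pan, amount_cents, atc)):
            return False
        self.last_atc[pan] = atc
        return True

class TokenVault:
    """Maps random tokens to card numbers; only the vault can reverse a token."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._pan_by_token[token] = pan
        return token

def demo():
    pan = "4111111111111111"  # constructed test number, not a real account
    issuer, vault = Issuer(), TokenVault()
    chip_key = issuer.issue_card(pan)
    genuine = issuer.authorize(pan, 2500, 1, cryptogram(chip_key, pan, 2500, 1))
    replayed = issuer.authorize(pan, 2500, 1, cryptogram(chip_key, pan, 2500, 1))
    # A counterfeit built from the number alone does not have the chip key.
    fake = cryptogram(secrets.token_bytes(32), pan, 2500, 2)
    counterfeit = issuer.authorize(pan, 2500, 2, fake)
    wire = {"pan": pan, "amount": 2500, "atc": 1}            # sent by the POS without P2PE
    stored = {"card": vault.tokenize(pan), "amount": 2500}   # kept by the merchant
    return genuine, replayed, counterfeit, pan in wire.values(), pan in stored.values()
```

`demo()` returns `(True, False, False, True, False)`: the chip check rejects the replay and the counterfeit, the card number is still present in the unencrypted message to the processor, and only the tokenized record is free of it.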
