Using EMV as Part of a Layered Approach to Authentication

By: Nancy Bakanowicz


One of the challenges financial institutions face in today’s marketplace is how to address consumer authentication, especially when it comes to providing merchants and other financial institutions with sufficient protection against potential fraud. Unfortunately, data breaches continue to increase in frequency, as do other types of fraud, rendering traditional methods of consumer authentication less effective than they once were.

These traditional methods generally consist of passwords and knowledge-based authentication methods such as challenge questions (“what was your first phone number?”). Unfortunately, they’re just not good enough for today’s mobile-driven world, in which there are more devices carrying more information – financial and otherwise – than ever before. Security professionals suggest a multi-layered approach to security as a way to reduce data breaches and card fraud. This approach entails having consumers provide something they know (a password or PIN), something they have (a security token or smartcard) and something they are (fingerprints, iris scans). The theory is that, while any one of these three items may not be secure enough on its own, combining two or all three exponentially increases the level of security, particularly with the rise of mobile payments and the Internet of Things (IoT).

EMV, which was introduced in the United States in 2015 and has yet to be fully adopted by all merchants, is a powerful tool in the fight against card-present fraud. Statistics show that card-present fraud has decreased dramatically in countries that have adopted EMV. Unfortunately, EMV alone is not enough, because its security doesn’t extend to card-not-present (CNP) environments, in which customers make purchases online, over the phone or through mobile devices.

To be effective, a fraud prevention strategy should combine EMV with encryption, tokenization and other methods, creating a multi-layered approach to security. The key to EMV is the chip embedded in the card, which can store far more data than the magnetic stripe on traditional credit cards. Unlike the magstripe, the chip encrypts the information when it communicates with POS terminals and payment networks. It can even be remotely updated by issuers with new data and security commands. Chip cards are especially secure when used with a PIN, but even the U.S.-based cards, which have a signature instead of a PIN, are far more secure against fraud than traditional magstripe cards.

To help mitigate the lack of security for online and CNP transactions, EMVCo (the governing body for EMV) announced it is working with the payments industry to support security and authentication for new and emerging technologies in the payments space. This endeavor, called 3D Secure (3DS), gives ecommerce merchants access to issuer-controlled interfaces that enable cardholders to confirm their identities directly with their banks via a one-time password or code.

While EMV will have a significant impact on card-present fraud, it is not a panacea. Although it is far more secure than standard magnetic stripe cards, it is still not foolproof. Combining EMV with encryption and tokenization methods to authenticate the card is an excellent strategy that will help protect payment data as it is transmitted and prevent fraudsters from obtaining what isn’t theirs.