Payments

EMV Vs The UPT, Can We Fix The #FAIL?

Union BankDirector (SVP), Cybersecurity

Well, it has struck again. Remember how I told you guys about some of my EMV experiencesnow that I have a card with the chip in it? Well, it struck again… but not in the place y0u might think!

Chip, by Declan Jewell

I’m here in Salt Lake City, Utah, and I decided to take advantage of the lovely public transit (UTA) by hopping on the light rail into downtown. The weather is amazing here, and I wanted to walk a bit as well! So, I go up to the terminal to pay for a ticket, and guess what? REJECTED. Tried in the other machine… REJECTED. Tried another chip card… REJECTED! Then I tried a card that did not have a chip in it, APPROVED!

The implementation of EMV here in the states is done as chip and sign, just like an existing swipe credit card. My guess is that it is done this way so as not to confuse the US consumer with a debit transaction—typically done with a PIN (although you can do a signature for debit too… did you know that?). So we are adding the security of EMV for card present transactions, but the implementation here in the US has a massive hole in it. Unattended payment terminals, or UPTs.

The way that EMV enabled readers work is they require that cards with a chip always present the chip for tender. This means that you cannot use the mag stripe to swipe a card with a chip embedded into it. An EMV enabled reader will only process a card with a chip in it if you present the chip for tender—otherwise it is rejected right there at the terminal. But since we are doing chip and sign here in the US, there is a requirement (today) for some kind of signature capture to be presented with the actual transaction. So even though you can swipe at a UPT without signing (think about a gas pump or train ticket kiosk), you cannot present an EMV card using the chip because there is nowhere to sign. Instant rejection.

For the record (because I know some of you who read this might get offended), EMV is a good technology. It’s implementation for US cardholders is not. If I had only chip cards in my possession, I would now be forced to use cash for any UPT purchase which means less money earned on interchange. So for you EMV lovers and supporters out there, it would be smart to figure out how to fix the US implementation of this so that you don’t lose market share to alternative payment schemes like SMS or NFC. And this isn’t just something that impacts us here in the US, it impacts US cardholders GLOBALLY. So when I head over to Amsterdam for RSA EU this month, I can’t use my EMV-enabled cards at any UPT.

Hopefully the powers-at-be will figure out this conundrum, but for you UPT owners that are looking for alternative payment schemes, now might be a good time to review your strategy.

Save

Branden Williams

Union BankDirector (SVP), Cybersecurity

Branden Williams has 15+ years of experience in technology and information security‹. Branden recently was designated as a Fellow of the Information Systems Security Association (ISSA) and was also an Adjunct Professor at the University of Dallass Graduate School of Management where he taught in their NSA Certified Information Assurance program ‹. He c‹o-authored a book on PCI Compliance.

Apply to Become a Contributor