Avivah LitanA credit union in the United States becomes the first card issuer to issue EMV chip credit cards for its elite members. As reported in the American Banker last Thursday http://www.americanbanker.com/issues/175_91/emv-1019106-1.html, the United Nations Federal Credit Union will start offering Platinum Visa EMV cards this August that its traveling members can use abroad.
Platinum cards are the credit union’s most profitable cards and are used by its top 5000 card holder customers, as reported in the American Banker. The credit union is hoping that more of its 88,000 members and 35,000 cardholders will want to upgrade to these high-status (and presumably high-fee) cards. Gemalto provided the infrastructure for this upgrade as part of its “World Traveler” program.
This move is certainly a step in the right direction for strengthening U.S. card security. Traveling cardholders like the ones at this Credit Union have been complaining to their banks for a couple of years now that their credit cards don’t work when they travel in Europe. They get particularly embarrased when their cards are rejected (especially if they are treating for dinner at some elegant European restaurant). It was only a matter of time before a card issuer listened and reacted.
Interestingly, it’s convenience – and not security – that will likely drive EMV card adoption in the U.S.
But let’s not forget about security. The card brands (e.g. Visa, MasterCard) should give retailers and others struggling to implement PCI card security some compensation for accepting EMV cards, provided magstripe and other card data are not stored on premise.
Visa has limited the scope of PCI audits in some countries where chip card use is prevalent but I haven’t seen that advertised anywhere. Last Spring they told me that they reduced the scope of PCI compliance audits for entities that implemented Chip and where the ICCV penetration in their market is about 75%, meaning there are fewer magstripe transactions floating around. A reduced audit scope here means that these merchants need only validate their compliance with PCI milestones 1 through 4 – rather than all six. Not much of a reduced audit but still something to latch onto.
We’ve been arguing for years that insted of relying on millions of retailers and card acceptors to properly protect card data, the card issuers and the card brands need to work on strengthening the security of the cards themselves so that even if card data is stolen, it can not be used.
EMV chips accomplish just that — unless the thieves manage to steal the cards themselves, clone them and figure out the PINs that are used with them. Possible perhaps but highly unlikely, especially on a mass scale.
Category: Uncategorized Tags:
2 responses so far ↓
1 Sergio Hernando May 18, 2010 at 8:01 am
Hi Avivah,
I’m also looking forward to see movements in US and other countries regarding EMV-enabled merchant POS and ATMs. These can also work doing fallback to magnetic stripe, of course, but that scenario kills extra security features. However, in the scenario you’re describing (US customers using their cards abroad) neither US POS or ATMs need to be capable of handling EMV cards.
Regarding drivers I’m not surprised at all about convenience and not security. Has security ever been a real driver for these businesses?
With regards,
2 Avivah Litan May 18, 2010 at 11:25 am
Good question! I do think security was the driver for the roll-out of EMV cards outside the U.S. The dynamics are obviously different in the U.S.