As I pointed out in my last post, EMV would not have stemmed the loss of data in the Target breach. All EMV would have done is restrict where the thieves could use the card data obtained. Even though the thieves can supposedly clone cards from the data gathered, as far as anyone has reported at this point, cloned cards do not appear to be the method of fraud. So the assumption I have is that all, or the vast majority, of the fraud committed to this point has been through card-not-present transactions.
In response to people clamoring for a solution to the breach problem, Visa and MasterCard have curiously remained silent. I would have assumed that the card brands would have trotted out their press releases touting EMV as the savior. Yet they have said nothing. Could it be that the card brands are actually acknowledging that EMV would not have been the answer? One can only hope.
So what is the answer?
To me the answer is single-use transaction codes of 15 to 16 characters in length. With the advent of smartphones and miniaturization of electronics, the ability to create a card or an application that generates such a code is not only possible, but has been demonstrated in recent years. Not only that, but the card brands and banks themselves dabbled with such solutions over 10 years ago but for some reason backed off on pushing such a solution. My best guess is that without a portable method of using the single-use code system, there was no point to pushing such a system. But times and technology change.
With the capabilities of today’s technology, the single-use codes could be displayed as bar codes so that existing merchant POS systems could scan them and avoid data entry errors. Since they are no more than 16 characters in length, the codes can be stored, without modification, in the existing fields that applications use to store card numbers. Since the card brands and banks have already developed the algorithms for this approach, they only have to agree on which algorithms to use. But best of all, since the code can only be used once, it can be processed, stored and transmitted wherever and however without fear of a compromise.
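To make the idea concrete, here is an added sketch that is not from the card brands or banks, whose algorithms are not described here. It assumes a counter-based HMAC-SHA256 derivation, a hypothetical `Issuer` class, and a trailing Luhn digit so the 16-digit code passes the validation existing card number fields already apply.

```python
import hashlib
import hmac

def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a numeric string (same check card numbers use)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # doubled positions once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

def single_use_code(secret: bytes, counter: int) -> str:
    """15 digits from HMAC-SHA256(secret, counter) plus a Luhn digit = 16 digits.
    Assumed derivation for illustration only."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    body = f"{int.from_bytes(mac[:8], 'big') % 10**15:015d}"
    return body + luhn_check_digit(body)

class Issuer:
    """Hypothetical issuer-side check: each code is accepted once, and a small
    look-ahead window tolerates codes the device generated but never used."""

    def __init__(self, window: int = 5):
        self.accounts = {}      # account_id -> [secret, next expected counter]
        self.window = window

    def enroll(self, account_id: str, secret: bytes) -> None:
        self.accounts[account_id] = [secret, 0]

    def authorize(self, account_id: str, code: str) -> bool:
        if account_id not in self.accounts or not luhn_valid(code):
            return False
        secret, nxt = self.accounts[account_id]
        for counter in range(nxt, nxt + self.window):
            if hmac.compare_digest(single_use_code(secret, counter), code):
                # Advancing the counter burns this code and every earlier one,
                # so a copy captured at the merchant cannot be replayed.
                self.accounts[account_id][1] = counter + 1
                return True
        return False
```

The merchant only ever handles the 16-digit code; the per-card secret stays on the device and at the issuer.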
This is just my thought for a solution, but there are other people and organizations that have their own solutions to fix this problem. The bottom line is that it is time to fix the problem, not keep kicking the can down the road with a known format that is at the end of its life.