Skip to Content

Cybersecurity & Standards, Government Surveillance, Privacy & Data

Exploring the Future of Payment Security

For anyone that has traveled or lived abroad, you’ve probably noticed that most of the rest of the world has chips in their credit cards. These chips are soon coming to the United States (some are already here, and many retailers will have chip card readers in place by October 2015), and they are just one of the ways that payment security is being enhanced nationwide. This week, CDT hosted a session on Capitol Hill for Hill staffers that addressed the future of payment security.

The event, which was supported by Visa, featured CDT’s Chief Technologist Joseph Lorenzo Hall, Kim Lawrence from Visa, and John Breyault from the National Consumers League.

The panel discussing secure payment solutions.

The panel discussing secure payment solutions (John Breyault, Joseph Lorenzo Hall, Kim Lawrence).

Kim kicked things off by discussing the EMV chip, which is the microprocessor that will soon be in all Visa cards. Some of these cards are already available to consumers, and she recommended getting in touch with your credit card provider to ask for one. Visa developed a handy fact sheet on the EMV chip and an infographic on how chips enhance security. The short of it: chips create unique, encrypted identifiers for each transaction you make with a card, instead of sharing your credit card details directly with the merchant. This makes chip-enabled cards nearly impossible to counterfeit, unlike the magnetic strip cards most of us currently have.

Chip technology won’t solve everything though. As Joe and John pointed out, chips can’t address any of the e-commerce fraud that occurs when a card isn’t physically present to be read by a chip terminal in online, mail, or phone transactions. Chip technology also would not prevent the mass breaches that recently occurred at Target and Home Depot, but as more chip cards are introduced and readers installed, hopefully any information stolen will be much less valuable. Regardless, John stressed the need to have better practices in place for responding to data breaches after they happen and advocated for a national data breach standard.

Also, with chip-enhanced cards, it’s important to remember to always dip and not swipe. Yes, chip cards will still have the magnetic strip, and if you use that to pay, you get none of the benefits of the chip security. So as the new reader terminals for cards roll out, be conscience of using the chip reader (dip!) when available.

Chips are just one way that payment security is being upgrading. In his remarks, Joe highlighted contactless payment options such as Softcard, Google Wallet, and Apple Pay, noting that Apple Pay even has simultaneous biometric fingerprint authentication built in.

As new options for secure payments emerge, including digital currencies like Bitcoin, it’s important to remember that any legislative or regulatory approaches on the issue should avoid mandating one technological solution. As we have seen in the past, when one solution is proposed, the technology is often obsolete before the ink dries on a bill. Rather, setting strong, clear performance requirements and process-based assurances leads to more innovative, secure solutions that benefit the consumer.

We’ll be doing more work on consumer privacy and security in the financial sector in the coming months.