Are non-EMV merchants really at higher risk of card data breach?

I was discouraged to hear of the Wendy's card data breach earlier this year.  But what saddens me even more is to watch in the aftermath of yet another data breach (this makes over 1,600 breaches since 2014) as otherwise knowledgeable industry pundits make false statements about EMV with respect to data security.  One example is on the left (click to enlarge or mouse over to view comments).

Now, I know that sometimes when industry folks chat, we take for granted that we all know how these things work.  For instance, I would like to give these folks the benefit of the doubt that they were just being funny, or switching back-and-forth between topics.  But this is not an isolated incident, and has been going on ever since Target announced it would solve its data breach problem by installing EMV terminals(!).  It is past time that we all get one thing straight:

EMV and the RECENT liability shift haVE almost
nothing to do with credit card data security.

To make sure we're all on the same page, let's talk briefly about what EMV does and doesn't do:

The term EMV, which stands for Europay MasterCard Visa (the three card brands that initially develops the specification) generally alludes to the acceptance of chip cards (although EMVCo actually administers other standards besides the chip).  Even though the EMV chip standard was initially developed 20 years ago, it is without a doubt  decades ahead of even more ancient magnetic stripe technology (the same technology used in audio cassette tapes).  And it does a lot of really great things:

What EMV Does Do:

1. The microchip in the card is a full-fledged computer;  also called a smart card or ICC.   When you insert your credit card into a payment terminal, the terminal actually provides power to the chip which "boots it up" and immediately begins exchanging information.  This technology allows for a card to store information about recent purchases, keep track of its own credit line, and solve some tricky problems for cardholders and card issuers -- such as performing real-time risk analysis and authorization even when a POS system doesn't have a persistent Internet connection.

2. The chip also has a special cryptographic function that allows it to generate a code, called an iCVV (Visa), Chip CVC (MasterCard), or iCSC (American Express) -- collectively referred to as a Chip Card Security Code -- that is unique with every transaction.  This three-digit value is a transaction fingerprint that is very difficult for hackers to reproduce, so that an issuer can be close to 100% certain that a transaction containing a valid code belongs to an authentic chip card.

Now, hearing words like "cryptographic" makes this sound super secure, and it is -- in a manner of speaking.  This process is so secure that the entire world is pushing this technology to solve a specific set of problems pertaining to preventing counterfeit fraud.  But...

What EMV Does NOT Do:

1.  ...protecting your cardholder data is NOT one of the problems that EMV solves.  The Chip Card Security Code and other cryptographic security functions are designed merely to catch fraudsters when they try to use a counterfeit card at a point-of-sale.  That's it.

2.  EMV does not encrypt any of the other valuable card data, with the exception of the Chip Card Security Code.  This three-digit value, which replaces the "Card Security Code" that would normally appear in the track data, is based on an DES encryption scheme (similar to PIN).  But no other cardholder data is being encrypted.   Use of EMV (without P2PE or other PCI controls) will not protect a merchant -- Wendy's or otherwise -- from a data breach.

Here is a list of the values PCI considers account data, cardholder data, or sensitive authentication data --  values that PCI states must be removed, encrypted or protected in order to reduce the risk of data breach:

• Primary Account Number (PAN) or the 13-19 digit credit card number
• Expiration Date
• Cardholder Name
• Service Code
• Discretionary Data

See for yourself direct from EMVCo's specification. Tag 57 from the EMV message is the big culprit, although tags 42, 55, 56, and 5A may contain cardholder data as well:

3. Speaking of PCI, because the cardholder data are still left in the clear, EMV provides absolutely zero benefit to a merchant's PCI DSS compliance.  Before, during, and after your move to EMV, you will still have the same requirements pertaining to protected the PAN, expiration date, cardholder name, service code, service code, discretionary data, and track equivalent data.

4.  BONUS:  While we are on the subject of what the chip does not do, I would be remiss if I didn't mention that here in the United States, "chip-and-PIN-without-the-PIN" (also called "chip-and-signature", "chip-and-sig", or "chip-and-why-are-we-doing-this-again?") is worthless to prevent lost-or-stolen card fraud or shift liability associated with these transactions.  But that's another discussion for another day.

"But, Sam," you might say, "as long as the stolen card information cannot be used to create a counterfeit card, then it is of no value to the hackers, right?"

If only this were true.  While card data from a chip card is indeed less valuable than that from a mag stripe (because chip data cannot be used to make a fake physical credit card), it is still very valuable to hackers because they can take the PAN, expiration date, and cardholder name, and purchase valuable products online.  And because the hackers are getting more and more resourceful, stealing your data for CNP fraud is still a very profitable enterprise.

Put differently, ask yourself if your customer base would forgive you for losing their data if you told them "it's okay, the bad guys won't be able to use your stolen data to buy stuff in stores, just online and through mail order."

This is not just theory.  In fact, Europe has been well-aware of this behavior for over a decade.  The graph below shows card-not-present fraud for the year that the UK first implemented EMV, and the years following.   Note the sharp increase in fraud as thieves simply moved their fraud operations to the Internet:

Takeaways:   EMV is designed to prevent physical card-present counterfeit fraud.  EMV does not encrypt or otherwise protect sensitive cardholder data like PAN, expiration date, cardholder name or service code.  EMV doesn't prevent data breaches.  EMV doesn't reduce PCI scope or render an environment more compliant.  So the next time someone falsely equivocates a merchant's failure to respond to last year's EMV liability shift as being the reason for their data breaches, you can step in and and alert them to what EMV does and does not do.