Over the last seven years, the amount of fraud from stolen credit card data has doubled in the U.S. This has been the primary driver pushing American credit card companies and retailers into adopting the use of credit cards with computer chips in them. The problem with the old magnetic stripe credit cards we are so familiar with is that the data on the magnetic stripe is static – it never changes. Because of this, fraudsters have been able to simply copy the magnetic stripe data from your card to a blank one, and then use the new card to make purchases. The computer chips in Europay, MasterCard and Visa (EMV) cards, on the other hand, set up a one-time transaction code that is useless to intercept or copy. If a thief attempts to make another transaction using this information, the transaction will simply be denied.
These kinds of credit and debit cards have been used in Europe for decades, and have greatly reduced the amount of credit card fraud there. But the American versions of these cards are going to be different for some years to come. For one thing, EMV cards issued to Americans are still going to have the magnetic stripe on them until at least 2017. This is to give retailers a chance to install the necessary (and expensive) equipment needed to process EMV cards. Also, even though most retailers are supposed to have EMV card reader hardware in place as of October this year, gasoline retailers are not required to change their pump card readers until 2017.
Another difference is the use of a PIN with the cards. In Europe, they have found that requiring a 4 to 6 digit PIN number when cards are used greatly adds to the security of the transaction (just like inputting a PIN when you use your debit card here does). But most companies in America are just going to require a signature, and are not going to allow the use of PINs with these cards for a while. This is not only to spread out the cost of re-equipping for the merchant, but is also to allow American consumers to get used to the new cards. Eventually, America will probably be using the same setup they currently use in Europe, but until then, remember that your cards will still suffer from some of the same old vulnerabilities as always.

As a risk management guy, I’m often asked why I think information security programs fail or are less effective than they should be. There are certainly a number of answers to that question, but I think one of the main causes is lack of management participation in the program.
First, it should be recognized that these programs are driven from the top down. Upper management must demonstrate real interest in the infosec program to make it work. Right or wrong, people take all their main cues from upper management, and an apathetic CIO or CEO is a death knell for an infosec program.
Once you have achieved high level buy-in, it is very important to ensure that mid and operational level management are also properly involved in the program. Managers on these levels need to demonstrate their interest in the infosec program just as upper management does. However, beyond that, these individuals should also be involved in the program in a much more direct way.
It isn’t enough that information security policies and procedures have been established and communicated to all appropriate personnel. There also needs to be regular documented processes in place for management oversight of the information security program. Managers sometimes tend to become complacent about the information security program; they don’t really demonstrate interest in it and don’t seem to check up much. And if managers become complacent about infosec, you are safe to bet that the personnel in their purview will as well.