Relief is in sight for the beleaguered U.S. Payment Card Industry (PCI). By October 2015, chances are that America will no longer have the dubious distinction of leading the world in credit card fraud.

Well, maybe.

A year from next month, the 1960s-vintage “swipe-and-signature” magnetic stripe card system is expected to be yielding in a serious way to EMV (named for its original developers, Europay, MasterCard and Visa), also known as “chip and PIN” – a smart-card system that has been in broad use in Europe and other parts of the world for nearly two decades.

The much-anticipated, and debated, shift will not be because of a mandate. But next October marks the so-called “liability shift” – a clear incentive for merchants and banks to make the transition if they haven’t already.

As MasterCard’s Carolyn Balfany explained it to the Wall Street Journal earlier this year, “what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability.”

So, if a customer has a chip card but a merchant has the old, swipe-and-signature technology, the transaction will still work, but if it is fraudulent, the merchant will bear the cost. Or, if the merchant has a new terminal but the bank has not issued an EMV card to the customer, the bank eats the cost of any fraud.

The intent of EMV is to prevent skimming by replacing the magnetic strip with an embedded microchip. It also requires the user to enter a PIN, much like a debit card, to authenticate a purchase.

According to advocates of the change, it should dramatically improve credit card security in the U.S., now home to about half the world’s credit card fraud, even though only about a quarter of all transactions take place here.

According to EMV Connection, the UK Card Association reports that, “losses at U.K.
retailers have fallen by 67% since 2004; lost and stolen card fraud fell by 58% between 2004 and 2009; and mail non-receipt fraud has fallen by 91% since 2004.”

It said Canada saw similar improvements after rolling out EMV in 2008.

But critics say that doesn’t tell the whole story. Security blogger Brian Krebs noted last May that EMV terminals would not have prevented the catastrophic breach at Target late last fall. “Without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions,” he wrote.

Also, a UK research firm at the University of Cambridge released a paper earlier this year titled, “Chip and Skim: cloning EMV cards with the pre-play attack,” in which they said they had discovered serious vulnerabilities that would allow criminals to clone EMV cards even if they did not have physical possession of the cards.

They agreed that EMV had made, “using counterfeit and stolen cards … more difficult,” but noted that “criminals adapted,” by turning their attention to attacking “card-not-present” (CNP) transactions, which are beyond the scope of EMV.

The bottom line: “EMV did not cut fraud as its proponents predicted,” the team wrote.

EMV Connection acknowledges that attackers have migrated to CNP transactions – although it points to the MasterCard Chip Authentication Program (CAP) and the Visa Dynamic Passcode Authentication (DPA) as improvements to security for EMV cards in online transactions.

But the recent announcement by Apple of its Apple Pay system, which will come with the iPhone 6, would bypass the need for the card entirely, by having the user load the card information into the phone (where it is then encrypted) and then authenticating a purchase with a fingerprint and by placing the phone next to the near-field-communication (NFC) receiver at participating merchants.
Reportedly, Visa, MasterCard and American Express have already agreed to participate with it.

While Apple Pay has not yet been tested in the real world, that and other advances like My PinPad in the UK have had people like David Froud, blogger and founder of Core Concept Security, declaring that it makes sense for the U.S. to save itself the billions it will cost to move to EMV and simply move directly to more secure mobile payment options. Estimates of the cost to make the shift, for credit cards, point-of-sale (POS) devices and ATMs, range from $6 billion to more than $8.6 billion.

“Why would the banks make this expense when the main driving factor behind EMV is being negated on a daily basis by innovations in payment technology?” Froud wondered in a July post, noting that EMV is not exactly cutting edge, since it was introduced in France 21 years ago.

But a number of other security experts, while they agree that EMV is not perfect, say it is demonstrably better than the mag stripe, and well worth the expense.

“For some weird reason, a lot of people in security equate ‘not a panacea’ – and these don’t exist in infosec – with ‘has no value,’” said Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals. “What if AV catches just 30% of viruses? Would you rather deal with a third more of them?
It’s the same with EMV – there is reliable data from the EU that EMV has reduced card-present fraud.”

That is the argument Jacob Ansari, director of technical services at Sikich LLP, makes as well, that while EMV is effective only with “card-present” transactions, that is the major kind of fraud now happening in the U.S.

“Attackers looking to perpetrate card-present fraud in the U.S. can do it ridiculously easily,” he said, adding that the results in countries that have adopted EMV indicate that its adoption in the U.S., “would lead to a marked decrease in card-present fraud.”

Julie Conroy, analyst at Aite Group, said, “there is no technology that will wipe out all fraud,” and that while EMV would not have prevented the Target breach, “it would have significantly impeded the criminals’ ability to monetize the breach, by making it very difficult to use the stolen data at the point of sale.”

Regarding the findings of the British research team, Conroy said EMV, “has not been compromised outside of a university lab environment.”

The cost to make the transition, she said, is more than worth it. “The credit card fraud problem alone is $3 billion, and growing rapidly,” she said. “Debit card fraud is also into nine-figures, and growing at an equally rapid clip.”

Conroy also contends that it will be less expensive than some estimates that put the cost of issuing EMV replacement cards at $3-$5.
“For the largest issuers, who represent over 80% of our card market, the cost is around $1.30 per plastic,” she said.

Adrian Lane, analyst and CTO at Securosis, said while Internet purchase fraud rates, “continue to climb everywhere,” that does not mean EMV isn’t worth it. The cost, he said, “is not such a big issue, as the major point-of-sale terminals have been updated to accept smart cards and NFC by the large retailers already.”

Chuvakin calls the cost of the transition, “incredibly cheap, given that the current system with a magstripe reader at almost every merchant took nearly half a century to build.”

Still, why spend all that money if better, more secure alternatives are either here already or on the horizon?

Lane said he thinks it will take considerable time – four to 10 years – for that technology to become commonplace. In the interim, there are billions to be saved with EMV credit cards.

“Chip and PIN or Smartphone/secure element payment both require NFC terminals,” he said. And while merchants are already installing NFC technology, “on the consumer side, how many years will it be before every user has a smartphone with a secure element?”

Lane said consumer habits may play a major role in how EMV deployment plays out. He said Visa and MasterCard announced earlier this year that they will market EMV cards, but ones that will still use a signature, not a PIN, because otherwise consumers won’t use them.

“The issuers argue that setting a PIN is too much hassle so people won’t use the cards at all. They believe overall transaction volume would fall off – a no-no for the card brands,” he wrote in a blog post.

Conroy agreed. “We have yet to see consumers embrace mobile payments,” she said.
“They are very comfortable with their plastic cards, and we’ve seen time and again that it takes powerful incentives to get them to change that behavior.”

There is general agreement among experts that there should be no expectation that EMV will magically solve the problem, but that it can play a significant role in reducing fraud losses.

“Card fraud is a war with many fronts,” Conroy said, and, besides EMV, will require tokenization and point-to-point encryption (P2PE), more robust fraud analytics into the CNP channel and possibly more intrusive authentication methods.

Ansari agreed. It will take, “a mix of controls: technical, operational, legal and regulatory,” he said.