
Love the EMV plug, as if it'd actually have helped. EMV transmits the card information in the clear; it only makes physical copying of the cards harder (Which really doesn't matter since credit cards can be used online).

The only thing EMV would achieve is making this data slightly less valuable, but still worth it for the attacker. Replacing the EMV cards would also be more expensive by an order of magnitude.

tl;dr: if you use your EMV card on a compromised POS, you'll be as fucked as you'd be with a magstripe card. Your bank will be ten times as fucked.



I think you are forgetting that EMV cards introduce the concept of digitally signing a transaction. That signature is then checked by the payment card processor and if it matches then the charge goes through. The signatures are performed by the chip on the card using a non-exportable certificate. This provides the "proof of presence" for the card and makes duplicating the EMV portion virtually impossible. This doesn't stop the other portions of the card from being stolen, but if merchants force EMV-only transactions, stolen credentials cannot be used. It's a step in the right direction.


It's a step in the right direction, but the current implementations of EMV cards wouldn't have been of any help here.


EMV terminal certification must meet certain PCI standards for one thing. Not sure it would apply in this scenario; it does mention Canadian cards affected, but I'm not sure if that's because it was on American machines.

Secondly, if EMV was adopted in the USA, the stolen information would become useless because they wouldn't be able to use the data to produce fraudulent cards.


> Which really doesn't matter since credit cards can be used online

Don't you need the printed CVV for that? Which isn't stored on either the magstripe or the chip.

edit: 3DSecure would also help if banks cared to push it harder (for instance my bank now disallows all online debit card charges that don't use 3DSecure)


No, you really don't need the printed CVV for that. And several cards have actually had the CVV on the chip.

Also, in many cases the chips actually contain enough information to replicate the magnetic stripe. (Which is, well, bad.)


EMV tag 57 [1] generally contains the "Track 2 Equivalent Data", and 5A the account number (PAN) [2]

[1] http://www.emvlab.org/emvtags/show/t57/

[2] http://www.emvlab.org/emvtags/show/t5a/
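Added example, not part of the thread or any commenter's code: a Python sketch of how log-scrubbing code on the defender's side could walk a chip record, decode tags 57 and 5A, and keep only a masked summary. The record bytes, the test PAN and the function names are constructed for this illustration, and the walker assumes no padding bytes between TLV objects.

```python
# Constructed test record: template 70 holding 5A (PAN) and 57 (Track 2 Equivalent Data).
SAMPLE_RECORD = bytes.fromhex(
    "701D" "5A08" "4111111111111111" "5711" "4111111111111111D2512201000001230F")

def iter_tlv(buf: bytes):
    """Yield (tag, value) for each primitive BER-TLV object, descending into templates."""
    i = 0
    while i < len(buf):
        first = tag = buf[i]
        i += 1
        if first & 0x1F == 0x1F:              # multi-byte tag such as 9F xx
            while True:
                tag = (tag << 8) | buf[i]
                i += 1
                if not buf[i - 1] & 0x80:
                    break
        length = buf[i]
        i += 1
        if length & 0x80:                     # long-form length (0x81, 0x82, ...)
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        value = buf[i:i + length]
        i += length
        if first & 0x20:                      # constructed: recurse into the template
            yield from iter_tlv(value)
        else:
            yield tag, value

def decode_track2_equivalent(value: bytes) -> dict:
    """Split tag 57: PAN, 'D' separator, YYMM expiry, service code, discretionary data."""
    nibbles = value.hex().upper().rstrip("F")  # a trailing F pads to a whole byte
    pan, sep, rest = nibbles.partition("D")
    if not sep or not pan.isdigit() or len(rest) < 7:
        raise ValueError("not Track 2 Equivalent Data")
    return {"pan": pan, "expiry_yymm": rest[:4],
            "service_code": rest[4:7], "discretionary": rest[7:]}

def redacted_summary(record: bytes) -> dict:
    """Return only fields that are safe to write to a log."""
    tags = dict(iter_tlv(record))
    t2 = decode_track2_equivalent(tags[0x57])
    pan = t2["pan"]
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "pan_matches_5a": tags.get(0x5A, b"").hex().rstrip("f") == pan,
        # ISO/IEC 7813: a leading service-code digit of 2 or 6 marks a chip card
        "chip_card": t2["service_code"][0] in "26",
    }
```
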


That's not the same CVV.

Edit: Even having the track 2 data won't do you any good in reproducing an EMV card. The only way reproducing a mag stripe EMV card is useful is if it is used at a non-EMV terminal and mag stripe is the only option.

I believe Europe has completely banished mag stripe now.


CVV2/CVC2 (Visa/Mastercard) generation on the back of the card is COMPLETELY different than the CVV on the chip.

http://en.wikipedia.org/wiki/Card_security_code Skip down to Types of Codes


Yes, you need the CVV printed on the back of the credit card to make an online purchase.

And the CVV on the back is different than the CVV stored on the magstripe/chip.


EMV isn't about securing information, it's about customer/card validation - validating that the person using the card is who they say they are. Therefore you are secure from fraud - as you said, cards are hard to reproduce.

You still need the CVV code to use the card number in a card-not-present transaction. So not to your point, it is rather secure...

EMV would have helped immensely here, especially considering EMV compliant machines are held to PCI standards as well.



