I noticed that in some recent comments, MasterCard’s Chief Risk Officer, Christopher Thom, said “not far off is the day when, through the assignment of an ever-changing access code, every transaction will be unique, incapable of being replayed and utterly useless to the criminal fraternity”. I assume that by an “ever-changing access code” he means the EMV cryptogram, so perhaps the introduction of EMV into the U.S. will happen in my lifetime after all. One scenario, which will seem less outlandish once you reflect on it, is that issuers migrate cards to EMV (since they will be adding chips to the cards for contactless migration anyway) but U.S. merchants do not, since all the terminals are online anyway. Instead, EMV in the U.S. makes an impact on CNP fraud because banks who have to comply with better 2FA instructions find it cheaper and easier to send their customers a voucher to pick up a USB smart card reader or token authentication device at CompUSA than to develop yet another security system.
A quick plug: Richard Allen and I will be talking about this and related issues at the European Plastic Card & Online Fraud Detection & Prevention conference in London at the end of the month.
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public. [posted with ecto]