The recent $45 million ATM heist is dramatic evidence of the urgent need for improvements to payment card security.
Hackers infiltrating two payment processors in India – ElectraCard Services and EnStage – managed to acquire prepaid debit card data and subsequently increased the credit limits on those cards. In turn, they cloned new cards using that stolen data to ultimately cash out those cards at ATMs worldwide.
U.S. bankers may be wondering if the introduction of Europay MasterCard Visa authentication will be the panacea to reduce fraud resulting from counterfeit, lost and stolen cards. If EMV1 (chip and PIN)- enabled payment cards were widely supported in the U.S., would it have been possible for criminals to withdraw $2.4 million from ATMs in New York City in a matter of hours?
Recently, MasterCard, Visa, American Express and Discover incentivized adoption of EMV by moving to shift liability away from the issuer to acquirers. This means that, after a certain date, if an entity, which owns and operates an ATM or point-of-sale terminal, facilitates a transaction for an EMV-enabled card that turns out to fraudulent, the acquirer can be held liable for the loss. It appears that many banks are freaking out because they feel that the deadlines for EMV adoption set by the card issuers are simply unrealistic. The U.S. chapter of the ATM Industry Association recently sent a letter to global payment networks requesting a more realistic timetable from issuers regarding this liability shift.
According to Diebold, the U.S. is by far the largest ATM market worldwide, with $14 billion in cash transactions annually. Nevertheless, according to the Aite Group, 18% of U.S. banks have ATMs that are 10 years old or older. Therefore, the implementation of EMV-compliant ATMs is a far greater task for the U.S. than any other market worldwide and it could be argued that the timetable for EMV adoption is unrealistic. Moreover, all banks and payment card processors must accept EMV-compliant cards when presented for payment even though the bank or vendor may not be EMV-compliant.
One can certainly argue that improvements are needed. The U.S. is ranked number one in terms of skimmer fraud losses, according to the European ATM Security Team. Europol says 80% of fraud outside the European Union, using EU payment cards, occurs in the U.S., which translates into $1 billion in losses. Criminal gangs, particularly from Eastern Europe, are stealing credit card data from European consumers and using the U.S. non-EMV-compliant ATMs and point-of-sale terminals as lucrative cashing out points for cloned cards.
If EMV-compliant ATMs are successfully implemented, then skimmer and ATM fraud will be eliminated in the U.S., right? Not so fast. If we look at Europe, where 99% of ATMs are EMV-compliant , does ATM fraud still occur? The resounding answer is yes. Cash trapping, card trapping, currency fishing and transaction reversal fraud are all schemes set up to steal money from ATMs in Europe. Card trapping is where a criminal inserts a device into the ATM to trap the customer’s card. Similarly, cash trapping and currency fishing involve the installation of devices to stop the consumer from being dispensed the money. Dramatic increases in all of these fraudulent schemes have been reported where EMV-compliant ATMs are being used. Although these schemes do not reap the same type of rewards as skimmer fraud in the U.S., it should be noted that criminals will always find other ways to steal money from ATMs.
Agreements are always preferred over mandates. If the banking industry and the card issuers can discuss an EMV adoption plan, then a mutually beneficial strategy can be implemented instead of the air of consternation that currently prevails. Banks feel that an unrealistic timetable has been forced upon them. ATM fraud will still occur, regardless of whether EMV is adopted, but EMV will diminish the role of the U.S. as the world's ATM for stolen payment cards.
Darren Hayes chairs the computer information systems program at Pace University’s Seidenberg School of Computer Science and Information Systems in New York.