Countdown to the EMV Deadline: Who's Ready, Who's Not
The big moment is just a few days away.
For several years Oct. 1, 2015, has loomed as a turning point in the U.S.'s migration to EMV chip-and-PIN cards — the cards with computer chips that have already been deployed in most parts of the world.
Rules set by Visa and MasterCard suggest that by Thursday, ideally, banks will all be issuing EMV-compliant cards and retailers will have the technology to accept them. If one party is supporting EMV and the other is not, the delinquent entity will have to cover the cost of any fraud that ensues.
It is an enormous change, with the potential to disrupt bank card issuers, retailers and consumers as everyone learns to deal with the new technology that requires consumers to insert their cards and leave them in the store machines throughout a payment transaction, rather than swipe.
Here's what we can expect to see on EMV migration day:
Most credit cards (about 70%) will have chips on them. But most of these cards will be chip-and-signature cards, not chip-and-PIN.
Some criticize banks' adoption of chip-and-signature, arguing that signatures are useless as a fraud deterrent.
"Our position in the U.S. has been that the chip helps eliminate the vast majority of fraud, and we wanted to get the chip deployed as fast as possible," said Mark Nelsen, senior vice president of risk products and business intelligence at Visa.
For Visa, that means replicating the current environment for consumers, which means debit cards will have PIN numbers associated with them, and credit cards will have a signature.
"We felt that was the fastest way to get chip deployed," Nelsen said. "We absolutely support issuers who want to deploy a PIN on their credit card."
Many small merchants won't be ready. Depending on which study you believe, somewhere between 20% and 30% of merchants have purchased and deployed the EMV-capable point-of-sale terminals and software they will need to handle EMV chip cards. Big-box stores like Target that have suffered data breaches have done this work.
But most small stores and restaurants have not. New EMV equipment is expensive and sometimes difficult to implement, and many seem unaware of the dangers of not adapting.
"A big portion is because the merchants don't understand the risk associated with this," said Wade Barnes, director of retail banking at 1st Mariner Bank in Baltimore. The $850 million-asset bank has about 25,000 debit cardholders and 10,000 credit cardholders.
"Target, Walmart, they get it, they've been involved with enough card issues that they understand the risk it presents," Barnes said.
One of his bank's customers is a bar that is not going to upgrade because its owner sees no reason to do so since the business has not experienced any losses.
"We remind them that, you wouldn't know of any losses because in today's world, it comes directly back to the bank," Barnes said. "Moving forward, that liability will be on the merchant if the customer presents an EMV card. They don't realize what the impact is going to be to them. I don't think most merchants understand the amount of fraudulent transactions that actually happen."
Counterfeit card fraud should drop. For years, criminals have had a relatively easy time of "skimming" the data off traditional magnetic-stripe cards, using easily obtained devices that cost about $20. About $3 billion worth of counterfeit credit card fraud took place at the point of sale last year, according to Aite Group's estimates. That was out of $16 billion in total card fraud.
Duplicating the chip on a chip card is difficult if not impossible. Most new cards are being issued with both a magnetic stripe and a chip, and the new EMV terminals accept both the chip and the stripe. So theoretically you could duplicate just the magnetic stripe on the chip card, create a new magnetic stripe card and try to use that. However, if an EMV card is swiped on an EMV-compliant merchant terminal, the system will reject the transaction and force the consumer to insert the chip.
However, in the scheme of things, counterfeit card fraud represents only about 37% of overall card fraud in the U.S.
Online card fraud is expected to rise. So-called "card not present" fraud — where someone uses a card but does not physically present the card (this could be over the phone, over a fax machine, on a mobile device or a computer, but most people equate "card not present" with using a card on a website) — represents the bulk of card fraud in the U.S.: 45%, according to Aite Group. The analyst group expects online card fraud to more than double from $3.1 billion in 2015 to $6.4 billion in 2018.
Many point to the U.K.'s experience in switching to EMV cards: online e-commerce fraud rose 79%. Other countries have experienced similar post-EMV effects.
However, as Nelsen points out, the U.K. adopted EMV in 2006, when online e-commerce was just getting under way. So the escalation of Internet fraud was natural as everyone, including fraudsters, recognized all the possibilities of website commerce.
He also points out that fraud detection and prevention methods have come a long way since then.
"The technology available to ecommerce merchants is vastly different to what they had then," he said. "Large, sophisticated merchants have access to a lot of tools to find suspicious activity."
For instance, they look at device analytics. They examine how fast the user navigates through the shopping cart.
"If you're buying an expensive TV, it might take you three minutes or more to go through the buying process," he said. "A criminal has an automated process that could be two seconds." Merchants also look at factors like the user's location and the operating system he's using, for signs of fraud.
At the same time, card issuers have gotten better at issuing e-commerce fraud alerts and at giving consumers a quick way to respond if a transaction was not theirs. Visa studies have shown that total card losses on accounts were reduced 40% where there was this type of customer interaction.
Some say merchants ought to be required to make online shoppers provide the "card verification value" code on the back of the card, a piece of data generally not captured in data breaches. Some do not, in the interest of making payment as quick and easy as possible.
"In cases where CVV codes are already used, you see a drastic decrease in card fraud," Barnes said.
And online merchants may start to use mobile devices for authentication. Amazon, for instance, lets mobile device users approve transactions with a thumbprint.
Lost or stolen card fraud may not change much, at least initially. A thief who steals a chip and signature card may be able to use it without challenge, since no one ever really checks the signature during a card transaction (and cashiers generally aren't trained in handwriting analysis anyway).
However, lost and stolen fraud has been decreasing for a number of years, and it's currently about 11% of total fraud in the system, according to Nelsen. And here again, risk scoring techniques have gotten better at identifying lost and stolen cards. Visa has launched a geolocation tool that can match the merchant's location against the location of the consumer's cellphone, he said.
"You get on a plane and travel to Brazil, Visa knows the phone is in Brazil," he said. "It's a much less risky transaction."
EMV holdouts will be fraud targets. Observers are concerned that the small merchants who haven't adopted EMV, and the banks and card providers that have resisted the transition, will be fraud magnets.
"My biggest concern is for smaller mom-and-pop merchants, who are either unaware or unthinking through the consequences of this," said Barnes.
The same could be true for smaller banks that have not issued chip cards. Fraudsters could target their cards for counterfeiting, knowing that they can still get away with it.
Eventually the shift to EMV should drive a dramatic reduction in card fraud. In spite of the delays in this country's EMV migration, there should be a gradual reduction in card fraud over the next 12-18 months, Barnes said. "It's going to take time for the technology to be adopted," he said.
Over time, sophisticated authentication technologies such as biometrics will help increase the security of card transactions. Device-based verification could be easily incorporated in an EMV transaction, said Jamie Topolski, director of alternative payment strategies at Fiserv.
"In the latest conversations with banks, they have expressed interest more in using the phone as a biometric," Nelsen said. For instance, banks might require fingerprint recognition in a store transaction.
"It's all going to depend on what is the most convenient way to access your funds," Nelsen said. "The nice thing about biometrics is it's meant to enable more convenience and stronger security."
And the initial confusion and technical glitches that are bound to occur as everyone gets used to this new way of using cards will fade.
"There are going to be some hiccups," said Topolski. "You wish it would be perfect from the get-go. But the pain points will melt away."