Over the past several months, Visa, MasterCard, American Express and others have replaced magnetic stripe cards in the United States with “EMV” versions.
Chip cards are already the standard in Europe and other parts of the world, where they have proven to be far more expensive and difficult to counterfeit than magnetic strip cards. Card companies say the change is needed because while just over a quarter of the world’s credit card transactions originate in the United States, the U.S. accounts for almost half of the world’s fraudulent transactions, a disparity many attribute to obsolete technology.
The change is being touted as the dawn of a new era in credit card fraud prevention. However, there are doubts it will make a significant difference.
For one thing, EMV security only addresses the issue of counterfeit cards, which account for around 10 to 15% of credit card fraud in the United States. The bigger problem, by far, is first-person fraud. Cardholders refuse to pay what they rightfully owe, which accounts for roughly half of all fraudulent transactions.
EMV also fails to address another significant source of credit card fraud: lost or stolen cards. Other countries have addressed this by pairing the counterfeit protection of EMV with the user-verification protection of a PIN. U.S. card issuers, reasoning that Americans would balk at being asked to do two new things, split the difference, opting for chip-and-signature instead of the more-secure chip-and-PIN.
Finally, it will have no effect on the third and fastest-growing type of card fraud – online and phone transactions, where the merchant never sees a physical card. By all accounts, card-not-present fraud has been rising exponentially as other fraud avenues become limited.
There is no mistaking that EMV is a positive step. It’s high time the United States join the rest of the world. Yet some retailers may be reluctant to invest in what amounts to a stop-gap solution with limited protection.
Yes, under the new rules, retailers will be liable for fraudulent card purchases, but given the credit limits on most cards and the need for a fraudster to be physically present, the actual exposure is going to be relatively small. So small that it may not justify the investment in new point-of-sale technology.
Of note, we expect there may be an initial run on fraudulent activities immediately after the deadline that will likely tail off over time.
Credit card security is a moving target. Fraudsters are resourceful and persistent, which means there is no single magic bullet that will fix this problem. Merchants and card companies both need to be constantly vigilant and use a layered security approach that combines data encryption with user verification and behavioral analytics that screen every transaction against prior purchases to flag aberrant activity.
Like it or not, that’s the price of playing the game.
Scott Laliberte is a Managing Director with Protiviti.
