The EMV Shift Has Not Reduced Crime Risk

The capacity for EMV cards to swiftly and drastically reduce payment card fraud in the U.S. is by no means assured.

About a half year after the shift, there are still breaches, fraud and skimming crimes, and in fact, it’s as bad as it’s ever been. For Europe and Canada (who’ve been using EMV technology for a couple of years now), criminals have simply shifted fraudulent use of payment card accounts to online purchases—where the physical card does not come into play—and, security and banking experts expect a similar pattern to play out in the U.S.

Taking all of these factors into consideration, I’d like to explore the current challenges with EMV technology and its liability shift, and what financial institutions can do to help transition their commercial customers.

Small to medium sized businesses are slower to switch, and particularly vulnerable. Based on the fact that EMV technology adoption is not a mandate, SMBs are methodically assessing the risk versus the reward its adoption. Hacking continues to make headlines, and now that card networks have introduced rules that merchants are responsible for fraud losses, SMBs are at greater risk than they were before. According to Brian Engle, executive director of Retail Cyber Intelligence Sharing Center, many SMBs are going to accept risks of not adopting the EMV technology and move at a rate that’s more appropriate for the size of their organization, from a transactional volume perspective.

In a recent Visa survey, seven out of 10 Americans now have at least one chip card in their wallet. However, a recent survey from Harbortouch shared that the majority of consumers thought swipe cards were more convenient and quicker—revealing that more people were worried about speedy processing times than chip card security or availability of EMV terminals, which could steer smaller retailers away.     

Additionally, many SMBs didn’t understand the importance of switching over to EMV technology and had underestimated the time and expense associated with the switch. Because there have been so many merchants waiting until the last minute to switch, manufacturers of EMV equipment are unable to keep up with the demand.  

These reasons are why only a third of POS machines have been updated to EMV technology, making these merchants more vulnerable to attacks.

Educating merchants and their customers about cryptogram. Unlike magnetic-stripe cards, EMV cards are more difficult to counterfeit because the chip contains a cryptogram. When the card is inserted into the POS terminal—rather than being swiped—the cryptogram creates a token that’s unique to each transaction, and all the information is encrypted as it’s transmitted to the terminal and the bank.

As mentioned earlier, this transaction process takes a few seconds during which the consumer must leave his or her card inserted in the POS terminal. U.S consumers are in the process of modifying their behavior at the checkout stand, but it’s up to the merchant to explain to their customers that patience for a few seconds is required. Those precious seconds of inconvenient waiting represent an investment in tighter security.

Unfortunately, it won’t be as secure as Canada or Europe’s chip cards because EMV cards generate a one-time authorization token and are designed to require the user to enter a PIN as a second factor of authentication. And, PIN compliance was not part of the October 2015 deadline. Thus most EMV in-store transactions in the U.S. still require only a signature, which, of course, any imposter can forge.

Criminals, on the other hand, won’t be able to hack into store networks and steal any useful transactions data. At least not any in which chip cards were used.

The new liability shift. The overall goal for the new liability shift with EMV technology was to provide useful guidance and protocols for businesses in assessing the impact of the liability shift on their bottom line, but do merchants understand this? Financial institutions should make it clear with commercial customers that the liability shift applies to costs of fraudulent transactions made at a POS terminal using a counterfeit, lost or stolen credit card. It does not apply to the costs when a merchant’s network is breached, but this can get confusing.

The recent Wendy’s data breach is just an example of the many caveats and conditions around how liability will be assessed. And, the complexity of the payment chain will make that task even harder, especially as many are still in the process of transitioning over to EMV. In this particular event, the data breach was disclosed after numerous stolen card numbers were subsequently used at other merchants, and the trail led back to Wendy’s. So, if not all Wendy’s restaurants have switched over to EMV, the liability would need to be assessed on a card-by-card, site-by-site basis—a very lengthy and pricey process—and merchants need to be aware of this.

This kind of credit card fraud is exactly why U.S. financial institutions are migrating from the magnetic-stripe cards to new technology that uses a much more secure chip. In fact, Aite Group estimates that EMV will significantly reduce U.S. counterfeit card fraud—from an estimated peak of $3.61 billion in 2015 to $1.77 billion in 2018.

At the end of the day, we’ll most likely continue to see fraud on EMV cards if the data is compromised and then used online or at a retailer that doesn’t have a working EMV terminal. Fraudsters will utilize POS malware until they can’t, and SMBs are going to continue to be in their cross-hairs, as the ability to impact these merchants at a high rate is very profitable for them. So it’s up to the financial institutions to properly educate their commercial customers on the importance of adopting EMV technology and properly explain the liability shift to ensure EMV technology is successful.

Eduard Goodman is Chief Privacy Officer at IDT911.