The U.S. accounts for more credit card fraud than the rest of the world combined, so it should come as no surprise that the country is moving to embrace more secure EMV-enabled credit and debit cards. What may, however, be surprising is that the move began not five or ten years ago, but at the beginning of October, about a decade or so behind Europe and much of the rest of the developed world.
EMV is a technology that has virtually eradicated card-present credit fraud elsewhere, but in the States it’s off to a tepid start, with neither consumers nor retailers particularly keen on switching out payment cards or investing in new, EMV-compliant terminals. But thanks to new rules that shift fraud liability from card issuers to retailers, the question of technology adoption is no longer a matter of “if,” but “how quickly?”
As it turns out, the answer to “how quickly” is “well beyond the deadline,” with the mass migration to EMV underscoring just how difficult it is to replace an estimated 1.2 billion credit cards and 15.5 million points of sale. Meanwhile, a pressing question remains: with cyber crime on the rise, what security challenges won’t be solved by EMV?
A brief history
Until the mid-1990s, all credit and debit card transactions were processed in one of two ways: A) via the magnetic stripe on the back of the card or B) through a physical imprint of the raised numbers and text on the front. While the latter method has mostly fallen into disuse, magnetic swipes are still far and away the most common method for processing transactions in the U.S.
There are a number of security flaws inherent to magnetic swipe transactions. Someone who’s learned to forge the signature on a lost or stolen card can easily use it to make purchases and, often enough, merchants don’t bother to verify the signature in the first place. In recent years, it’s also become increasingly simple for fraudsters to obtain technology enabling them to read a magnetic stripe at the point of sale, and then copy that information to a blank card, in effect cloning the user’s credit card.
Founded in 1994, EMV originally took its name from Europay, Mastercard and Visa, who together created the standard to provide better card security and overcome some of these inherent challenges. Today it is managed by a consortium called EMVCo, comprising the original members plus American Express, China Union Pay, JCB and Discover/Diners Club International.
Early success – and U.S. resistance
Practically since day one, EMV-enabled cards have had an enormous impact on credit and debit fraud worldwide. In France, where an early form of smart cards first appeared in 1992, card fraud has dropped by more than 80 percent.
“Outside of the U.S. where they’ve implemented EMV technology, card-present fraud has been virtually eradicated,” said John Bourke, cyber insurance leader, financial institutions for Aon Risk Solutions. “Obviously there are other avenues, but it’s like locking your car. Let the thief steal the car that’s open or the one with the keys in the ashtray.”
MasterCard’s liability shift for most of Europe occurred on January 1, 2005, while Visa’s took place a year later. Many African and Asian countries transitioned around the same time. In every region where it has been introduced, card fraud has fallen.
Yet despite EMV’s early success in curbing card-present fraud around the world, American businesses, banks, card issuers and consumers all resisted the move to new standards. This can be ascribed to a number of factors, albeit anecdotally. Bourke says the primary reasons were retailers’ aversion to investing in new POS terminals and fear of alienating customers by disrupting entrenched transaction habits (i.e. swiping as opposed to dipping).
No silver bullet
While the switch to EMV compliance is sure to reduce card-present fraud in the U.S. as it has in other countries, it’s important to note that it’s far from a catch-all solution. In the UK for instance, while certain kinds of card fraud dropped 67 percent in the years following EMV adoption, incidents of card-not-present fraud exploded. Many in fact argue that overall card fraud is still just as prevalent – it’s simply shifted to alternate channels.
But most strikingly, the U.S. card industry has mandated only chip-and-signature cards, whereas the rest of the world utilizes chip-and-PIN EMV cards. In effect, this means that EMV protections will do nothing for lost and stolen cards. The industry defends this by claiming that fraud from lost and stolen cards makes up a relatively trivial percentage of overall fraud, but some estimates peg the number as high as 35 percent.
In either case, and in spite of the October 1 deadline, the rollout of millions of new POS terminals – not to mention the more than 1 billion cards that need to be replaced – is likely to be a protracted one.
While the U.S. rollout continues, Bourke notes that there are many unanswered questions: What happens the next time a major case of card-present credit fraud is caused by a non-EMV compliant terminal? Will credit fraud begin bankrupting retailers? Will the rise of cyber risk – which entered the top 10 of perceived risks in Aon’s Global Risk Management Survey for the first time this year – mean that even EMV begins to be perceived as insecure, and demand for biometric security begins to rise?
None of this is outside the realm of possibility, but for now, there’s little to do but wait and watch as events unfold – while keeping an eye on the emerging hacks that could make even today’s improved financial security as safe as a purse with a hole in it, and the emerging technologies that could make our money more secure than ever before.
“The real problem is that there are still very few EMV-certified solutions available. Merchants with the most simplistic of point of sale configurations, a cash register and a terminal, can buy EMV-ready terminals. But these are the same merchants that are most likely to drag their feet through the upgrade process as the business case is not very strong for low-volume merchants who don’t see a lot of chargebacks.” – Rick Oglesby, partner at Double Diamond Research
“While many of the major retailers transition to new point of sale systems, the question for small to mid-size retailers is whether or not the benefits of chip technology are reason enough to invest in new POS terminals immediately. Since this is the first change in credit card technology at mass scale, we are interested to see if consumers are more apt to utilize the transition time to explore new payment technologies such as NFC and other contactless payment methods.” – Kevin Levitt, vice president of business development at Credit Karma
“Although EMV cards provide greater security than traditional magnetic strip cards, an EMV chip does not stop lost and stolen cards from being used in stores, or for online or telephone purchases when the chip is not physically provided to the merchant, referred to as a card-not-present transaction. Additionally, the data on the magnetic strip of an EMV card can still be stolen if the merchant has not upgraded to an EMV terminal and it becomes infected with data-capturing malware. Consumers are urged to use the EMV feature of their new card wherever merchants accept it to limit the exposure of their sensitive payment data.” – U.S. Federal Bureau of Investigation
“It does seem somewhat puzzling this didn’t happen sooner, especially when you consider the cases where massive retailers have been breached and the issuing banks effectively got stuck with card reissuance costs, lots of costs that technically they probably did not have to eat. It was just a matter of time before the banks had to say, ‘Hey, wait a minute.’ If we’re not all using the latest and greatest technology and as a result of that there’s fraud, then someone’s got to pay.” – John Bourke, Cyber Insurance Leader, Financial Institutions, Aon Risk Solutions