EMV, where art thou?

December 6, 2016 MIKE LEVINE

emv_romeo.jpg

Do you find yourself having to ask a retailer whether to swipe or insert your card at the terminal these days? It has been more than a year since the Visa designated deadline of October 1, 2015 and EMV status in the United States is still greatly in limbo, affecting both consumers and businesses alike.  Since this deadline has passed, the liability for fraudulent transactions shifted to the party responsible for not supporting the chip cards. For example, if a retailer doesn’t have a chip-based terminal where the fraud occurs, the retailer would be responsible. However, if the credit card issuer doesn’t provide a chip based card to the customer, the credit card issuer would be liable. 

One would think this would incentivize both industries, as the credit card industry loses approximately $10.9 billion a year due to fraud (solutions.lexisnexis.com) and since 2003, the United States has consistently accounted for about half of the total global loss, but for only about a quarter of the total volume of card payments (www.fas.org). Even with such staggering numbers, the United States is lightyears behind the rest of the world in its adoption rates. So what can be holding US adoption back considering notice of the requirement was provided back in 2011 and EMV technology has been used in Europe for over the past 10 years? A major factor has been the degree of complexity involved for the US compared to the EU, since the US has a much larger amount of financial institutions that would need to become compliant.

About 37% of US retailers were EMV ready as of January 2016 and won’t reach the 90% threshold until June 2017, according to a survey performed by the Strawhecker Group, (files.ctctcdn.com).  The survey of retailers also reported three major hurdles that delayed the retailer adoption of EMV compatibility. 

The first consisted of processor, gateway, and terminal readiness before the deadline as not all cards were functioning or compatible.  Secondly, it has been reported that there were shortages of terminal equipment by manufacturers. And the third reason reported was the restraints of training employees on the technology, having resources install the equipment, as well as having technicians on hand who can repair broken terminals when required.  This is not including the monetary investment requirements by small retailers. 

To see what the end result might be in terms of fraud mitigation, we can look historically at the rest of the world which has been using EMV for some time.

Figure 5. Country Trends in Card Fraud After Adopting Chip-and-PIN Cardschart1.jpgSource: Data collated by CRS from Chip-and-PIN : Success and Challenges in Reducing Fraud, DOuglas King, Retail Payments RiskForum Working Paper, Federal Reserve Bank of Atlanta, January 2012, frbatlanta.org. Data was collected over different spans of time between 2004 and 2010.

Note: Green cells indicate that a particular type of fraud decreased after the introduction of Chip-and-PIN cards. Red cells indicate that a particular type of fraud increased after the introduction of Chip-and-Pin cards. "Decrease after initial increase" means that fraud initially increases for a period of one to three years and then decreased significantly.

According to collected data, credit card fraud for card-present transactions has decreased for every country after adopting chip and pin cards.  Possibly, the initial increases of fraud reported are due to three possible factors:

  • During large scale EMV transitions, millions of new cards are sent out by the issuers to customers. Fraudsters can potentially obtain customer’s credit cards in the mail before they are received. 
  • Phishing attempts likely increase, with the excuse that credit card information is needed to transition their cards to EMV.
  • Improper disposal of old credit cards before they expire.
  • A surge of card-present fraud before fraudsters have to work harder to commit their acts.

Is EMV actually stopping fraud or just moving it?

Some of these reasons above highlight that the current EMV standard in the US really isn’t even an end-all to fraud once the transition is complete.  The US only requires “chip and signature” and not “chip and pin” that most of Europe requires, which in effect only makes it harder to duplicate or clone physical cards. While “chip and signature” creates headaches for the vast majority of criminals, if someone was to lose their card or have it stolen, it would not be any more difficult for fraud to be committed as the current standard.

The requirement of a pin (and therefore dual-factor authentication to make payments) would drastically reduce that potential risk.  Another issue that can be noticed when analyzing the data above is the increase in several countries of domestic and international Card Not Present (CNP) fraud.  As one form of fraud gets tougher to commit, fraudsters will move to lower hanging fruit such as using credit card information online and over the phone where the actual card is not required and are able to do it at an even greater scale. For France and Australia, even though the Card Present (CP) fraud was reduced, the increase in CNP fraud was so great, that the overall fraud rates actually went up.

It would seem at first glance that the U.K. somehow found a way to avoid the CNP fraud increase the rest of the world experienced by the development of more advanced fraud analytics by issuers and merchants as well as increased use of 3-D Secure technology, however a more updated graph shows that it is on the rebound (emc.com):

Figure 3: U.K. CNP Fraud Losses

chart.jpgHopefully, one day the standard would move to CNP transactions by implementing technology such as one time pins generated on the cards themselves or issuers will continue the route Mastercard and Visa have started with their Chip Authentication Program (CAP) and Dynamic Passcode Authentication (DPA) technology which acts as an at-home chip and pin solution for CNP transactions.

Another deadline looms…

While banks and retailers try to catch up with the overdue requirement of EMV support, the banks will be next up to the plate with the October 2017 requirement for ATM EMV support. In a country where most ATMs still run Windows XP, a 15 year old operating system, the transition may prove even more difficult than the current one.

Previous Article
PCI Risk Assessments – Why Is It Important?
PCI Risk Assessments – Why Is It Important?

The goal of PCI DSS is to reduce the risk of credit card breaches. That, however, is a broad statement inte...

Next Article
Reaching Across the Waters: Tips for Using Your Credit Card Internationally
Reaching Across the Waters: Tips for Using Your Credit Card Internationally

As busy season approaches for many auditors and some personal travel during the holidays, our Ch...