EMV: One Tactic in the Continuing Quest for Payments Security
It has been a little more than a week since new credit and debit card fraud liability rules went into effect in the U.S. These rules were not promulgated by the federal government but were driven by the card industry in response to persistent fraudulent activity involving magnetic stripe cards. This response also calls on, but does not require, retail merchants to upgrade their payment terminals to support the EMV (Europay, MasterCard, and Visa) chip technology – a potentially costly endeavor. The switch is not a panacea for card payment security, and it will take time to implement given the enormous task of moving from magnetic to chip-embedded cards. Still, it is one step toward greater payment security in the ever evolving game of Whack-A-Mole between payment system stakeholders and fraudsters.
As of October 1, card fraud liability shifts to the retailer or the card issuer, depending on who has the lesser technology when a customer uses a chip-enabled card. However, if both parties have made the upgrade, then the liability remains with the card issuer. This relationship remains in place if people continue to use magnetic stripe cards.
The shift to EMV cards with chip technology is a response to the growing fraudulent activity occurring with magnetic strip cards, with many of us having received new cards embedded with the chip technology. According to a recent study, while the U.S. generates roughly 21 percent of gross card volume globally (~$8 trillion), the country also accounts for nearly 50 percent (~$8 billion) of gross card fraud losses globally. In addition, it is surprisingly easy to make counterfeit magnetic strip cards, especially due to the same static code used in every purchase. Counterfeit card fraud makes up approximately two-thirds of total card fraud occurring in U.S. stores today, according to testimony from Stephanie Ericksen of Visa. The chip technology is able to reduce fraud at the point-of-sale (POS) due to the dynamic security code that follows each transaction—making it extremely hard, if not impossible, for fraud perpetrators to counterfeit chip-enabled cards.
While this technology is new to the U.S., most other countries made the switch to EMV more than a decade ago. One of the reasons for the delay in the U.S., as explained by Scott Talbott of the Electronic Transactions Association during a House Small Business Committee hearing, is the country’s continuous access to the internet, where merchants are able to process and receive authorizations for transactions in seconds. As such, there was little reason for switching to alternative authentication methods at the POS. This contrasts with Europe, where merchants were in need of a verification method at the POS since they used an offline method of authentication where authorizations were cleared in batches at certain times of the day, when the customer was no longer present. This lag time contributed to significant fraud, leading to the creation and adoption of EMV technology.
The switch to EMV will not happen overnight in the U.S., despite the October 1 deadline. According to Ericksen, it will take roughly two to three years before the U.S. sees 60 to 70 percent of its domestic payment volume from a chip card used at a chip terminal, and four to five years to achieve 90 percent – a projection that was also forecasted by Forrester Research Inc.
Adoption of EMV is a daunting task when you consider that banks and credit unions will replace 1.2 billion cards in the U.S. with the chip technology. Roughly 8 million U.S. merchants are expected to make the switch, and consumers will have to learn how to dip vs. swipe. There are some positive signs already, such as the fact that 150 million Visa chip cards have been issued so far. This makes the U.S. the largest chip card market in the world—and part of the roughly 500 million chip-enabled cards estimated to be issued in the U.S. by mid-2015.
That being said, the extent to which small businesses will make the switch is anyone’s guess. While large retailers have or are in the process of upgrading their systems, recent reports suggest that only 25 percent of merchants are likely to meet the October 1 deadline—a far cry from previous estimates depending on the survey/study. The cost to upgrade remains a factor despite efforts by PayPal, Square, Intuit, CardFlight, and others to reduce the burden. The other question from retailers is why upgrade when the use of card-not-present (CNP) transactions is expected to continue to steadily grow for the foreseeable future?
Even with EMV cards, criminals have found ways to make fraudulent purchases. As Europe has experienced, the switch to EMV has led to fraud moving online. CNP fraud is expected to grow considerably in the coming years, with the U.S. expected to see losses of more than $6 billion by 2018. CNP fraud currently represents 45 percent of total U.S. card fraud. The never-ending game of Whack-A-Mole continues.
Source: Rippleshot White Paper: EMV Adoption in the U.S. (2014)