CIO Magazine: Is EMV the Silver Bullet to Credit Card Fraud?
Your holiday shopping experience will be different next year — at least in how you pay. By October 2015, most retailers in the U.S. will have switched to accepting EMV (EMV stands for Europay, MasterCard and Visa, and is already a standard worldwide).
But EMV, which relies on a chip in a credit card instead of a magnetic strip, is not going to be the magic cure for stopping credit card fraud, experts say. It will tamp down some efforts by hackers, but fraud will still continue — just elsewhere.
Past Point-of-Sale Woes
Despite a common narrative that the adoption of EMV is a response to major retailer hacks like those at Home Depot, Target and Neiman Marcus, the EMV switch has been in the works for years.
In 2012, Visa, MasterCard, American Express and Discover set the Oct. 1, 2015, date as to when liability for fraud would shift from the credit card issuers to retailers if those retailers had not adopted EMV payment terminals (the only exception is pay-at-the-pump gas station terminals–that liability shifts in October 2017).
EMV cards most likely wouldn’t have prevented the recent spate of big hacks, but those hacks did have banks asking about EMV sooner than they might have otherwise.
“Although the Target breach had very little to do with counterfeit fraud, it was the catalyst for many of our clients to pick up the phone and say we want EMV now,” says Bob Legters, senior vice president for product at FIS, a banking and payment technology company.
“If you don’t do it, you will be one of the only guys who is not,” Legters says. “The fear would be if I’m the only guy on the street without bars on my windows, I’m going to be the guy who gets robbed.”
He says his clients are ramping up for next year and will wrap up issuing chip-enabled cards by September. Most will be sending out replacement cards with chips first, then reissuing to other customers even if their cards are not expired.
The only exceptions are clients that currently serve a globally minded customer base, like a pilot’s credit union FIS works for. The credit union has already gone to EMV because customers wanted chip-enabled cards that they would be able to use in Europe.
“It does create a global standard, and that is a good thing,” Legters says.
What Fraud EMV Stops — and Doesn’t
EMV goes miles to halt a very specific kind of fraud: counterfeit fraud. That’s when someone clones your card, and then uses a duplicate of your card to make purchases in your stead.
Right now, it’s easy to steal information from a credit card using a skimmer that reads data from the magnetic strip, which fraudsters use to creates a card with that information. It will be exceedingly difficult to do the same with a chip card.
EMV may also offer protections on what kind of data can be scooped up from a point-of-sale hack. “If EMV had been installed and everyone was using an EMV card, then that data that was stolen could not have been used as easily,” says Rush Taggart, chief security officer of CardConnect, a payment technology company.
But the technology will not stop fraud from card-not-present transactions (CNP), which leaves the entire ecommerce market wide open to fraud.
CNP fraud spiked in Europe and Australia after EMV was widely adopted. In the U.K. alone, CNP fraud was 157 percent more prevalent in 2012 than it was in 2001, making up 63 percent of credit card fraud losses that year versus 23 percent in 2001.
“It’s definitely an improvement, but it’s not the silver bullet for all credit card security because it doesn’t do anything for the ecommerce side,” says Taggart. “It doesn’t help because in a chip card, you still have your 16 digits printed on the front.” If hackers steal data about your card from a database, then they can use it online, whether they have a physical card or not.
Customers Up for Grabs
While some retailers have already installed EMV-ready terminals, the big push will come in 2015. If the transition to EMV does not go smoothly, consumers could look for payment alternatives, whether that’s with another card or with a different way to pay, like a mobile wallet.
“EMV is going to be disruptive to the market,” Legters says, because it’s a “change to the consumer experience, and any time you change the consumer experience, you put [customers] at play.”
Legters says that FIS has been stressing to its clients that they can’t just issue new chip-enabled cards; they need to inform their customers about what the new cards are and how they work. Otherwise, they could lose their customers to other credit card issuers.
The EMV switch could give a boost to payment mechanisms that don’t require you to have your card with you, like Google Wallet or Apple Pay.
“The wallet is going to be very dynamic for the next year,” Legters says.