EMV One Year Later, and the Rise of Card-Not-Present Fraud
October 2016 marks the one-year anniversary of the EMV liability shift in the United States, under which magnetic stripe credit cards were to be replaced by cards carrying a small computer chip. Retailers were likewise supposed to swap out their point-of-sale readers to accept these so-called “chip cards” last October, but here we are, a year past the start of the shift, and according to a recent MasterCard survey, a reported two-thirds still haven’t done so.
What is EMV?
EMV stands for Europay, MasterCard and Visa and is a global standard for cards equipped with computer chips and the technology (payment terminals and ATMs) used to authenticate chip-card transactions. These chip-enabled “smart cards” replace the “mag stripe” technology that was used to read and record account data.
With the old mag stripe cards, the data is encoded in the magnetic stripe and never changes. Cybercriminals were able to intercept that data, making it easy and cheap to clone the card and use it without the owner’s knowledge. With an EMV card, every time it is used a unique transaction code is generated that cannot be used again. If hackers stole the chip information from a sale and made a duplicate card, the duplicate would be denied because the stolen transaction code would not be usable a second time.
When card data from an old mag stripe card was stolen and used for fraudulent charges, the bank that issued the card would typically have to pay. After October 1, 2015, a retailer that had not installed EMV-ready POS devices became responsible for those fraudulent charges instead. Hence, the liability shift.
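The following Python is an added illustration, not part of the original article, and a deliberately simplified model rather than the real EMV cryptogram (ARQC) algorithm: a real chip derives a per-transaction session key from an issuer master key and its Application Transaction Counter (ATC), whereas here a single HMAC-SHA256 key per card stands in for the chip secret. It shows why a transaction record captured at the point of sale cannot be replayed or turned into a working clone: the key never leaves the card, the cryptogram covers the counter, the amount and a terminal-supplied unpredictable number, and the issuer rejects any counter value it has already accepted. The PAN and track string are constructed sample values.

```python
"""Simplified model of why a captured EMV transaction cannot be replayed.

Educational stand-in, not the real EMV algorithm: one HMAC-SHA256 key per
card plays the role of the chip secret, and the issuer tracks the highest
ATC it has accepted so an old cryptogram is never honoured twice.
"""
import hashlib
import hmac
import secrets


def _auth_message(pan: str, atc: int, amount_cents: int, un_hex: str) -> bytes:
    """Bind the cryptogram to the card, its counter, the amount and the
    terminal's unpredictable number (UN)."""
    return f"{pan}|{atc}|{amount_cents}|{un_hex}".encode()


class Card:
    """Chip card: the key never leaves the chip, only cryptograms do."""

    def __init__(self, pan: str, key: bytes) -> None:
        self.pan = pan
        self._key = key
        self.atc = 0  # Application Transaction Counter, incremented per use

    def generate_cryptogram(self, amount_cents: int, un: bytes) -> dict:
        self.atc += 1
        msg = _auth_message(self.pan, self.atc, amount_cents, un.hex())
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": un.hex(), "cryptogram": mac}


class Issuer:
    """Issuing bank: holds each card's key and the last ATC it accepted."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}

    def enroll(self, pan: str) -> Card:
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Card(pan, key)

    def authorize(self, req: dict) -> str:
        key = self._keys.get(req["pan"])
        if key is None:
            return "DECLINED: unknown card"
        msg = _auth_message(req["pan"], req["atc"], req["amount"], req["un"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINED: cryptogram does not verify"
        if req["atc"] <= self._last_atc[req["pan"]]:
            return "DECLINED: transaction counter already used"
        self._last_atc[req["pan"]] = req["atc"]
        return "APPROVED"


def magstripe_authorize(stored_track: str, presented_track: str) -> str:
    """Mag stripe contrast: track data is static, so an exact copy of it is
    indistinguishable from the original card."""
    return "APPROVED" if hmac.compare_digest(stored_track, presented_track) else "DECLINED"


def demo() -> dict:
    """Run the scenarios from the text; returns the issuer's decision for each."""
    issuer = Issuer()
    card = issuer.enroll("4111111111111111")  # constructed sample PAN
    results = {}

    # Genuine purchase: the terminal supplies a fresh unpredictable number
    captured = card.generate_cryptogram(1999, secrets.token_bytes(4))
    results["genuine"] = issuer.authorize(captured)

    # A duplicate card built from the captured data can only replay it
    results["replay"] = issuer.authorize(dict(captured))

    # Editing the captured message (new amount) breaks the cryptogram
    results["tampered"] = issuer.authorize(dict(captured, amount=5))

    # The real card keeps working: its ATC advances and a new cryptogram verifies
    results["next_genuine"] = issuer.authorize(
        card.generate_cryptogram(500, secrets.token_bytes(4)))

    # Mag stripe: a cloned stripe carries the very same bytes and is accepted
    track = "4111111111111111=2512101"  # constructed static track data
    results["magstripe_clone"] = magstripe_authorize(track, track)
    return results


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:16s} {decision}")
```

The order of checks in Issuer.authorize matters: the cryptogram is verified before the counter is compared, so a tampered message is reported as a verification failure while a byte-for-byte replay, whose cryptogram is still valid, is caught by the counter check.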
Is EMV enough?
EMV transactions make it much harder for criminals to make duplicate credit cards and ring up fraudulent charges, thanks to the unique code generated for each transaction. MasterCard stated that fraud data shows a 54 percent decrease in counterfeit fraud costs at retailers post-EMV adoption. However, EMV provides no protection for sensitive payment information while it is transmitted to the acquiring bank. After the card is read by an EMV-ready terminal and validated as genuine, the cardholder data must still be delivered safely to the payment processor, and by default EMV does not provide ANY protection of that data in transit. Criminals use POS malware, memory scrapers and other covert technologies to capture all of the payment data they need from unsuspecting retailers despite the use of EMV, and then use the stolen data for card-not-present (CNP) transactions, which are typically online.
When such data breaches occur, retailers pay a hefty toll in the form of lost revenue, fines and penalties, executive job loss and even board-level lawsuits, as well as loss of consumer confidence and customers.
Card Not Present
According to CardNotPresent.com, counterfeit fraud at the physical point of sale is dropping, while card-not-present fraud is surging. And based on The Global Fraud Index, a PYMNTS and Forter collaboration, online fraud has jumped by 11 percent since the EMV shift. Digital goods merchants have been most impacted by a 300 percent increase in fraud attacks. Consulting firm Aite Group LLC recently estimated that so-called card-not-present fraud will rise to $4 billion this year from $3.2 billion in 2015. It expects that figure to jump to $7.2 billion in 2020.
That card-not-present fraud in the U.S. is surging is no surprise. Regions such as Europe and Canada, which adopted EMV earlier, experienced the same shift to fraudulent card-not-present transactions. EMV makes it much harder and more expensive to replicate a physical credit card, but if fraudsters can steal cardholder data, it is much easier to make online transactions, where EMV does not come into play.
What can be done?
To mitigate card-not-present fraud, businesses should implement security strategies that include additional authentication such as 3-D Secure, end-to-end encryption, and tokenization. These technologies provide the layered protection that plugs the various gaps in the payment transaction data flow. Data-centric technologies such as format-preserving encryption give businesses security solutions that are effective, optimal, scalable, and flexible, keeping cardholder data safe from hackers in case of a breach or attempted theft of data.
Compliance, such as being EMV ready, is not a check-box exercise after which businesses can stop thinking about security. It requires constant vigilance, innovation and the application of best practices to payment card systems to stay ahead of the bad guys. Keeping credit card data out of cybercriminals’ hands is a great place to start in combating payment fraud.
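The Python below is an added example, not code from the original article or from HPE, of the data-centric approach described above and of the gap noted under “Is EMV enough?”: once the terminal has validated the card, the merchant’s own systems should never hold the real PAN. It implements vault-based tokenization: the merchant stores a random stand-in token that keeps the PAN’s length and last four digits and passes the Luhn check, so legacy order systems accept it, while the real PAN lives only in the vault and can be recovered only by an authorized caller. Format-preserving encryption (for example NIST FF1), which the article mentions, produces similar-looking output with a keyed cipher instead of a random lookup; that algorithm is not implemented here. In practice the vault is usually a PCI-scoped service provider; the PAN, order ids and caller names are constructed sample values.

```python
"""Vault-based tokenization: merchant systems keep a stand-in for the PAN.

Educational example. The vault is the only component that ever stores a
real PAN; order records, logs and memory elsewhere only ever see tokens.
"""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def _luhn_sum(number: str) -> int:
    """Luhn sum with the rightmost (check) digit at position 0, not doubled."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) >= 2 and _luhn_sum(number) % 10 == 0


def make_token(pan: str) -> str:
    """Random token: same length, same last four, valid Luhn, never the PAN."""
    while True:
        digits = [secrets.choice(DIGITS) for _ in range(len(pan) - 4)] + list(pan[-4:])
        # Each digit value gives a distinct Luhn contribution mod 10, so the
        # first position can always be adjusted to make the string validate.
        for d in DIGITS:
            digits[0] = d
            token = "".join(digits)
            if _luhn_sum(token) % 10 == 0:
                break
        if token != pan:
            return token


class TokenVault:
    """Only component that stores real PANs; everything else sees tokens."""

    def __init__(self, authorized_callers: set[str]) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_index: dict[str, str] = {}       # HMAC(PAN) -> token
        self._index_key = secrets.token_bytes(32)  # so the index is not a PAN list
        self._authorized = set(authorized_callers)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._pan_index:             # repeat customer -> same token
            return self._pan_index[idx]
        token = make_token(pan)
        while token in self._token_to_pan:     # rule out a token collision
            token = make_token(pan)
        self._token_to_pan[token] = pan
        self._pan_index[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not detokenize")
        return self._token_to_pan[token]


class MerchantOrders:
    """Merchant-side system: stores only tokens, never the PAN."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.records: dict[str, dict] = {}

    def record_order(self, order_id: str, pan: str, amount_cents: int) -> str:
        token = self._vault.tokenize(pan)
        self.records[order_id] = {"token": token, "last4": token[-4:], "amount": amount_cents}
        return token

    def settle(self, order_id: str) -> str:
        """Only the settlement path, acting as the payment processor, recovers the PAN."""
        return self._vault.detokenize(self.records[order_id]["token"], caller="payment-processor")


def demo() -> dict:
    vault = TokenVault(authorized_callers={"payment-processor"})
    shop = MerchantOrders(vault)
    pan = "4111111111111111"  # constructed sample PAN
    t1 = shop.record_order("order-1", pan, 1999)
    t2 = shop.record_order("order-2", pan, 500)
    db_dump = repr(shop.records)  # what a scraper or DB theft at the merchant would see
    try:
        vault.detokenize(t1, caller="marketing-analytics")
        analytics_blocked = False
    except PermissionError:
        analytics_blocked = True
    return {"pan": pan, "token": t1, "same_token_for_repeat": t1 == t2,
            "pan_in_merchant_data": pan in db_dump,
            "settled_pan": shop.settle("order-1"),
            "analytics_blocked": analytics_blocked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

Two design choices are worth noting: the same PAN always maps to the same token, so the merchant can still recognise a returning customer without seeing the card number, and the vault indexes PANs by a keyed HMAC rather than in the clear, so even its lookup table is not a plain list of card numbers.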
About the author
Smrithi Konanur, Global Product Management, HPE Security – Data Security, is a frequent contributor to articles and invited panelist at retail conferences. Recent articles include Payment Ecosystem Security in the September 2016 ISSA Journal, and she was a recent panelist at the Mobile Payments Conference in Chicago. Download her latest podcast on CyberWire where she talks about credit card security.