Happy New EMV Year! That’s right, 2015 marks the beginning of a big year for the retail and payment industry as it marches toward the mandatory October 1, 2015 deadline for EMV implementation in an effort to help reduce fraud in the U.S. Given some of the major retail breaches over the last year, many feel this deadline can’t come soon enough. However, this transition will be an enormous one, and many expect to see several hiccups, or in the spirit of the season, a few holiday bulbs broken, along the way.
EMV, which stands for Europay, MasterCard and Visa, (the founding card brands that developed the technology) refers to a global standard for payment cards embedded with computer chips that are used to authenticate card transactions. Why is October 1 so important? This is when fraud liability will shift from card issuers to merchants—unless their terminals are upgraded to accept EMV cards. If the merchants do not comply, they will begin to share in the cost of “card present” fraud (i.e. an in-person transaction). Today, card issuers bear 100% of the liability for “card present” fraudulent transactions. If a merchant does not upgrade its POS software to be EMV compliant, it will be liable for card fraud where the issuer has distributed EMV cards.
The costs tied to meeting this deadline are exorbitant. Banks must replace the magnetic stripe cards with new chip and PIN cards, and retailers must upgrade their POS terminals. No small feat here given the number of credit cards in circulation and merchants in the US.
The US will be the last major industrialized nation to implement EMV, as these payment cards have been successfully adopted in Europe, Canada and many other parts of the world for several years. The chips within these cards, combined with either a PIN number or a signature, offer enhanced security during transactions and the countries where they have been implement have seen significant decline in fraud. That is the good news.
Will EMV Be The Fraud Prevention Magic Bullet?
But as fraud history tells us, locking down one channel just opens up another. That is also the case when it comes to EMV implementation. In countries using EMV terminals, credit card fraud has shifted into the online space. For example in the U.K., “card not present” fraud tripled following EMV adoption.
So although chip-and-signature is more secure than magnetic stripe technology, it will in no way be the end of fraud. In a recent article by IT security research company, Software Advice, our own Bryan Jardine explains that while we can expect EMV to help reduce fraud, it will certainly not be the end of it. Rather it will likely just shift fraud to other forms in the transaction channel such as the “card not present” scenario stating, “ You might reduce counterfeit card [or ‘card present’] losses, but you’re really not affecting overall losses from a percentage perspective. Criminals are interested in low-hanging fruit, he continues, and online fraud is “very simple” to do.”
EMV terminals can only protect against “card present” fraud situations. If a merchant also accepts other forms of payments, such as online payments or even bank checks, the chips offer no protection in these transactions.
As you’ve heard be say before, there is no single solution that is a magic bullet in the fight against cybercrime. EMV, tokenization, and P2PE need work together to fully protect a merchant for the payment. Tokenization addresses the storage of card data, EMV addresses the authentication of the card using a chip, and P2PE addresses the transmission of card data.
So while we should be looking forward to the increased security the mandatory EMV implementation will provide, it is also important to understand that fraudsters are shape shifters and a multi-layered approach is absolutely critical to continue to protect all channels of the payment ecosystem.
Happy New Year!