Don Bush explains how a half-hearted and incomplete EMV shift in the US is leaving the door wide open to fraudsters….
The first of October 2015 saw the highly anticipated EMV liability shift in the US. Some ten years after Western Europe, and twenty years after the technology was developed, EMV cards (i.e. payment cards with a chip to encrypt the information held on cards) were finally to become the norm in the US.
The liability shift meant that if merchants suffered card fraud and they did not have EMV enabled card readers then they would be liable for the costs of that fraud.
Prior to the liability shift, the majority of payment cards in the US used the magstrip to store the card information. Given that magstrip technology was invented during the Second World War, it was very much an analogue technology unsuited for the digital age.
Yet it took the USA a long time to adopt EMV technology. EMVCo figures[1] from quarter one of 2014 showed that while 96.33% of all card transactions in Europe Zone 1 (all of Europe save countries in the former Yugoslavia and former Soviet Union) were made using encrypted cards, in the US, this figure was a minuscule .03%.
Why then was there a concerted shift towards EMV? In 2014, there was a significant number of high profile breaches in leading US retailers. Household names such as Target, Michael’s and Home Depot all suffered from damaging data breaches with millions of card holders finding their personal details compromised.
Out of the 1,500 reported breaches last year, 1,164 were in North America, almost 78% of the total number[2].
It was estimated, prior to the liability shift, that the total costs of making the US EMV compliant would be $8.65bn[3], a considerable sum of money. The 2014 breaches clearly convinced US card issuers that this was, finally, a sum worth paying.
On the first of October 2015, the long awaited liability shift happened. What, then, has happened since? Has there been a drop in fraud? Has it been a success?
Card present fraud
MasterCard have recently reported a strong uptake in EMV chip enabled cards, stating that as of June 2016, nine in ten of their cards in circulation in the US have EMV chips[4]. They also announced that one in three US merchants now have EMV terminals.[5]
In terms of fraud, MasterCard have released data which shows a 54% decrease in counterfeit fraud costs between April 2015 and April 2016[6].
Good news all round then and it has been a complete success.
Not necessarily.
Only one-third of merchants have EMV terminals and this 54% decrease in counterfeit card fraud is only for merchants who have EMV enabled payment devices in-store. For larger merchants who have yet to adopt this technology, there has been a rise of 77% in counterfeit card fraud[7].
What, then, could be causing this?
Where there is a window of opportunity then fraudsters will take it. And, in this situation, the opportunity exists to continue to carry out counterfeit card fraud. While MasterCard might be proud of the one-in-three merchants who have adopted EMV payment technology, the fact remains that two-in-three do not. This means that the majority of US merchants are still open to the same old frauds as before.
Chip and Pin.
In Europe, chip encrypted payment cards are given a further layer of security by cardholders having to enter their PIN on the payment device at the point of sale.
In the US, though, this is still far from the norm. For the most part, the authentication of the card holder is still being done via the signature.
While the addition of the EMV chip in cards might help prevent the cloning of cards, by not using the PIN, it is doing nothing to stop stolen card fraud. A signature is easy to forge and, as US shoppers will testify to, isn’t always checked as rigorously as it could be (if at all). So this takes away much of the power of the technology.
Provided that the PIN is kept secure and not shared with anyone, it is a very secure and simple method of in-store authentication. Without this critical part of the EMV equation, payment cards are still far less secure than they could or should be.
There is also a significant amount of anecdotal evidence that where EMV payment devices are installed they are still not being used. This could be down to a lack of training for staff and a lack of education for consumers, but it is symptomatic of the fact that the launch of EMV in the US has been, at best, half-hearted.
It is to be expected that the PIN part of the Chip and PIN process will come into play in the US but this will require more education both for retail workers and consumers.
CNP Fraud.
In the run up to the EMV liability shift in the US, fraud experts expected a rise in card-not-present fraud. Drawing on the example of the UK, where in the ten years between 2004, when EMV was first introduced in the UK, and 2014, CNP fraud increased by 120%[8], similar was predicted for the US.
While figures for the last 12 months are, as yet, unavailable, there is some evidence to suggest that the predictions are, sadly, coming true.
Figures from the end of Q2 2015 to Q1 2016 (which takes in six months of post-EMV activity) suggests that there has been a 137% rise in CNP fraud in the US[9].
To put this into context, between 2014 and 2015, the UK, in which EMV protocols are long established, saw a 20% rise in CNP fraud[10].
This triple digit rise in fraud seems to suggest that, as predicted, fraudsters in the US are now turning to online fraud in large numbers as the counterfeit card channel is closed off.
As more figures are released from industry and law enforcement bodies, we can confidently expect to see this trend continue.
The worst of both worlds.
What we have seen with the EMV rollout in the US is, in essence, the worst of both worlds. In Europe, while there was a considerable increase in card-not-present fraud (which was also driven by the fact that online commerce truly took off at the same time), this was mitigated by a drop in card present fraud.
In the US, this is not the case. While fraud where merchants have EMV enabled payment devices has dropped, it is rising where merchants do not have them. And given this, a year after the liability shift, still represents two-thirds of all US merchants, this is a deeply concerning trend.
It is the worst of both worlds because the EMV shift is incomplete and will remain incomplete for some time to come. There isn’t so much a gap left for fraudsters as a gaping door. Coupled with the fact that the PIN is still not commonplace as a method of authenticating face-to-face sales, we are left with a situation where card-present fraud is still rising.
Couple this with the sudden spike in CNP fraud and the outlook for fraud in the US and, indeed, worldwide, is looking concerning.
What, then, is the answer?
In the first instance, the EMV roll-out should be completed and completed properly with no windows of opportunity left open to fraudsters. This means that every merchant should have EMV enabled payment devices and authentication should come via something more robust than signatures. Whether this is PIN, biometrics or something else is for another discussion, though.
Secondly, there has to be a cross-industry drive towards tightening up online security. Banks, issuers, merchants, consumers and law-enforcement agencies must work together to stop fraudsters getting access to personal details and usin
[1] http://www.emvco.com/about_emvco.aspx?id=202
[2] CNET, February 2015
[3] http://www.paymentsleader.com/will-retailers-be-ready-for-emv-by-oct-2015
[4] NFC World, 2016
[5] Ibid
[6] PYMNTS.com, 2016
[7] PYMNTS.com, 2016
[8] http://www.theukcardsassociation.org.uk/plastic_fraud_figures/
[9] Card Not Present
[10] FFA UK, 2016
Donald Bush is the Vice President of Marketing at Kount.
Don joined Kount as the Director of Marketing in October 2010 and became Vice President of Marketing in December 2012. Don attended Brigham Young University studying Business Administration and Marketing.
Prior to joining Kount, Don was the Director of Marketing at CradlePoint, a leading manufacturer of wireless routing solutions in the mobile broadband industry. Don has worked in several management roles within the technology segment for over 20 years with both hardware/software manufacturers and as a partner in two top technology marketing agencies. He has led products launches and marketing programs for dozens of companies around the world such as Citi, HP, IBM, Kodak, Motorola and Weyerhaeuser and co-authored the seminar series, “Common Launch Disasters and How to Avoid Them.”