Payment Card Security and the Arrival of EMV
The risk of payment card fraud is real, driven by the momentum of eCommerce and its cashless consumerism, reliant on payment cards to perform so many transactions. However, the incidence of payment card fraud is expected to change.
In 2009 a hacker embedded malware on the point-of-sale (PoS) equipment at a Seattle eatery known as the Broadway Grill. According to news reports, every credit card number swiped at the restaurant between December 1, 2009, and October 22, 2010 – more than 32,000 unique credit card numbers – were simply saved to a text file stored on the restaurant’s computer. The hacker then placed the stolen card numbers on “carding” websites and forums, where they sold for $20 to $30 with a “95 percent chance of validity.” Those with a “65 percent chance of validity” sold for $7.
In late 2016, the hacker, Roman Seleznev – alias “Track2,” was found guilty of 38 counts relating to fraud and theft and awaits sentencing.
The risk of payment card fraud has and is real, driven by the momentum of eCommerce and its cashless consumerism, reliant on payment cards to perform so many transactions.
However, with the arrival of the Europay, MasterCard, Visa (EMV) chip technology to the United States, which was officially rolled out in October of 2015, it won’t be so easy, if possible at all, for hackers to do the damage that Seleznev pulled off and many other before him were responsible for.
The magnetic strip on the back of traditional credit cards has personal information about the cardholder that is static and does not change. This had been how cards were authenticated at PoS terminal. With an EMV card, the technology on the microchip makes it more difficult for someone to steal another’s identity. The PoS reader may complete a transaction with a personal identification number (PIN) or a signature and the transaction uses code that is unique to that particular transaction, making it less vulnerable to criminal activity, identity theft or fraud.
The EMV Chip: Off and Running
The full infusion of EMV chip cards is still taking place. Not only did new cards need to be issued to millions of users, but also card readers that accept the chips must be purchased and installed, posing more burdens on merchants and retailers. This burden is outweighed though by an expected reduction in payment card fraud. There are now some 300 million-chip cards in market. About 1.2 million merchant locations are now accepting chip cards. An average of 23,000 new merchant locations become chip-ready each week.
But has it truly knocked down the incidence of fraud?
According to a study by ACI Worldwide and Aite Group of more than 6,000 consumers across 20 countries, payment card fraud is on the rise. Their research shows that 14 out of the 17 countries surveyed in both 2014 and again in 2016 reported an increase in fraud from debit, credit and prepaid payment cards between 2014 and 2016.
"Card fraud rates are on the rise in the majority of countries included in the survey,” says Ben Knieff, senior research analyst, Aite Group. “The data shows that consumer education and customer service remain a challenge for financial institutions globally, as risky behavior has a direct correlation to experiencing fraud.”
Just as the infusion of chips and chip readers will take time, so will their effectiveness in reducing payment card fraud. A year of run time may not be enough to notice a reduction in incidents, though some say it has already made a difference. Others, namely the FBI, warned from the very beginning that EMV cards were “not a panacea.”
When EMV cards were first rolled out a year ago, the FBI came out with a warning – much to the dismay of bankers who stood to profit from their utilization – that “Implementing EMV alone is not a panacea. Securing the payments system requires stopping fraudulent transactions wherever they may happen (in person, online, via mobile device or over the phone). That requires a layered approach to security, including solutions like tokenization, encryption and biometrics.”
The FBI later retracted their statements, but continued to have backing from organizations such as the National Retail Federation.
“What the FBI is saying is what the rest of the world already sees as common sense,” says NRF Senior Vice President and General Counsel Mallory Duncan. “It’s the right thing to do, and we hope the banks are listening. Retailers are determined to protect their customers. That’s why we are pushing the banks to use all of the security the new cards are capable of providing, not just half. They shouldn’t lock the front door but leave the back door wide open.”
Although incidents of fraud do seem to have increased over the past two years or so, most believe EMV cards are reason for optimism. However, the culture of the entire transaction supply chain – from PoS consumer, to merchant, to processor, to bank and perhaps a few others in between, is not always as cohesive as it could be. Not all stakeholders are fully confident in the technology as well as liability and responsibility by others in the payment card transaction chain.
“For the first time in many years, we are beginning to see levels of card fraud decreasing, providing a needed reprieve for exhausted consumers and financial organizations,” says Andrei Barysevich, Director of Eastern European Research and Analysis at digital security consulting firm Flashpoint. “The rollout of smart EMV cards is finally yielding positive results, as criminals are struggling to find workable solutions to bypass the implemented security controls. “However, despite evident advantages, many business owners remain hesitant to accept smart payment cards, mostly due to flaws in the technology, which requires a much longer processing time, inadvertently risking becoming a target for criminals and putting customers’ information at risk.”
Consumers and end users aren’t fully liable for losses from a compromise of their payment cards. And the larger credit card companies are often insured against loss. Merchants, however, seem to have more liability.
The National Retail Federation’s research indicated that since the implementation of EMV, retailers have been challenged with a higher-than-usual number of charge backs. Under liability changes imposed by the card industry that came with the EMV rollout, merchants must now absorb fraud costs through charge backs when a card is counterfeit and the retailer does not have a certified chip card reader in operation. Before EMV, the bank that issued the card absorbed counterfeit card fraud from in-store transactions.
"These cultural challenges make it difficult to adopt any new security process,” says Nathan Wenzler, Principal Security Architect at AsTech Consulting. “Think of what would likely happen if banks added a mandatory PIN for every credit card use – much like is done outside the U.S. currently. Users who aren’t used to this will complain that they’re being asked to do something inconvenient, the credit card companies will be faced with customers who are upset by the changes, and merchants are now responsible for purchasing and installing the new machines that support entering a PIN number, which if their customers are complaining anyway, may seem like an unnecessary expense caused by the credit card company. The technology to secure credit card accounts is out there, but getting the support to implement these technologies from users, merchants, banks and credit card companies is the key challenge to actually make it happen.”
The Road Ahead
According to joint study by the National Retail Federation and Forrester Research, credit and debit card fraud by implementing EMV chip card acceptance has become retailers’ top payment issue in 2016. However, for most retailers, this is not enough.
More security enhancements such as point-to-point encryption and tokenization to better protect payment card data are required. The study found 93 percent of retailers surveyed expect to have point-to-point encryption in place by the end of 2017 and that 61 percent expect the same for multichannel tokenization.
“The most significant threats we foresee will not be related to the technology itself, but rather to the false sense of security in the minds of business owners and the financial industry, and the disastrous results of a blind faith in the invulnerability of technology,” says Barysevich. “What we see, time and time again, is that once the level of potential payoff reaches a tipping point of ‘too big not to steal,’ criminals always find the resources or the methods to rig the system.”
Where in the World is Payment Card Fraud Most Prevalent?
In 2016, Mexico leads the way at 56 percent, followed by Brazil at 49 percent and the U.S. at 47 percent. In 2014, the U.A.E, China, India and the U.S. topped the list.
The U.S. is the only country to remain on the top three list both years (2014 and 2016), due in part to being a laggard in the roll-out of EMV chip cards, with skimming and data breaches continuing to be security challenges.
54 percent of consumers globally exhibit at least one risky behavior – such as keeping a PIN with the card – which puts them at higher risk of financial fraud, compared to 50 percent in 2014.
Consumers in Brazil exhibit the riskiest behaviors among countries in the Americas: 27 percent of consumers leave their smart phones unlocked when not in use, compared with 29 percent in Spain and 36 percent in Thailand.
European countries experience less card fraud than countries in the Americas, due to earlier adoption of EMV and other security advancements.
Source: ACI Worldwide 2016 Global Fraud Survey