A technology most Americans have never heard of is helping to reduce fraud in the Payment Card Industry (PCI). EMV technology, or the use of Chip and PIN cards, will soon change the consumer landscape in the U.S. PCI has set an October 1, 2015, deadline for all bank-issued credit and debit cards for MasterCard, VISA, Discover and American Express. In addition, merchants of all sizes are being pushed to upgrade their Point of Sale (POS) networks to accept these “smart cards.”
This day on the calendar also brings with it a “shift in liability” which could mean an acceptance of fraud liability as much as $10 billion, according to a recent report from the Data First Corporation. Combine that figure with one found in a new report from Barclays revealing 47 percent of the world’s credit card fraud happens in the United States, and it’s clear the days of using the current “swipe and signature” cards in the U.S. are numbered.
We’ll get to more on how those numbers play into a possible high-stakes game of liability poker in a moment. First, SecureState does not believe that EMV tech will save the world, but it will make it safer, meaning it will reduce payment card fraud, but not eliminate it. Indeed, there is no silver bullet in cybersecurity. But seeing some level of fraud reduction in the U.S. should lead to less of a land of opportunity for cybercriminals. This type of “smart card” technology has already shown success in Europe over the past decade (EMV chip and PIN has been around for 20 years). It is now at an 81-percent acceptance rate there, with success specifically in the U.K. (70-percent reduction in fraud) and France (80-percent less fraud). But it took Europe those 10 years to reach those acceptance levels. Will the U.S. see this level of success? Not immediately, as adoption rates are expected to fall in line with adoption rates around the globe, between 25 and 35 percent at implementation.
Back to the 47 percent figure now: America carries the top payment card fraud level on the planet. Not surprising, really, since the U.S. is the last industrialized nation to adopt EMV tech. The current “swipe and signature” system used at POS merchants is inferior to Chip and PIN. The chip-enabled cards provide extra security, as the chip generates a random number for each purchase, and consumers are required to enter a PIN each time they make a transaction. The chip is more difficult and more expensive to counterfeit compared to a mag-stripe card, where the card data can be “skimmed.”
The fast-approaching regulation is voluntary for both bank card issuers and merchants, but the shift in liability is mandatory – and that’s the focus. A white paper written by the Mercator Advisory Group for FICO (the people who determine your credit score) outlines the impact. By October, the liability for the acceptance of fraud – and its cost – falls on the industry using the lesser technology. For example, a bank issues a consumer a new Chip and PIN card. The consumer uses that card to make a purchase at a merchant. If there’s a breach and the Chip and PIN card is compromised and counterfeited, the merchant suffering the breach assumes the liability for the fraud, if its POS payment system was not EMV compliant. Now, because the merchant was breached, the EMV card was then compromised and counterfeited, and then used at another merchant to buy goods – the second merchant could then also be liable if it has not converted to EMV POS. The reasoning here is that an EMV compliant system would have been able to stop the fraud from the use of a counterfeit card.
Conversely, if a consumer uses an old magnetic stripe card at a merchant – because their bank has not issued them a new EMV card – then the bank card issuer is liable should a breach occur at an EMV compliant merchant. If both bank and merchant are using the same technology (regardless of whether it is EMV or the current standard of using mag-stripe cards), liability remains with the card-issuer. However, nothing changes with “card not present” purchases, such as online shopping. E-commerce merchants are not required to make changes to their payment systems. Thus, banks or card-issuers continue to shoulder the liability burden. Also not affected – for another two years – are gas stations with automatic fuel dispensers (AFD), given the difficulty and cost associated with their makeover. Their deadline is October 1, 2017.
Realistically, who can bite off $10 billion in liability and still afford to chew it? LexisNexis and The Small Business Administration help define different levels of merchants. “Mom and Pop” stores, or those with annual revenues below $5 million -- their consumer traffic is not conducive to fraud-seekers taking the time to break down their cyber doors. Mega-merchants, or those with revenues above $1 billion, will also be able to weather this storm because of their assets, and their cyber liability insurance possibly covering most of the cost associated with fraud caused directly by a breach. Caught in the middle are those large merchants (annual revenue $50 million to $1 billion) and medium-sized merchants ($20-$50 million in annual sales). These are the majority of the businesses in the U.S. Their cyber insurance policies won’t be large enough, based on their revenue. Another factor is their ability to be ready for the liability shift. Obtaining or retaining cyber liability insurance could depend on it.
“Carriers are expecting organizations to be moving toward EMV implementation, or at least be able to tell a good story,” said Spencer Timmel, Privacy and Cyber Liability Product Leader with insurer Hylant. What this means, Timmel further explained to me, is merchants of any size will need to communicate with their cyber liability provider on where they stand on making the switch. If they’ll become EMV compliant within several months of the October deadline, they’re likely to be kept on by their provider, and possibly won’t see any increase in their premiums. However, merchants that reveal they won’t make the EMV switch for a year or more face a significant rate hike, and possibly even losing their cyber policy.
The proven success of EMV in reducing fraud is driving this October deadline. So will migration to EMV stop the appearance of a tidal wave of fraud in the U.S.? No. But it will slow it down.