How will EMV impact fraud in the US?

This post originally appeared on Alaric’s blog.

The EMV roll-out in the US is building speed at long last. It’s been a long bumpy road to get to where we are today, and there is fair bit to go yet. Given all the effort so far it’s important that EMV has the desired effect; to reduce fraud.

But just how will the change impact card fraud as EMV is rolled out across the US? We recently looked at this issue in a whitepaper entitled EMV in the US – how far have we come and where are we going?

Where are we?

A recent report from EMVCo shows a sharp rise in the cards worldwide. There were 2.37 billion EMV payment cards globally, excluding the US, by the end of 2013, up from 1.62 billion 12 months prior.

But so far virtually nothing in the US. However, as the whitepaper shows, things are turning around. From October 2015 the liability for domestic and cross-border card-present transactions will shift to merchants. “The party that is the cause of a chip transaction not being conducted (either the issuer or the merchant’s acquirer or acquirer processor) will be held financially liable for any resulting card-present counterfeit fraud losses,” says Visa. In other words it will be merchants who have to foot the bill if they do not have a suitable terminal for the EMV card.

Jane E. Cloninger, partner at Edgar, Dunn & Company, tells us there is now “very little now to suggest that the timetable for implementation will be blown off course”. A recent Javelin Strategy & Research report suggested the US would achieve EMV “parity” with the rest of the world by 2018.

So if EMV in the US is a done deal, what will the effect be? How will it impact fraud?

Let’s look again at where we are. Right now more than 90 per cent of fraudulent transactions in the US used credit, debit or prepaid cards. Fraud on plastic cards costs more than ACH or check/cheque fraud. The Nilson Report reckons losses for the US payments industry from card fraud could hit $10 billion a year by 2015.

EMV will change the landscape. It will direct fraud away from the card-present sphere just as we have seen happen in other markets where the standard has been adopted. But this time we won’t see the same increase in cross-border fraud. Instead, card-not-present payments, identity theft, internet banking and corporate payments will be targeted.

As the whitepaper point outs, this means it becomes “critically important” for payment service providers, independent sales organisations, processors and acquirers to ensure they have effective fraud detection systems that can protect all channels, all accounts and all payment types from a single platform.

The fact is that EMV doesn’t eliminate fraud; it fragments it. This can be a challenge for organisations that have legacy systems that cannot adapt to the changed environment.

Even in the card present area we can’t expect the EMV wand to eradicate fraud as if by magic. Figures from Visa on EMV transition in other markets indicate merchants can be slow to get ready. If past experience is anything to go by we can expect just 50 per cent of US merchants to be prepared for the liability shift when it happens.

So EMV is not a silver bullet to fix all our payment fraud worries. Some people have even wondered if it’s worth skipping out EMV altogether to focus on new technology that could cut fraud losses. However, I’m certain that without EMV card fraud losses would be significantly higher.

For now I can’t see any point in hanging around to see what happens. Late adopters to EMV will be easy prey for criminals; whether you’re a financial institution or merchant, don’t be the one who’s left with the check at the end of the party.

To learn more, check out NCR and BAI’s webinar on Changing the Game in Fraud Detection.

Why Hasn’t the U.S. Adopted EMV?

EMV chip technology is not new, but why hasn’t the U.S. gotten on board?

With advanced security, endless technology benefits and success in many other markets, it can be confusing as to why Americans are not already seeing widespread use of EMV technology. After the 2013 breach of Target credit cards during the holiday shopping season, business leaders, including Target’s CFO, are now calling for acceleration adoption of the technology.

So why isn’t this more widespread? This infographic breaks down the benefits of the card and some potential  reasons why the payment technology hasn’t been widely adopted in the US.

What do you think about EMV? Will it still be Europe-only?

 

Smart Cards
Source: ComputerScienceDegreeHub.com

How the U.S. Payment Industry Can Cut Through EMV Challenges with Education

Mobile LifeStyleWith the October 2015 deadline for financial services providers (banks, credit unions, merchants, etc.) to fully implement EMV, many industry insiders are facing the challenge of adapting this new technology to the still-developing regulations. Overhead costs, implementation strategies and regulatory relations are all top of the list concern for executives. Further complicating matters is the lack of a centralized project management office to coordinate migration that other countries, including Europe, have the luxury to look to for guidance.  As a result, U.S. providers are forced to deal with 18 regional debit networks that, due to the Durbin amendment, require each acquirer to route transactions via a minimum two competing networks – severely increasing the difficulty of the task.

Not to worry! As with any new product, service or process implementation the proper education and guidance will lead to the desired results, and luckily we can simply look across the pond for experienced help.

First, let’s start with a quick background.

EMV 101

EMV is the technology commonly used in the developed world, less the United States, that replaces the magnetic stripe in credit and debit cards with chip technology. The EMV chip technology reduces credit card fraud to make consumers transactions safer and also provides global interoperability. According to the U.S. Fed, the total number of unauthorized transactions (third-party fraud) in the United States during 2012 was an estimated 31.1 million, with a total transaction value of $6.1 billion; up nearly 10% from 2011. High profile security breaches are becoming far too common, such as the ones recently experienced at Target, Marriott, and Neiman Marcus. Discover Financial Services found that after the EU completed its migration to EMV, the region has seen an 80% reduction in credit card fraud while, comparatively, the U.S. has witnessed a 47% increase.

Regulatory Challenges

Changing industry regulations present additional challenges to implementing new payment processes and systems. A recent federal court ruling on debit regulations, while maintaining the current status quo, will affect the EMV migration in two key areas: merchants choice of debit transaction routings (required to choose a minimum of two competitors), and debit interchange fees. How these two issues are decided will affect how EMV processes will be implemented. It will be crucial for industry executives to keep an eye on this evolving process as we move forward.

Smooth Transition

There are many steps industry stakeholders can take now to help make the migration to EMV as seamless as possible. Developing key strategies for full migration is the first step in the process for many in the industry, but they often face a challenge of establishing effective strategies due to a general lack of knowledge of the process. Industry stakeholders must arm themselves with the appropriate educational services to help them formulate a strategic vision that is booth streamlined and profitable. While it may be unfortunate America is the last developed nation to migrate to EMV, it’s actually a benefit in the educational process as Europe and other countries have recently gone through this experience and can provide valuable information transfer.

Industry executives need not worry about the upcoming EMV migration deadline, but focus on implementing key strategies for their organizations. Lucky for them, they are not the first to go through this process and can look across the pond for valuable lessons that will lead to an easy and expedited transition. Once migration is completed, American consumers and businesses will be much safer with their financial transactions.

 

Gokhan Inonu is a global leader with over 25 years’ experience in EMV migration and financial transactions leadership roles. In his current position as President, Cardtek USA, Mr. Inonu heads the American division of Cardtek Group and oversees operations, sales, marketing and partner management. 

Financial Institutions Need a Can-Do Attitude

 “Don’t mistake activity with achievement.”
– John Wooden, former UCLA basketball coach and 10-time NCAA Basketball Champion

Target, Neiman Marcus and Michaels recently compromised sensitive customer data to hackers, joining Facebook, Gmail, Twitter, and Yahoo!. And those are the ones made public.

Financial institutions (FIs) aren’t safe either: Global Payments (processor for Visa and MasterCard), Bank of America, Citibank, JP Morgan, and Fidelity National Information Services all suffered data breaches recently. Hundreds of millions of dollars stolen and boatloads of personal data exposed to criminals.

Companies, especially FIs, are not doing enough to safeguard sensitive information. FIs scramble to buttress their systems to thwart attacks, while criminals easily elude the safeguards.

If you shop online your information could already be on a hacker’s hard drive, waiting to be bundled and sold to another criminal, making you vulnerable to identity theft and other crimes.

The protection plans offered by credit card companies and FIs do provide additional protection. But, it isn’t enough, and why would consumers pay for safeguards that should be provided automatically? Especially when the “safeguards” aren’t really all that safe.

EMV (Eurocard, MasterCard, Visa) (covered on this blog) would be a step in the right direction, erecting additional layers of protection between FIs and hackers. EMV has been adopted by most of the world, but not in the U.S.

EMV replaces the magnetic strip on cards with a microchip used for authentication and  encrypts the information during the transaction, making it more difficult for thieves and card skimmers to steal. Security is further bolstered when used with a PIN or signature. It is by no means a panacea.

Retina scans and fingerprints could also thwart criminals. Those systems require expensive investment in hardware and new software to support them. FIs and their customers should implement anything that makes it more difficult for hackers.

Dual-factor authentication (2FA) is another, more feasible, option. It adds another level to the standard password login. The FI would send a code via text message to one’s mobile phone, which then is entered by the user to execute the transaction.

Ninety-one percent of Americans already have a mobile phone, according to Pew Research. Convenience alone makes 2FA via text message a logical solution.

Sending out text message codes would require investment in software, but the cost would be meager compared to implementing a scanner or other hardware solution. Twitter, Google and Facebook already support 2FA as an option at login. It should be made mandatory.

2FA has been around for decades but never took hold. If a mobile phone was compromised though, it would carry frightening ramifications. And transactions are still susceptible to Trojan horses, Man-in-the-Middle attacks, and other malware. In fact, all computers are vulnerable to these types of attacks.

Tokens like RSA’s SecurID, 1Password, Toopher, YubiKey and the like that provide one-time passwords have weak points as well, which can serve as gateways for criminals. If breached, they would expose all users’ passwords at once. Not good, and hardly safe.

So what’s the answer?

Disappointingly there isn’t one that ensures total protection in all situations. Hackers are clever and will continue to exploit weaknesses in any, and every, system.

2FA is easy to implement with current technology and is a formidable additional security layer.

Coach Wooden said, “Do not let what you cannot do interfere with what you can do.” FIs need to heed this advice.

About David Sutton: David has a BA in economics and a MS in business journalism, and his articles have appeared on Forbes.com and in the Boston Business Journal. David has had a bank account since he was three.