EMV Gets U.S. Debut
It’s usually better to show up late to the party than to miss it altogether. In the case of adopting Europay, Mastercard, and Visa (EMV) technology, the United States strained the boundaries of “fashionably late” on this concept by rolling into the party about 10 years behind most of the industrialized world.
Every time a credit or debit card transaction occurs, two technologies are present: the card itself and the point-of-sale (POS) technology that allows the merchant to process the card’s information. For the last 40 years in the United States, the card technology in the transaction was magnetic stripe, and POS terminals were designed to process the information it held.
However, magnetic stripe technology had numerous vulnerabilities that fraudsters could easily take advantage of. They could skim the information off cards at POS terminals, steal cards out of the mail, hack into a retailer’s system to gain access to card numbers, or simply copy the card number down to be used at a later date to make a fraudulent purchase online.
To combat this, Europay, Mastercard, and Visa created a new card technology: EMV. Instead of storing payment information in a magnetic stripe, EMV cards use secure microprocessor chips that store information and perform cryptographic processing during a payment transaction.
“Unlike a magnetic stripe card, it is virtually impossible to create a counterfeit EMV card that can be used to conduct an EMV payment transaction successfully,” according to the Smart Card Alliance, a multi-industry association that promotes understanding, adoption, and use of smart card technology.
Along with the chip, EMV cards also require a second consumer authenticator—typically a four-digit PIN—to complete the transaction. This helps ensure that even if the physical card is stolen, it cannot be used to make a fraudulent purchase. As a less secure alternative, EMV cards can also use signatures in place of PINs, requiring consumers to sign that they accept the charge before the transaction is finalized.
France rolled out EMV technology using chip-and-PIN cards almost 20 years ago, and the rest of Europe and the United Kingdom followed suit in 2006 by implementing a “liability shift” (legally shifting liability for fraud to the party in the transaction—the card issuer or the merchant—with the least secure system). Since then, Canada, Latin America, Africa, the Middle East, and the Asia Pacific have adopted the technology. As of December 2014, there were 3.4 billion chip payment cards in use globally, and most POS terminals in the implementing regions were capable of processing them.
The United States, however, was left behind until October when it implemented a liability shift similar to Europe’s that is designed to encourage card issuers and merchants to use EMV technology. But some experts are questioning how effective the shift will be and whether the United States is following best practices to prevent credit and debit card fraud.
For example, if a consumer uses an EMV-enabled card to pay for something, but the merchant doesn’t have an EMV-enabled POS system and instead processes the card as a magnetic stripe transaction, the merchant will be held responsible if the purchase was fraudulent, explains Randy Vanderhoof, executive director of the Smart Card Alliance.
Some large merchants—like Target and Walmart—rolled out their EMV-enabled POS systems prior to the deadline, but many other vendors did not. In fact, Vanderhoof estimates that only roughly between 35 and 50 percent of U.S. merchant locations were EMV-enabled by October.
Merchants may not have met the deadline because changing their POS systems is a complex process where they have to physically replace terminals and install the necessary software to process chip card transactions, he says.
Additionally, this is a once-in-a-lifetime change for most merchants, who’ve used magnetic stripe technology since their inception, Vanderhoof adds. “This is not something they normally do; it’s not something they have a lot of expertise in.”
By not installing EMV-enabled POS systems before the deadline and continuing to slowly roll them out, however, the United States will likely continue to see hacks into major retailers to obtain card information because merchants will still process transactions using magnetic stripe technology, says Martin Warwick, FICO’s European fraud chief.
“We’re going to constantly see these hacks into major retailers just to get ahold of card numbers where they can make purchases,” he explains. “I think that’s where the trends will push towards, especially for the United States.”
And Vanderhoof has a similar assessment, saying that many experts are warning merchants that if they fail to upgrade their systems to the EMV technology, fraudsters who used to have many merchant targets to go after to create counterfeit cards are going to have fewer and fewer locations where they’ll be able to use those stolen credentials.
These fraudsters “will seek out those merchants that haven’t upgraded their technology because they know they can still get away with those cards working in those retail settings,” Vanderhoof explains. This will create a greater financial incentive for merchants to upgrade, he adds, as more fraud begins to show up in their stores, and which they are liable for if consumers don’t use EMV-enabled cards.
Despite the limited progress made by merchants, card issuers have done slightly better because replacing cards is a routine aspect of their business. By the end of 2015, 600 million of the 1.1 billion U.S. credit and debit cards in circulation will be EMV-enabled, said William Boger, senior vice president and chief legislative council for the American Bankers Association, at an event hosted by Protect My Data in August. Boger further predicted that card issuers may be able to issue EMV-enabled cards to all U.S. debit and credit card holders by the end of 2017.
One concern that experts are raising, though, is that most U.S. card issuers are not issuing the more secure chip-and-PIN cards to consumers. Instead, Liz Garner, vice president of Merchant Advisory Group, said at the event with Boger that card issuers are “doing a disservice to the American consumer” and issuing chip-and-signature cards. “That’s a business-driven decision, not a security-driven decision,” she added, as she explained that card issuers are afraid they will lose business because consumers will not use the PIN versions of cards.
Warwick is familiar with this position; card issuers floated that same concern when the United Kingdom was switching to chip-and-PIN cards in 2004. However, he says that refusing the PIN cards or failing to remember PINs hasn’t been a problem for U.K. consumers.
Furthermore, by adopting chip-and-PIN cards, the United Kingdom was better able to combat counterfeit card fraud, because fraudsters could no longer steal cards and forge a signature to complete the transaction process. According to FICO’s research, Warwick says, counterfeit fraud in the United Kingdom dropped to £72 million (approximately US$117 million) in 2006 from £218 million (approximately US$335 million) in 2004 after chip-and-PIN cards were adopted.
The United States will not be as effective in countering this kind of fraud because fraudsters could still steal cards and use them to make purchases. It’s “not really going to be that good for lost and stolen fraud, and it’s not going to be that good if you send the cards out in the post because [fraudsters] could still steal it and use it,” Warwick says.
Another area of concern with the U.S. adoption of EMV is that, unlike in Europe, U.S. ATMs and automated fuel dispensers—self-serve gas station pumps that accept credit and debit cards—were excluded from the liability shift until 2017. This could make them major targets for fraudsters looking to skim cards, Warwick says.
“When you think of how criminals go after money, one was they want the cash so they’d love to have the ATM and the cash,” he explains. “And then they like to compromise card details, and petrol stations or gas pumps—especially the automatic ones—are a nice area for people to compromise and that was happening across Europe.”
FICO also addressed this trend in a recent white paper on EMV card fraud and the rise of skimming in the United States. “The United States has seen an unprecedented increase in attacks on ATMs through skimming,” according to the white paper. “This implies that criminals are making the most of magnetic stripe technology fraud before it becomes far more difficult to get away with in the United States.”
So why has the United States made an exception? “I’d imagine it’s again commercial reasons with the all the petrol stations saying it costs so much to replace these expensive, unmanned petrol terminal pumps,” Warwick says. “So they’ve negotiated an extra couple of years to get all that done. And the same with ATMs, because nothing in this transition is cheap.”