June 22, 2015
By Karisse Hendrick, editor-at-large, CardNotPresent.com
When it comes to credit cards, the U.S. market has been utilizing the same magnetic-stripe technology for the last 40 years to transmit payment data from the cardholder to the card-present merchant. As with any 40 year-old technology, time has caught up with and passed it by in some ways, including how the industry handles security and fraud. One of the biggest pain points that magnetic-stripe credit cards pose is how easy it is to counterfeit cards for use in card-present environments to make fraudulent purchases. According to some reports, counterfeit-credit-card fraud accounts for approximately 40 percent of total credit-card fraud in the U.S.
Due to this large expense, as well as growing security concerns, the card networks have been driving the adoption of EMV (Europay, MasterCard and Visa) chip enabled credit cards for the last four years. But, there has been a bit of a chicken-and-egg standoff between the card issuers and card-present merchants. Issuing banks are not eager to spend the $2-$4 it costs to produce each card (in comparison to $.15 for cards with magnetic stripes) if merchants do not have the upgraded terminals to process these cards; likewise, the retail industry does not want to spend the estimated $35 billion to implement the terminals needed to process these cards because the financial benefit isn’t clear to them.
To loosen the logjam, the card networks imposed a deadline of October 1, 2015 for merchants and issuers to be prepared to process the new cards. While there are definite financial incentives for both parties to be ready, this deadline is not backed by law. According to MasterCard rules on the matter, the solution is simple: “The party, either the issuer or merchant, who does not support EMV, assumes the liability for counterfeit transactions (on outdated magnetic stripe credit cards).” Visa’s mandate is the same.
Until now, issuers have footed the bill for the estimated $3.8 billion in annual counterfeit card losses. But, the opportunity to pass this cost on to merchants has finally gotten the ball rolling on converting to chip-enabled cards. According to a report by Boston-based Aite Group, by the end of 2015, 70 percent of U.S.-issued credit cards and 41 percent of all U.S. debit cards will be chip enabled. [hide for=”!logged”] Although card-present merchants have never had to deal with these chargebacks, the threat has been enough to persuade a majority of merchants to convert their terminals before the deadline. In the same report, Aite predicted 59 percent of all credit card terminals in the U.S. will be chip enabled by October 1, 2015.
Many experts have cautioned that counterfeit fraud in the card-present environment will not end overnight or even in the next few years. The U.S. is the largest and oldest credit-card market in the world. According to a recent study performed by Javelin Strategy & Research, there are 15 million point-of-sale devices, 360,000 ATMs and 1.1 billion credit cards in the U.S. market. If Aite’s prediction comes to pass, that will still leave millions of credit cards and POS terminals not enabled for EMV at the deadline and beyond. With fraud traditionally finding the path-of-least resistance, non-EMV compliant card issuers and merchants most likely will see the majority of counterfeit fraud migrating to their systems. For the foreseeable future, chip-enabled terminals must still be able to process mag-stripe cards and chip cards must still work at non-EMV POS terminals. As long as there is a way to bypass the chip-enabled system, counterfeit cards can still be used, even if both the issuer and the merchant have migrated to the EMV system.
Chip-and-PIN vs. Chip-and-Signature
Currently, 40 percent of the world’s credit cards and 70 percent of all POS terminals outside the U.S. are chip-enabled. Europe, Canada, most of Latin America and Asia Pacific are either fully or almost fully integrated with chip technology. These migrations have happened over the last 10 years, and have been credited with significantly lowering card-present fraud rates and losses. But, despite a history of success around the world reducing counterfeit fraud, there has been much criticism regarding how the U.S. is utilizing this more secure technology.
Most markets that have adopted chip-enabled cards have required PINs at the POS as an additional authentication factor, replacing the traditional signature on mag-stripe transactions. The majority of card issuers in the U.S., however, are not replacing signature authentication with PINs, making the American implementation chip-and-signature not chip-and-PIN. While chip-and-PIN authenticates cardholders using “something you have” (the chip) and “something you know” (the PIN), the majority of all chip-enabled transactions in the U.S. will rely only on “something you have.”
The U.K., for example, saw both their counterfeit-card and lost/stolen card fraud in the card-present channels greatly decrease over a seven-year span as chip cards were adopted. The EMV migration in the U.S. is not expected to see such a decrease in the second category.
The Card-Not-Present Conundrum
While migrating to chip cards will reduce one category of fraud, in one channel, many experts believe that this massive integration will not greatly decrease the $10 billion in total credit card fraud the U.S. experiences annually. Instead, it is believed that it will merely alter the predominant type of fraud to card-not-present and change who gets stuck with the bill.
The implementation, which has become a major expense for retailers required to upgrade their POS systems, has caused many critics to observe that scarce resources devoted to EMV-compliant systems could be used to increase security and fight fraud in more effective ways.
“The single biggest problem with the EMV mandate is that it is focused on trying to solve last century’s problem and completely ignores the reality that retailers are facing today,” said Greg Buzek, president of IHL Group, a Franklin, Tennessee-based retail market research firm. “Twelve years ago when EMV was introduced into Europe, it made tremendous sense. Today, it stands in the way of real data security by stealing critical budget away from focusing on the risks that retailers face from online hackers.”
Next week in this space, look for Part 1 of our three-part series on how retailers are coping with new security requirements promulgated by PCI SSC. Part 2 of our series on EMV returns on July 6, with a look at how EMV affected card-not-present fraud in countries around the world, and what they did to respond.