EMV for Fraud Control in United States
“We saw a decrease in fraud of about 75%,” says Vivienne Nicol, senior manager, fraud operations, at ATB Financial in Calgary, Canada. She attributes this achievement to the bank’s embrace of EMV, the chip-based encryption technology that has dramatically reduced fraud in Europe.
With EMV cards adopted in Europe, and now Canada, organized fraud rings have moved to the U.S., where most cards still use the older and more vulnerable magnetic stripe technology. The need for U.S. card issuers to migrate to EMV will be discussed at BAI Payments Connect 2014 in a March 12 presentation entitled “EMV and Fraud: Lessons Learned and Looking Forward.” Along with Nicol, the panelists will include Dan Heimann, vice chairman of the EMV Steering Committee of the U.S. EMV Migration Forum and solutions consultant at ACI Worldwide and Tim Webb, senior vice president, fraud management, RBS Citizens Financial Group.
Heimann says the tide has turned strongly in favor of EMV in the U.S. “Everybody acknowledges we have to do something. The talk has moved away from people wondering if were going to do this to one where people are saying it’s inevitable – we’ve got to do it.”
An added urgency was created by the recent massive breach of 40 million credit card accounts and 70 million customer contact records at Target, followed by breaches at other major retailers. “While EMV wouldn’t have prevented the breach itself, with EMV it would have been impossible for the fraudsters to generate counterfeit cards from the data that was stolen. That’s a key message,” Heimann says.
Making the Deadline
ATB Financial converted to EMV technology in 2012 with personal information numbers (PINs), as required for all banks in Canada by that nation’s Interac Association, a bank-sponsored organization that operates Canada’s electronic payment card system. ATB Financial has 622,000 customers, 171 branches and 272 automated banking machines (ABMs), the Canadian equivalent of U.S. ATMs. The switch to EMV cost about $2 million for 645,000 cards, according to Nicol.
The concerted migration to EMV was made possible in Canada because all debit cards run on a single system and because there were fines for those banks that did not meet the deadlines, according to Nicol. Furthermore, you could be removed entirely from the Interac system for failure to comply. “You’d be out of business if you did not meet deadlines. That’s how hard these dates were,” she says.
In Canada, debit card issuers had to work with acquirers, the intermediaries that connect terminals to central data centers, to make sure that, after ABMs were enabled, “there was no fall back,” says Nicol, meaning that users of debit cards could not use the vulnerable magnetic stripe at ABMs. ATB’s cards still come with a magnetic stripe, which allows the card to be used at Canadian retailers, who have until 2015 to adopt the chip technology.
EMV compliance by Canadian banks is very high. Approximately 94% of all POS terminals and nearly 100% of all ATMs are chip-enabled in Canada, according to Nicol. Fraudsters are skimming information in Canada from point-of-sale locations and the few remaining ABM machines without EMV. “Then they’re doing all the spending down in the United States,” she says.
Banks, retailers and other credit and debit card-issuers, who may have hesitated to improve card security technology because of the cost, are now seeing that any further delay could have significant consequences in the ongoing efforts to mitigate fraud. For example, Target CEO Gregg Steinhafel, who resisted adopting EMV-chip technology in the past has reversed his earlier doubts and embraced the more secure technology. Visa, MasterCard, Discover and American Express have all set timelines for most merchants to accept EMV cards by October 2015 (with gas stations having until 2017).
All four card processors also expect to eventually implement a counterfeit card liability shift policy for merchants, which will put more pressure on merchants to comply with their EMV deadlines. “If your point-of-sale terminals are not EMV-capable and someone comes into your store with an EMV card and swipes the card at the terminal, liability shifts from the card issuer, who has been eating all that fraud, to the merchant,” Heimann says.
Beyond EMV, card issuers and merchants are likely to also incorporate tokenization technology for online purchases. Even with EMV chip technology, fraud can be committed online using stolen information and tokenization prevents that from happening, according to Heimann. “Rather than passing the actual card information, what the point-of-sale machine does is assign a token value to the card number,” he says. “Then the token value, which is encrypted, is what gets passed around and stored in the different systems so that the actual card number is no longer exposed.” This protects cards when information is both “in flight” and “in storage,” points where it could be vulnerable to hacking, according to Heimann.
Indeed, EMVCo, the organization that maintains and modernizes the EMV specifications, has announced that it is looking into building tokenization into the EMV specification. “It’s another measure to further lock a lot of these things down,” says Heimann. Tokenization, for example, could have prevented the kind of card-not-present breach that occurred at Target, he says.
Mr. England is a contributing writer to BAI Banking Strategies and the author of Black Box Casino: How Wall Street’s Risky Shadow Banking Crashed Global Finance.