EMV’s role in fraud prevention has long been a heated debate in the U.S., but it took a data breach that compromised the personal and financial information of up to 110 million Target customers to put EMV on the priority list of everyone from lawmakers to major retailers. This new-found notoriety has brought on a firestorm of opinions around EMV’s place in the U.S. payments ecosystem. The debate won’t be cooling down anytime soon as other retailers, such as Neiman Marcus, Michaels and Sally Beauty, have since fallen victim to security attacks.
Javelin Strategy and Research reports that 13.1 million consumers suffered identity theft in 2013, the second highest level on record, and card fraud was a significant contributor to that number. The damage caused by data breaches will only increase as hackers get more sophisticated and it’s vital that steps are taken to protect all parties involved. Many believe that EMV is one of those steps, but unfortunately not all of the rhetoric out there related to EMV is accurate, mostly due to the fact that the implementation of EMV in the U.S. is not a black or white issue. Here, we outline some of the most common myths around the standard:
Myth: EMV would have completely prevented the recent high-profile breaches.
Truth: Although EMV would have lessened the aftermath of the recent breaches, it would not have prevented them from happening. Hackers gained access to Target’s network using login credentials stolen from a heating, ventilation and air conditioning company that does work for the retailer. The attackers then uploaded malware programs on the company's Point of Sale (POS) systems that stole the debit and credit card data.
Even with EMV in place, a portion of the card-related data can still be unencrypted, or transmitted in plain text. The benefits of the EMV standard would only have kicked in after the breach occurred, by preventing the reproduction of cards from the stolen data. Today, the information encoded on the magnetic strip of a payment card (known as Track2 data), can be captured and then sold to thieves who produce a piece of plastic that can be used to make purchases in-store. EMV cards cannot be reproduced due to the additional encryption, the embedded chip and the cardholder’s personalized PIN needed to make a purchase.
While EMV would have prevented fraudulent plastic cards from being created with the data, card-not-present (CNP) fraud, such as online transactions, would still have been possible. This highlights the importance of EMV not being viewed as the answer to preventing fraud, but instead seen as an integral part of a layered security approach.
Myth: EMV is powerless in the face of growing CNP fraud and should therefore be skipped as we move toward a more e-commerce consumer environment.
Truth: It is true that EMV does not have much impact on CNP fraud, but that by no means suggests the standard should be ignored. Even though online transactions are increasing, the use of plastic cards in-store is not going away anytime soon with purchases made by cards expected to reach $7.1 trillion in 2017, rising to take 50% of the personal consumption expenditure in the U.S. Yes, major advancements are being made on the mobile and contactless payments front, but it will be quite some time before these technologies are adopted on a mass scale.
Skipping over EMV to shore up defenses around mobile and contactless payments would be irresponsible. Leaving cards vulnerable will drive fraud to that payment channel, much as criminals are targeting the U.S. because it is the only major country without EMV. The various channels must be approached through a layered security strategy that assumes any layer could be infiltrated, but has additional safety nets built in to protect sensitive customer data. This strategy should be integrated and cover a range of measures across multiple channels, transaction types and objects (card, account, cardholder, merchant, etc.)
These layers include the perimeter, or the first layer of defense against fraud attempts involving phishing and malware. Browser protection services, security certificates, malware detecting software and anti-phishing solutions are used to ward off attacks, but this remains one of the most easy to penetrate areas.
If the perimeter is breached, user authentication safeguards customers’ account details from malware and phishing attacks, or significantly limits the damage if the fraudster has already obtained these details. This can include multi-factor authentication, for example, asking a customer to verify a site image before logging in. 3D secure and virtual cards are additional lines of defense against CNP fraud. 3D Secure provides online transaction authentication with opt-in from the customer. A virtual card is a one-time-use “card” that is issued online or at an ATM, with disposable details.
If the perimeter has been breached and user authentications fail, limits and customer notifications serve as simple but important methods to limit the damage. Email and SMS notifications can be used to alert a customer to unusual account activity and provide them the info to contact the institution’s fraud department. Financial institutions should also be able to set and revise card usage limits to enact automatic blocks if needed.
Unfortunately, many financial institutions end their protection at this layer, but fraudsters keep marching on. Further layers are needed, such as transaction flow analysis, which is a methodology that uses the comparison of the parameters of the current and previous transactions as well as a comparison of the statistical parameters. Each transaction is analyzed based on rules and algorithms defined by the bank to detect suspicious transactions. An additional advanced layer is object behavior analysis – the statistical analysis of object activity (cards, merchants, etc.) over a certain period of time that enables the tracking of changes in an object’s behavior. The more advanced capability of machine learned methods can recognize common patterns in both object and cluster behavior.
External threats are not the only risks to consider. Employees can also cause breaches, either maliciously or inadvertently. The internal access rights control layer protects data against internal fraud. The Payment Card Industry Data Security Standards (PCI DSS) is a required layer and mandates security card standards for payment card processing and management. EMV is a global standard for card payments and leverages embedded microprocessor chips that store and protect cardholder data. It serves as a further security layer that reduces physical card fraud, or skimming.
Myth: EMV isn’t worth the time and cost associated with the technology implementation and consumer education efforts.
Truth: Security solutions have to be viewed as worth the investment in order to stop fraudsters and protect customers. Non-financial costs must also be considered as consumers become increasingly skeptical of their data security. Target experienced significant stock price decreases and lower sales as a result of its December 2013 breach. And for some companies, the damage to the brand’s reputation could be worse than the financial costs of a security issue. If a large international business saw such significant impacts, imagine the toll on a smaller retailer or financial institution. Implementing EMV should not just be viewed through return-on-investment (ROI) lenses, but with a focus on customer protection.
Looking at other countries’ success with EMV further demonstrates that the impact reductions in fraud have on revenue could in fact be worth the cost of implementation. Interac Association, a Canadian national payment network, recently reported that debit card fraud losses due to skimming are at a record low and have decreased to $29.5 million in 2013 from a high of $142 million in 2009. Furthermore, only 25% of losses in 2013, or $7.3 million, are the result of fraud taking place in Canada. Canada began its nationwide EMV implementation in 2008.
And let’s not forget the United Kingdom, which has long been referred to as a strong example of EMV success. With the introduction of the new cards in the UK, fraud losses from counterfeit cards fell more than 63% between 2004 and 2010. Card fraud resulting from lost or stolen cards dropped more than 61%.
Only time will tell if reducing fraud losses will offset the financial cost of implementation, but the card brands are creating financial incentives to boost U.S. adoption. Both Visa and Mastercard have introduced programs which waive an annual PCI-DSS audit if 75% of the merchant's respective branch transactions are processed through a dual contactless and contact EMV-certified device.
While cost is always an issue, the other benefits provided by EMV should not be ignored. First, there are travel benefits, as many POS terminals and ATMs abroad will not accept magstripe cards, creating serious inconvenience for U.S. travelers. Second, the chip within the card will enable financial institutions to expand the functionality of payment cards because it offers significantly more memory capacity. Issuers will also have more control over transaction limits, off-line capabilities and the ability to block applications than they do with magstripe. This opens cards up to the addition of loyalty programs, contactless payments (if equipped) and other services. These tools could potentially be used to offset the costs of upgrading to EMV, while creating a far superior consumer experience.
It’s easy to bemoan the U.S. as the last holdout on EMV, but the country’s size and financial system complexity will prove to be a substantial hurdle. Unlike in the UK and Canada, there is no centralized body to oversee the EMV transition. Migrating/upgrading hundreds of disparate technology providers, thousands of independent financial institutions and millions of payment terminals is daunting. But daunting cannot equal impossible. Crime rings can be complex international operations, which require cooperative international defenses to combat them. The U.S. plays a key role in closing a gaping loophole and reducing fraud worldwide. Until this country shores up its defenses with EMV, card fraud will continue to run rampant, with U.S. consumers as the easiest target.
Mr. Genovese is vice president of Consulting Services in North America at Compass Plus. He can be reached at firstname.lastname@example.org.