The Green Sheet Online Edition
October 27, 2014 • Issue 14:10:02
EMV: A silver bullet in fraud prevention?
Take a quick look around your office. Are you still using technology from the 1970s? Are you putting big floppy discs into your computer or playing a quick game of Atari's Pong to unwind during lunch? And forget about your smartphone; back then you wouldn't have even had a Zack Morris brick-phone to make calls on.
Technology from a time capsule
Now take a look in your wallet, chances are you'll find some technology from the era of bell bottoms and the Jackson 5. Yes, we're talking about that bundle of credit cards running off mag stripe technology. For many years now, those engaged in card fraud have been able to exploit the lack of security provided by the antiquated technology of the mag stripe. This has been done by stealing track data – done with skimmers, hacks or other methods – encoding that information onto fake cards and then making purchases with the counterfeit cards.
To combat this kind of fraud, the United States is adopting Europay/MasterCard/Visa (EMV) chip technology to phase out reliance on the mag stripe. Chip-card technology goes back as far as French field trials of the technology in 1984. In the decade following the inaugural French program, there was so much success that the technology spread to other European countries and then beyond.
Since the adoption of EMV in the United Kingdom, the region has experienced a reduction in counterfeit fraud losses by over 63 percent. Considering it appears that this technology is so successful in fraud reduction one cannot help but wonder, why has it taken so long for it to reach the United States?
A recent white paper from the Aite Group LLC predicted that in 2014 only 25 percent of U.S. cards will be equipped with EMV chips, and 98 percent adoption will not be reached until 2017. Forum user www.paymentlogistics.com weighed in on this question saying, "I think the economics of fraud (the fraud threat helps justify interchange rates) have kept EMV at bay in the United States for a long time, but those economics are changing with the rise of data security breaches over the last decade and the threat of government intervention if the industry does not solve the data security problem on its own."
An excellent theory but something we will never likely be able to confirm.
A game of catch up
While the reasons for the delay in implementation may be debated, the fact is that we stand in the shadow of a host of large scale breaches, such as those experienced by Target Corp., the Neiman Marcus Group and The Home Depot Inc. These have brought significantly more attention to the topic while the biggest milestone in the liability shift for EMV acceptance is about one year away.
October 2015 marks the point when the liability shift for counterfeit cards (excluding fuel dispensers), and lost or stolen cards occurs. MasterCard defined the liability shift as such, "The party, either the issuer or merchant, who does not support EMV, assumes liability for counterfeit card transactions."
A year is not that far away when you consider that, according to Javelin Strategy & Research there are about 15 million devices that must be either replaced or upgraded, through the use of a peripheral, in the United States.
We asked the forum what their experience with EMV usage and acceptance had been to date. User amsprocessing said, "I reviewed five retail merchants that have been set up with EMV. They are running about 8 percent EMV transactions."
His sentiment was echoed by user mbruno, who stated, "I have an EMV card and still haven't used it live yet. ... I usually ask why [the merchant doesn't] use EMV – I get a mix of confused looks from wait staff or apologies from supervisors [who say,] 'it's coming soon'."
User bbec, too, voiced frustration about how the whole process has been handled by issuers and processors and how it impacts his client base. "Very confusing for me as to what to do with my merchants," bbec posted. "Issuers are not providing their customers with EMV cards as they should when it is getting somewhat close to the deadline in October. … Then I am supposed to let my merchants know that they should be purchasing terminals that are EMV capable only to find out that their customers are still coming in with mostly the old swipe cards."
The general attitude of the forum appeared to be that, while there has been some EMV adoption, overall this topic has not been handled in a way to make all stakeholders properly informed or prepared for the upcoming change.
That said, though, it is definitely time for the United States to catch up with the over 80 countries that currently employ EMV and upgrade our technology to reduce fraud wherever possible. EMV, coupled with near field communication (NFC) -based products like Apple Pay, stands to play an important role in removing a lucrative avenue of opportunity from criminals.
From the frying pan to the skillet?
While anyone who has taken even a Statistics 101 course will tell you that "correlation does not prove causation," there is an important metric we must place in juxtaposition to EMV implementation to make sure the whole picture is taken into consideration. That is the associated increase in card-not-present (CNP) fraud that has occurred parallel to the reduction in fraud based on counterfeit and lost or stolen cards.
Let's return to the previously referenced Aite Group research and its statistics regarding Canadian fraud post-EMV adoption from the span of 2008 to 2013. Fraud due to counterfeit and lost or stolen cards decreased by 54 percent, from $245.4 million down to $111.5 million, while CNP fraud saw an increase of 133 percent, going from $128.4 million up to $299.4 million. This is actually a net increase of $37.1 million in overall fraud over the course of those five years.
This rise in fraud must be put into context, though, as in December of 2013 when MasterCard Advisors reported a trend of 55 consecutive months (4.58 years) of increases in Canadian e-commerce sales. This means the rising CNP fraud that the Aite Group referenced may simply be a reflection of an overall increase in CNP volume that occurred during the same term.
While that is a possibility, the potential for fraud shifting from one avenue to another is something merchants should be aware of and be prepared for. Luckily, there are a good number of prevention tools out there that a CNP merchant can employ to help avert fraud. Some of them are:
- IP Geolocation: This service runs an analysis of how likely a transaction is to be fraudulent based on several factors, including whether an online transaction comes from a high-risk IP address, geographic area known for fraud or an anonymizing proxy.
- Behavioral analytics: This tool monitors the user's session and transactions to detect suspicious activity or patterns. It looks for unusual behavior during the shopping and/or checkout process.
- 3-D Secure: This service refers to authentication based on a three domain model, thus the name 3-D Secure. This has been popularized through Verified by Visa, MasterCard SecureCode and American Express SafeKey.
Staying one step ahead
In this modern age of payment acceptance, thieves and scammers will continue to try and find every way possible to take advantage of security loopholes. Our industry must work alongside merchants and issuers to make sure we do what we can to prevent fraud wherever it arises. While the process of implementation may have left much to be desired so far, fraud reduction though EMV- and NFC-based payments is an attainable goal that we as MLSs can play an important role in.
Through education in both the card-present and CNP environments, MLSs can assist merchants in preventing fraud through their technical resources and personal knowledge. Whatever approach you take to prepare yourself and your merchants for fraud, keep in mind that just because you may not be thinking about it doesn't mean the scammers aren't.
Tom Waters has been dedicated to the merchant service sales profession since 2001. Currently, he is responsible for cultivating relationships with entrepreneurs in information technology, accounting, sales and marketing in his role as Sales Director of Bank Associates Merchant Services (www.bams.com). Using fresh and matter-of-fact training methods, Tom has contributed to the success of thousands of agents, affiliates and clients. He can be reached via email through email@example.com or via phone at 347-651-1065.
Ben Abel is Regional Director at Bank Associates Merchant Services. Since joining the team in 2006, he has risen through company ranks with a paradigm that his success was measured by the success of those around him. Ben is a dedicated, pioneering trainer whose methods of merchant services consultation have helped many agents expand their portfolios in terms of processing volume, deal count and profitability. He can be contacted at 347-866-9571 or firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.