The Green Sheet Online Edition
December 28, 2015 • Issue 15:12:02
U.S. EMV - outside looking in
The shift to the Europay, MasterCard and Visa (EMV) protocol has been in motion for over a decade. Numerous countries outside the United States adopted the standard as early as 2005, and many others quickly followed suit. By international standards, the United States and Mexico, both of which recently began migration to EMV in earnest, are latecomers.
Nevertheless, being one of the last nations to adopt EMV chip card issuance and acceptance has advantages. Payment professionals across the globe have gathered a great deal of data on the EMV migration process, and several trends have emerged. Most such trends emerged as each country transitioned to EMV and this provides a sound idea of what the United States can expect both while the country is shifting to EMV and after the technology has become the prevalent type of card issued and accepted here.
Given that a major selling point for EMV chip cards is that they cannot be duplicated easily the way mag stripe cards can be, it is not surprising that one trend seen from other EMV implementations was an immediate decrease in card-based fraud.
"In the EU when EMV protocols were introduced a decade ago, there was a marked and sustained drop in counterfeit and stolen card fraud," said Christoph Tutsch, founder and Chief Executive Officer of Munich, Germany-based ONPEX, the Online Payment Exchange. "The EMV security and encryption made cards virtually impossible to clone and the PIN is, of course, far more secure than the signature as a method of authentication."
However, when criminals encounter effective anti-fraud measures in one sphere, they migrate to less secure types of transactions elsewhere. According to Tutsch, fraudsters "didn't go away" after EMV cards were implemented in the United Kingdom; they focused on other avenues. "In the UK, card fraud figures were £479 million," he said. "Of [which] £331.5 million was for card-not-present fraud and, of this, £217.4 million was via e-commerce."
Signature versus PIN
Tutsch and others predict card-not-present (CNP) fraud in the United States will rise, as well. But card-based fraud might not be eliminated as rapidly here as in other countries due to a lack of continuity in U.S. authentication methods.
David Poole, Business Development Director of UK based myPINpad, a provider of multifactor authentication solutions for unsecured touchscreen devices such as mobile phones and tablets, said the United States "is not adopting Chip and PIN, as we have in Europe, but Chip and Choice." Thus a large number of U.S. merchants are requiring only signatures for chip card transactions, not PINs. And it is far easier to forge a signature than it is to steal a PIN.
Some analysts see this as an open door for fraudsters to attack merchant systems that use chip and signature for authentication. "While the encryption chip undoubtedly prevents cards being counterfeited so easily, signature, if checked at all, is still easy to fake," Poole said.
Debate is ongoing in the U.S. payments community about the merits of chip and signature versus chip and PIN. In a June 2015 blog post, Total System Services Inc. called the debate over the two authentication methods a "rivalry." And according to a recent article published in Nerd Wallet, chip and signature's popularity as an authentication method is "due to its low cost and ease of use."
Also, because e-commerce transactions are increasingly global in scope, observers expect a sharp rise in U.S. CNP fraud will have a strong impact worldwide. Don Bush, Vice President, Marketing of the software-as-a-service risk management platform Kount, said, "If the European experience of EMV is any guide, there will be not only a U.S. spike in CNP fraud, but also a global one. At a time when data breaches are becoming, sadly, more common, merchants will find themselves under attack, as never before. … Merchants, not just in the U.S., but globally, have to get ready to fight off these attacks."
Thus, the need for strong transaction authentication is pressing. "With the expected rise in e-commerce fraud, anticipated as a direct consequence of EMV adoption, the industry must take seriously the challenge of adopting global standards for authentication, both for face-to-face and online transactions," Poole said.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.