For retailers that do not yet accept EMV cards — credit and debit cards with chips embedded in them — a spine-tingling deadline arrived last week. Liability for any payment fraud that results from acceptance of old-school plastic shifted to them.
The magnetic chips in EMV (Europay, MasterCard and Visa) cards will reduce in-store payment fraud, which affected 62 percent of companies, according to the 2015 Payments Fraud and Control Survey report from the Association of Financial Professionals, or AFP.
Ninety-two percent of the survey respondents believed EMV-enabled credit and debit cards would help reduce point-of-sale fraud.
EMV cards “are safer for two reasons — they make the physical card harder to counterfeit, and instead of sending all your credit card information to a merchant when you buy something, they send a unique code that a hacker can’t use if they find it,” said Matt Schulz, senior analyst at CreditCards.com.
The code won’t work if a hacker tries to use it to make a fraudulent purchase later, he told the E-Commerce Times. “It’s like stealing an expired password.”
EMV cards also make mobile payments processing safer, Shulz added.
How EMV Cards Work
EMV is an open standard set of specs for smart card payments and acceptance devices.
An EMV card contains an embedded microprocessor that secures payment transactions in three areas: card authentication, cardholder verification and transaction authorization.
EMV cards are personalized using issuer-specific keys.
EMV transactions create unique transaction data. Transaction authorization uses issuer-defined rules and works both online or offline.
Sauntering to Safety
Only 40 percent of MasterCards in the United States have EMV chips embedded, and just 26 percent of national and regional stores and restaurants with multiple locations have begun accepting such cards, according to MasterCard.
The outlook for the industry as a whole isn’t good. Only 36 percent of U.S. credit card holders have a chip-enabled card, CreditCards.com found.
The eight US. Institutions making up the Payments Security Task Force, which represent about 50 percent of U.S. payment card volume, in June reported that only 30 percent of their credit and debit cards contained EMV chips.
The slow pace is the fault of card issuers, which “have prioritized their richest customers,” CreditCard.com’s Shulz remarked. “Those with an annual income of over $75,000 are more than twice as likely to have an EMV card.”
Who’s Gonna Pay?
To date, financial institutions and merchants have borne the cost of card fraud, but as of last Thursday, only retailers will be liable if they haven’t installed EMV readers, or if they have installed them but aren’t using them.
“If the merchant has installed the reader and has turned on the chip capability, the terminal will reject a transaction if a customer swipes a chip-enabled card,” Visa spokesperson Jennifer Morris told the E-Commerce Times.
However, some customers won’t use the EMV terminal even when it’s there, noted John Gunn, vice president at Vasco Data Security.
That will change over time.
“Because EMV cards are nearly impossible to counterfeit, banks will prefer these as a means of verifying an identity over a state-issued driver’s license, which is easier to fake,” Gunn told the E-Commerce Times. “Magnetic strip card readers will eventually go away.”
New Avenues for Fraud
Card fraudsters will change their tactics to get around the security restrictions of EMV cards, Gunn predicted.
“Hackers will come in with counterfeit EMV cards where they will disable the EMV chip and tell the merchant they don’t know how the card got damaged,” he hypothesized. “They’ll ask the merchant to process the card using the magnetic stripe, which will still be on the new cards that are being issued.”
EMV cards will reduce fraud in stores, but that could spark an increase in fraud in other areas. Gas stations don’t have to upgrade to accept EMV cards until 2017, CreditCard.com’s Shulz pointed out, and the chips won’t have any effect on online transaction security.