Scott Laliberte, Managing Director
Leader, Protiviti’s Vulnerability Assessment and Penetration Testing practice
Chip in or shell out. That was the message from major credit card companies to U.S. merchants. Three years ago, card companies gave retailers until October 1, 2015, to install point-of-sale terminals capable of reading next-generation credit cards embedded with security chips. At that point, retailers without chip readers will be liable for purchases made with a magnetic stripe card, as well as for purchases in which a chip card was processed as a magnetic stripe card.
The deadline is fast approaching and, according to published accounts, only about one in four retailers has complied.
Over the past several months, Visa, MasterCard, American Express and others have replaced magnetic stripe cards in the United States with “EMV” versions, named for the three main owners of the chip technology: Europay, MasterCard and Visa. Chip cards are already the standard in Europe and other parts of the world, where they have proven to be far more expensive and difficult to counterfeit than magnetic stripe cards.
Card companies say the change is needed because while just over a quarter of the world’s credit card transactions originate in the United States, the U.S. accounts for almost half of the world’s fraudulent transactions – a disparity many attribute to obsolete technology.
The change is being touted as the dawn of a new era in credit card fraud prevention. However, there are doubts it will make a significant difference.
For one thing, EMV security only addresses the issue of counterfeit cards, which account for around 10 to 15 percent of credit card fraud in the United States. The bigger problem, by far, is first-person fraud – cardholders refusing to pay what they rightfully owe, which accounts for roughly half of all fraudulent transactions.
EMV also fails to address another significant source of credit card fraud: lost or stolen cards. Other countries have addressed this by pairing the counterfeit protection of EMV with the user-verification protection of a PIN. U.S. card issuers, reasoning that Americans would balk at being asked to do two new things, split the difference, opting for chip-and-signature instead of the more secure chip-and-PIN.
Finally, it will have no effect on the third and fastest-growing type of card fraud – online and phone transactions, where the merchant never sees a physical card. By all accounts, card-not-present fraud has been rising exponentially as other fraud avenues become limited.
There is no mistaking that EMV is a positive step. It’s high time the United States joined the rest of the world. Yet some retailers may be reluctant to invest in what amounts to a stop-gap solution with limited protection.
Yes, under the new rules, retailers will be liable for fraudulent card purchases, but given the credit limits on most cards and the need for a fraudster to be physically present, the actual exposure is going to be relatively small – so small that it may not justify the investment in new point-of-sale technology.
Of note, we expect there may be an initial run of fraudulent activity immediately after the deadline, which will likely tail off over time.
Credit card security is a moving target. Fraudsters are resourceful and persistent, which means there is no single magic bullet that will fix this problem. Merchants and card companies both need to be constantly vigilant and use a layered security approach that combines data encryption with user verification and behavioral analytics that screen every transaction against prior purchases to flag aberrant activity.
Like it or not, that’s the price of playing the game.