Fraud and cyber security have never been more on the forefront of asset protection professionals’ list of things that keep them up at night than they are today. With the introduction of the EMV chip, we were hoping to get a little bit more sleep at night. However, the EMV isn’t exactly “new” technology; it’s decade old, and the bad guys already can defeat it. EMV was first developed in 1994 as a way to mitigate credit card fraud, but before we get too deep in the issue at hand, let’s start with some basics.
EMV was originally implemented to try to solve fraud and to better protect a customer in the omni-channel environment. EMV stands for Europay, MasterCard, and Visa. EMV cards are typically used in three ways for transactions: smart cards, chip and PIN, or chip and signature. An EMV chip and PIN card creates a unique code for each transaction and (ideally) requires the consumer to enter a PIN (personal identification number) associated with the card instead of relying on a signature. Chip-enabled cards store their information in an integrated circuit as opposed to the magnetic strip that was patented over fifty years ago in 1966. Hopefully that fact sets the frame for you as to why our old pay methods were so easily pirated by bad actors. To comply with many stores’ legacy systems, the EMV-chipped cards are backward compatible to still use the magnetic strip.
Those who have updated their systems now have customers “dip” or place the card into a reader for a moment of time, and the information is accessed off of the integrated chip. The consumer is then prompted to either include their signature or put in a PIN—hence, chip and PIN or chip and signature. This is meant to alleviate some of the more basic methods of gathering card information like skimming.
Not many associates are familiar enough with your signature to verify that it is yours. Thus, the FBI recently released a survey that basically said EMV (chip and signature) was not going to solve the problem. The US needs to deploy chip and PIN for EMV to reach its full effectiveness.
Research coming out of the UK shows that after the move to chip and PIN, counterfeit card fraud losses in the UK decreased almost two-thirds from 2005 to 2013. In that same time span, fraud losses from lost or stolen cards decreased over 40 percent. While the result is significant overall, fraud increased year over year in other channels.
However, the lessons learned in the UK may not be an accurate representation of how the EMV chip will behave in the US. More than half of all card fraud occurs in the United States. In 2015, the US was responsible for 47 to 60 percent of the world’s card fraud, while only accounting for 24 to 30 percent of total worldwide card volume. To further obscure the issue, in 2005 there was no buy-online-pick-up-in-store, curbside-pickup, someday-deliver, or other omni-channel program the way they exist today—another reason the UK results probably won’t paint a clear picture.
The other problem is data breaches in the United States. There were more than 1,500 data breaches in 2014, about a 46 percent increase from the year prior affecting more than one billion data records. Both retail and financial services account for about 20 percent of the breaches, almost evenly split. This is a problem: more info to the bad guys equals more counterfeit cards and IDs. In 2014 over 75 percent of reported data breaches worldwide were reported in North America. Forty-seven percent of fraudulent cross-border transactions on UK debit cards occurred in the US in 2014. My point is the United States has and will continue to have more fraud than any other country.
Remember that part earlier where I mentioned that the bad guys can already defeat it? Well there’s good news and bad news. The good news is that not every bad guy who had tools to get information off magnetic strips can do the same with the EMV chip. The bad news is that organized crime rings adjusted their tactics and found ways to skim and capture the information from the chip, including the PIN number for a chip card. This should be a subtle reminder that different pins for different cards are the safest way to manage multiple payment options as a customer. Since the organized rings have devised these methods, the UK’s lost or stolen and counterfeit fraud has increased over the past few years.
So now what? Let’s review some of the challenges with rolling out EMV. The learning curve is steep. Some retailers have great messaging and loud beeps, while others don’t. The amount of time a card needs to be dipped may feel different to a consumer. With anything else new to the retail environment that affects customers, your associate population needs to understand how to explain the new technologies to the shopper. Unlike other payment standards, everyone is not in the same place, so it is harder to get everyone on the same page. Not all banks are up to date, and they are issuing cards at different times. These are all things that had to be considered when rolling out EMV.
In the Loss Prevention Research Council’s fraud working group, we cover EMV and many other topics related to fraud. As with most topics, multiple heads are better than one, and it is exceptionally beneficial if those heads also happen to have decades of fraud experience.