Large banks and card issuers are ready for the U.S. shift to chip-and-PIN technology, according to a report issued Wednesday. But the drop in fraud that is expected to result is unlikely to come any time soon.
The use of EMV-style chip cards is supposed to make retailers like Target less appealing targets for hackers because they will be storing less card data. However, the way the U.S. is implementing EMV leaves plenty of room for the continued use of fake cards. And there is a plethora of ways hackers can use stolen card information without using a physical card.
“EMV’s impact on fraud in 2015 could be pretty much a toss-up,” said Steve Mott, CEO of BetterBuyDesign, a consultancy based in Stamford, Conn.
According to a study released Wednesday by CardHub, all 10 of the largest credit card issuers are in the process of issuing chip-based credit and debit cards and expect the majority of their portfolios to be updated by the end of 2015. All the major banks are issuing chip-and-signature cards, with 40% also supporting PIN capabilities. About 65% of retailers plan to accept chip-and-PIN cards as well.
This means the major banks are in good shape to handle the October 2015 “liability shift” deadlines Visa, MasterCard and Discover have set to encourage U.S. issuers and merchants to migrate from magnetic stripe cards to EMV.
“Right now, issuers incur the cost of card-present counterfeit fraud in stores,” said Martin Ferenczi, president for North America at Oberthur Technologies, a manufacturer of chip cards. “After October 2015, the institution with the lesser technology will be liable for fraudulent charges.”
The CardHub study also shows that the major card issuers are all putting magnetic stripes on their chip cards. This provides convenience all around — the new cards consumers get in the mail will be usable on older point-of-sale terminals that are not yet EMV-ready as well as new devices. It also waters down the security promised by EMV.
As long as there are dual or hybrid payment terminals and ATMs that accept magnetic stripe cards, hackers will be able to use fake cards created with stolen credit and debit card data.
“Visa is projecting 29% of POS transactions to be chip-on-chip, but everyone I know believes the right number is more like 5% or less,” Mott said. “If it’s wildly successful, EMV chip-on-chip volume might hit a running rate of 10% by year-end, but only at the 200 top retailers.”
Mott expects merchants probably will have 30% to 40% of locations equipped with EMV-ready terminals by year end, but most of them will not have the software installed and certified to make them work.
“Many will choose to turn them off until they can figure out how to get around the user ‘gotchas,’ such as leaving cards in the dip slots and not dipping them long enough,” he said.
In some near-term scenarios, Mott said, EMV could actually increase fraud. For instance, EMV credentials sent “in the clear,” or unencrypted, could be intercepted and used online on websites that don’t require security codes.
Eventually, as the U.S. gradually shifts to EMV-only mode, fraudsters’ ability to use fake credit and debit cards on physical machines (this is also known as “card present” fraud) will fade, as it has in other countries like the U.K. and Canada. They will then take their stolen card data and inclination toward thievery elsewhere.
EMV stands for Europay, MasterCard and Visa, a standard for chip-and-PIN cards that are considered far more secure than the magnetic stripe cards we use in the U.S. today. Card credentials will be tokenized, such that retailers will not receive the actual card number, but a temporary token generated by a card network. Hackers who break into a retailer’s network the way thieves compromised Target more than a year ago would find a stash of useless numbers. On top of that, EMV chip credit and debit cards are almost impossible to duplicate, which means counterfeit card fraud should decrease.
Many industry observers expect the migration to EMV will increase fraud in all the places where credit cards are used but not physically presented, such as on shopping websites, over the phone, over the mail, and over fax machines. This is called card-not-present fraud. Some experts include mobile app payments, such as Uber and Apple Pay transactions, in this category. Card-not-present fraud already accounted for 45% of U.S. card fraud in 2014, according to Aite Group.
When the U.K. shifted to EMV cards, counterfeit card fraud fell 56%, according to Aite, but card-not-present fraud rose 79% in the first three years after the country switched to chip cards. It more than doubled in Australia and Canada.
“The experience in the U.K. is very indicative of what we’ll see here,” said Joram Borenstein, vice president of marketing at Nice Actimize, a provider of fraud analytics. “Understanding how card-not-present fraud is likely to spike, we need to retrain fraud investigators.”