The deadline for US merchants to make the switch to EMV (chip and pin) payment technology to avoid being liable for customer credit card fraud has come and gone. As we head into the holiday season, and with Black Friday and Cyber Monday only a few weeks away, how has the transition gone and what does EMV mean for consumers in the short term?
As we discussed in early October, merchants on the whole were not ready for the change over. The reasons are varied: smaller retailers are not keen on the cost to upgrade terminals, some aren’t aware of the liability shift, and others have decided (for now) to not accept credit card transactions. Customers, too, are confused, many not aware of the change or why it’s happening, while others, nearly 40%, have yet to receive their new EMV cards.
In the midst of all this confusion, the FBI released a warning that while EMV cards are more secure than traditional magnetic stripe payment cards, there isn’t a single method that protects against all fraud. An EMV card used in a non-EMV card reader is still exposed to potential skimming and a stolen EMV card can still be used without the PIN number in places where they are not required, like online shopping. Vigilance, both when using the new EMV cards and when reviewing credit and debit card statements, is their recommended strategy.
As important as vigilance is, this after-the-fact review is chiefly a check to see if fraud has already occurred. Fraud prevention remains a multi-pronged approach. Switching to EMV is an important step, but must not be the only precaution. And the FBI isn’t the only one warning customers and business not to grow lax with the implementation of EMV. At an interview at Information Security Group’s 2015 Fraud Summit, Edwardo Perez, Vice President of Payment Risk for VISA, reminded attendees that EMV does not prevent fraud but only closes one door to it. He further went on to stress how important it was for companies to continue ensuring PCI-DCC compliance, calling it “good security hygiene” to commit to protecting and encrypting data entrusted to them and making it harder to steal.
While other countries have seen dramatic decreases in fraud from counterfeit credit cards after switching to EMV, there was a corresponding rise in account take over and fraudulent account creation. This is a typical pattern in fighting cybercrime – when one avenue is closed, focus shifts to the next easiest fraud scheme. Basically, if you lock the front door, thieves will try the window. The risk is that with uneven adoption of EMV and poor or inconsistent customer and merchant awareness of the new technology, fraudsters will exploit the gaps and may target merchants that had up until now been passed over as too small a return.
Reviewing statements, improving card technologies, and due diligence when caring for the sensitive data of customers are all parts of the larger strategy – but they are defensive measures. So long as there is an incentive for criminals to seek out and steal financial and personal information to leverage for fraud, they will, turning this into an endless arms race. It’s time to move beyond defensive, reactive measures by changing the way we authenticate users by not using something that be stolen but that is both integral and inviolate to the user – behavioral biometrics.