What The Status Of EMV And Payment Fraud Probably Will Be On October 2
There are about three months until the liability for fraudulent payment card transactions will shift from issuing banks to the party with technology least compliant with EMV. As an IT solutions provider working with merchants, you are probably helping your clients transition to the new technology or maybe, still, even just explaining what it is. EMV payment technology uses chip cards that create a unique transaction code, hindering criminals from duplicating payment cards from stolen data. You are probably aware there is a lot of misinformation circulating that could be contributing to some confusion regarding EMV.
Seth Ruden, senior fraud consultant at ACI Worldwide, a global banking and payments systems company working with 300 of the world’s largest retailers, offers some predictions and practical advice regarding the EMV transition in the U.S. that you can share with your clients and prospects to help them make informed decisions.
First, there won’t be a massive shift to EMV on October 1. Ruden says the outlook is for 30 to 40 percent of tier 1 retailers to have solid EMV structures in place by that date. For the other 60 to 70 percent? He says tier 1 retailers understand the liability shift. If they accept a fraudulent payment card, they will be responsible for that amount. But, says Ruden, they have weighed options and aren’t ready to transition now. “They’re willing to eat the liability and wait to get what they want,” he comments.
Once merchants begin to accept EMV payments, criminals won’t be able to use fraudulent cards at those locations. Keep in mind, card fraud is big business — estimated to total $10 billion in the U.S. this year — so, if criminals can’t use fraudulent cards in locations that accept EMV payments, then where will they go?
Ruden says any merchant accepting only mag stripe payments and that has liquid products that can be resold— such as gift cards and electronics —will be at risk for card fraud. If criminals obtain payment card information and duplicate cards, they will still be able to commit fraud at these merchants’ locations — and after the liability shift, these merchants will be responsible for the charges.
“Something that is not pointed out,” adds Ruden, “is that merchants who transition to EMV will be less susceptible to hackers.” Merchants who continue to accept only mag stripe cards will have a greater likelihood that their environments will be probed to see if there are data skimming opportunities. “Going to EMV is one of the best things they can do for their businesses,” he comments.
Will e-commerce become a new target? Ruden, who says it is unlikely, explains, “Just because we shut down one avenue, it’s not like a balloon animal and it gets pushed to another area.” Ruden says fraud is easier to shift within a channel than between channels. “A guy who walks into a store with a fraudulent card can’t necessarily commit fraud online.”
E-commerce fraud is not as simple as typing in payment card numbers. Some e-commerce sites — and the payment processors they work with — require a CVV2 number, the three- or four-digit code printed on the card, to authenticate the transaction, and others authenticate with different information.As for the often-cited statistic that e-commerce fraud spiked in the U.K. after the transition to EMV, Ruden says other factors could have contributed to that increase — including a greater number of merchants who brought products to the virtual market at that time, some without strong security. He says the shift to EMV alone didn’t “redirect” fraud. Based on his experience of more than a decade in the payments space, Ruden predicts, “[E-commerce fraud] is not going to be as elevated as some people who have agendas are saying it will be.”
Ruden also offers some basic security tips for your merchant clients. First, keep networks segmented. If payment is separate from the rest of the network, it prohibits malware being delivered by email from infecting the point of sale (POS) system. He also reminds your merchant clients that if they choose to use POS-as-a-Service or third-party tools that include remote access, they need to identify all accounts and change all passwords from default.