Nearly a year after the EMV liability shift in the U.S.—a move specifically engineered to incent retailers to install EMV-compliant POS systems in their stores—only 44% of merchants are equipped with the new terminals, according to a new report from The Strawhecker Group. Furthermore, not all of those merchants that have installed EMV-enabled systems are using them. Only 29% of U.S. merchants can actually accept chip cards, the report said, with terminal certification delays the main culprit.
Despite fewer U.S. merchants accepting chip transactions a year into the transition to EMV than predicted, however, the effects experts predicted have largely come true. Studies over the past few months have consistently shown that counterfeit fraud at the physical point of sale is dropping, while card-not-present fraud is surging.
Lisa Baergen, director at NuData Security:
“In October 2015, the U.S. began complying with the mandated shift to EMV credit and debit chip cards. The U.S. market had the advantage of being able to learn from its European counterparts who had made the shift years earlier. The implementation has been a long and difficult process, particularly for merchants, where the cost to implement is relatively high, and the perceived value was just not there. While the deadline for the U.S switch was October 2015, not all merchants have upgraded – only about 40% of merchants have completed EMV implementation. Furthermore, these new EMV cards are still compatible with old systems, which put them at the same risk for fraud as they were before the switch.
Compounding the problem, some issuers are deciding to phase in PIN compliance, as it was not part of the October 2015 deadline. Without the PIN, these EMV cards require the far less secure signature to authorise the transaction, stripping the card of its two-factor authentication protection.
A period of overlap will continue, with the increases in account takeover, fraudulent account creation and traditional credit card theft this report highlights. This scenario provides even more reason for organisations to switch from traditional fraud detection methods to behavioural analytics and passive biometrics to detect and protect good users and reveal and block bad actors.
If you truly know the human behind the device, you can finally focus your efforts: protect legitimate accounts, provide streamlined experiences for customers you trust, and block actual fraudsters completely without customer friction.”
Smrithi Konanur, global product manager at HPE Data Security – Payments, Web and Mobile:
“The fact that card-not-present fraud in the U.S is surging is no surprise. Earlier EMV adoption in other regions, such as Europe and Canada, have experienced the same shift to fraudulent card-not-present transactions. EMV makes it much harder and more expensive to replicate a physical credit card, but if fraudsters can steal card holder data, it is much easier to do online transactions, where EMV does not come into play. In order to mitigate card-not-present fraud, businesses should implement security strategies that include additional authentication like 3D-secure, end-to-end encryption, and tokenization. These technologies provide the layered protection that plugs various gaps in the payments transaction data flow. Data-centric technologies like format-preserving encryption provides the security solutions for businesses which are effective, optimal, scalable, and flexible to keep card holder data safe from hackers in case of a breach or attempted theft of data.
However, for card-present transactions, EMV provides no protection for the transmission of sensitive payment information to the acquiring bank. After the EMV card validation process, the cardholder data must be delivered safely to the payment processor. By default, EMV does not provide ANY protections of data in transit to the processor. Criminals use POS malware, memory scrapers and other covert technologies to capture all of the payments data they need from unsuspecting retailers, despite the use of EMV, and then can use the stolen data for card-not-present transactions. When such data breaches occur, retailers pay a hefty toll in the form of lost revenue, fines and penalties, executive job loss and even board-level lawsuits, as well as loss of consumer confidence and customers.”