(This article originally appeared in Loss Prevention Magazine)
Fraud with credit cards decreased in the UK after the rollout of EMV. So what’s the problem here in the US?
Fraud and cyber security have never been more on the forefront of asset protection professionals’ list of things that keep them up at night than they are today. With the introduction of the EMV chip, we were hoping to get a little bit more sleep at night. However, the EMV isn’t exactly “new” technology; it’s decade old, and the bad guys already can defeat it. EMV was first developed in 1994 as a way to mitigate credit card fraud, but before we get too deep in the issue at hand, let’s start with some basics.
EMV Basics
EMV was originally implemented to try to solve fraud with credit cards and to better protect a customer in the omni-channel environment. EMV stands for Europay, MasterCard, and Visa. EMV cards are typically used in three ways for transactions: smart cards, chip and PIN, or chip and signature. An EMV chip and PIN card creates a unique code for each transaction and (ideally) requires the consumer to enter a personal identification number (PIN) associated with the card instead of relying on a signature. Chip-enabled cards store their information in an integrated circuit as opposed to the magnetic strip that was patented over fifty years ago in 1966. Hopefully, that fact sets the frame for you as to why our old pay methods were so easily pirated by bad actors. To comply with many stores’ legacy systems, the EMV-chipped cards are backward compatible to still use the magnetic strip.
Those who have updated their systems now have customers “dip” or place the card into a reader for a moment of time, and the information is accessed off of the integrated chip. The consumer is then prompted to either include their signature or put in a PIN—hence, chip and PIN or chip and signature. This is meant to alleviate some of the more basic methods of gathering card information like skimming.
The Challenges
Not many associates are familiar enough with your signature to verify that it is yours. The FBI released a survey that basically said EMV (chip and signature) was not going to solve the problem. The United States needs to deploy chip and PIN for EMV to reach its full effectiveness.
Research coming out of the UK shows that after the move to chip and PIN, counterfeit card fraud losses in the UK decreased almost two-thirds from 2005 to 2013. In that same time span, fraud losses from lost or stolen cards decreased over 40 percent. While the result is significant overall, fraud cases increased year over year in other channels.
However, the lessons learned in the UK may not be an accurate representation of how the EMV chip will behave in the US. More than half of all card fraud occurs in the United States. In 2015, the United States was responsible for 47 to 60 percent of the world’s card fraud, while only accounting for 24 to 30 percent of total worldwide card volume. To further obscure the issue, in 2005 there was no buy-online-pick-up-in-store, curbside-pickup, someday-deliver, or other omni-channel program the way they exist today—another reason the UK results probably won’t paint a clear picture.
The other problem is data breaches in the United States. There were about 1,093 data breaches in 2016, about a 40 percent increase from the year prior, according to the Identity Theft Resource Center. The breaches affected data records from the business sector (including retail), the healthcare/medical industry, and the education sector, among others. This is a problem: more info to the bad guys equals more counterfeit cards and IDs. In 2014, over 75 percent of reported data breaches worldwide were reported in North America. Forty-seven percent of fraudulent cross-border transactions on UK debit cards occurred in the United States in 2014. My point is the United States has and will continue to have more fraud than any other country.
In the Loss Prevention Research Council’s fraud working group, we cover EMV and many other topics related to fraud with credit cards. As with most topics, multiple heads are better than one, and it is exceptionally beneficial if those heads also happen to have decades of fraud experience.