In October 2015, the long-awaited “liability shift” from payment card issuers to merchants took effect in the U.S., which for years had been one of the last strongholds of magnetic stripe-only cards. This change meant that merchants without EMV technology built into their point-of-sale terminals became liable for fraud. In other words, whichever party in a given transaction had implemented the more secure technology would prevail in a chargeback scenario.
EMV: Important Milestones and Changes to Fraud Trends
It has not yet been a year since the shift occurred, and the EMV rollout has been steady yet uneven across the country:
- Most new cards issued in the U.S. now contain embedded EMV chips. While an August 2015 AP-GfK poll indicated that only 10 percent of Americans had received such a card at that time, the Ingenico Group found that 60 percent of these individuals possessed one by the following October.
- Close to 90 percent of American Express cards had EMV chips in them as of February 2016, according to the CardFlight EMV Migration Tracker. However, some issuers were still below 50 percent.
- Arizona, California and Florida have led the way in EMV issuance, while Maine, Mississippi and Utah have straggled behind. There is also tremendous variance across industries: Nearly 80 percent of cards used at supermarkets are EMV, but that percentage falls to 39 percent at fast food restaurants.
One of the most substantial effects of the EMV rollout has been the impact on card-present versus card-not-present (CNP) fraud. EMV chips make many classic types of card data theft, such as skimming and point-of-sale malware, impractical, which is crucial considering that many of the biggest breaches were related to magnetic-stripe exploits. That being said, attackers are now channeling their energies toward online fraud, since e-commerce is still a weak spot for many merchants.
“With the introduction of [EMV] cards, card skimming attacks have become significantly harder for cybercriminals to carry out, particularly in-store,” explained the 2015 Entrust Datacard document “Securepay Compliance Guide.” “However … the switch to EMV cards will cause merchants to implement fraud resistant chip point-of-sale devices in their brick and mortar stores, leaving them open to online attacks and liable (as well as the banks that fund their store cards) for losses resulting in fraudulent use.”
It is important to note that in the near term, the EMV shift could also increase POS fraud in tandem with e-commerce fraud, as cybercriminals rush to cash in before the magnetic stripe window closes. An iovation/Aite Group study estimated that $10 billion in fraud would occur between 2016 and 2020 as stockpiles of stolen cards are used up. This would echo the 79 percent jump that the U.K. saw in the first three years of its EMV migration a decade ago.
Using Identity-Based Security to Safeguard E-Commerce and Digital Banking
In the years ahead, both e-commerce and digital banking operations will feel the pressure from rising levels of CNP fraud initiated by the EMV shift. The paramount goal for vendors and banks will be to secure their users’ identities to prevent data breaches. The bulk of all such incidents start with a weak or stolen login credential, such as a password; the 2016 Data Breach Investigations Report from Verizon pegged the share at 63 percent.
Fortunately, there are now numerous options that can help establish trusted identities even as more transactions move to the cloud and across multiple computing devices:
- Authentication can go beyond vulnerable password-oriented systems and hardware tokens, and also be set up to allow for streamlined access to authorized users via secure mobile device-enabled solutions and managed public key infrastructure.
- For example, NFC and Bluetooth capabilities on mobile devices can turn them into mobile smart credentials that serve a variety of purposes, including digitally signing transactions, encrypting data and accessing workstations.
- These are just two examples among many. Authentication can ultimately be extended across physical, logical, mobile and cloud domains. These possibilities allow merchants and banks to be flexible and respond properly to risk and context.
Establishing trusted identities will be as important as ever in the coming years as merchants and banks attempt to keep threats at bay. How each firm approaches risk-based authentication will depend on its particular requirements, but it is crucial that security teams start thinking today about what they can do to ensure trusted identities as the EMV shift pushes more fraud into the online realm.