Fraud Prevention Blog

EMV: Not All It's Cracked Up To Be

Posted by Stephanie Cho on Wed, Oct 05, 2016 @ 03:01 PM

October 1, 2016 was the first anniversary of EMV’s adoption by the United States. Businesses who have not yet adopted the EMV standard are exposed to the fraud liability shift imposed by the standard.


EMV Review

EMV, which stands for Europay, MasterCard, and Visa, is a payment card standard that, put simply, is the reason why so many payment cards these days have visible microchips that allows the cards to be inserted into a chip reader as opposed to being swiped through a magnetic strip reader. In order to use the new chip-enabled card, point-of-sales terminals need to be upgraded to accept card insertion as well as card swiping.

The purpose of EMV was to create a more secure method of card-present transactions. Massive data breaches, particularly data breaches concerning credit card information, are unnervingly common. With the EMV standard, credit card information lost in data breaches cannot be used to commit fraud, thanks to the heightened security capabilities provided by the microchip.

EMV is managed by a group of companies - collectively known as EMVCo - that equally control its standards. EMVCo’s members are: Visa, MasterCard, American Express, JCB, China UnionPay, and Discover. As you may have already surmised, the EMV standard affects the payment cards that are released by these six companies.

Businesses that did not upgrade their point-of-sales (POS) terminals to accept chip-enabled cards by the October 1, 2015 deadline were liable for any losses to fraud, as mentioned above.

“October marks the anniversary of the U.S. card networks’ fraud liability shift – the closest thing the payments industry had to a deadline. After that date, the party not adopting EMV was on the hook for fraud. This incentive proved insufficient to convince every issuer, merchant, and processor in the country to agree to the upgrade”

To learn more about the fraud liability shift and how it affects businesses, please check out our previous post (http://blog.fraudfighter.com/counterfeit-detection-id-verification/emv-the-fraud-liability-shift-what-it-means-for-your-business) that goes over it all in detail.

In this post, EMV and its effects since the year-old deadline will be discussed.


EMV Adoption Stats

According to a survey released last month by The Strawhecker Group, only 44% of merchants had point-of-sale terminals that had chip readers for chip cards. More unnervingly, only 29% of merchants had point-of-sale terminals that were actually able to conduct transactions via chip cards. This means that about 15% of merchants had point-of-sale terminals that were capable of accepting chip cards but weren’t set up to actually conduct chip card transactions.

The Frustration of Chip Cards
Who else relates to this?

There is a painfully obvious reason why merchants have been slow to adopt the EMV protocol, besides the addition of complications to their payment transactions systems: they’re not legally required to.

The implementation of EMV did not mean that payment card issuers had to provide the technology or the resources to merchants to become EMV-ready. In other words, EMV made in-person card payment transactions more secure, but did nothing to make sure that businesses were actually able to accept these transactions. To be clear, merchants need a point-of-sale terminal that has a chip-reader that has been set-up correctly to accept chip card transactions to be considered EMV-ready.

If a business doesn’t want to be liable for fraud, it has to make an investment into new point-of-sales technology using its own money. Such an investment doesn’t cost just money, however. It takes time – time to install the technology and time to train employees – to conduct an overhaul of the point-of-sales system.

“EMV adds a chip to plastic payment cards to thwart the counterfeiting methods that became so prevalent with older magstripe cards. EMV improves security only at the point of sale, and implementing it is not as simple as plugging in a new card reader.”

Upgrading a non-chip-reader point-of-sale system to a point-of-sale system with chip-readers isn’t as simple as replacing one machine for another. There’s actually a somewhat complicated, expensive vetting process that businesses need to go through to set up a valid EMV-ready system.

“[E]ach POs system – not just each terminal but the bank-end systems – must go through a testing and certification process before the EMV terminal can be activated. First, procrastinating merchants found themselves waiting in a long queue just to buy the terminals from backstocked suppliers, and now they find themselves in a long queue to get their certification processed.”

And so, businesses have a choice to make: to make the costly and time-consuming investment of upgrading their point-of-sales terminals or to roll the dice and hope that no one tries to conduct fraudulent transactions.

“To be sure, merchants are not required to install chip-card readers, nor are card issuers mandated to put to put chips in their cards. For a lot of companies, holding out has been a calculated risk as merchants have weighed the cost of implementing the readers against the odds they’ll be victimized by fraudsters.”

And according to the stats, businesses have chosen to roll the dice because the costs of upgrading their point-of-sale terminals are just too enormous of a burden to bear, especially for small businesses.

Top EMV hurdles:
• Processor Readiness (47%)
• Replacement POS Terminal Readiness (47%)
• Gateway Readiness (45%)

It is expected that just 62% of merchants will be able to accept chip cards as payment by March 2017. Having an adoption rate by more than 90% of merchants is predicted to take much, much longer.

“Even the most ambitious pro-EMV merchant may run into bottlenecks with getting approved. Some companies are offering a faster certification option – but for a price.”

Although it seems as though merchants who are not upgrading their point-of-sale terminals are doing themselves a disservice by exposing themselves to fraud liability, they might actually be saving themselves a massive headache by waiting to see if EMV is really the future of payment technology.

“When we have more than a year of chip cards in our rear-view mirror and are able to see any economic consequences, it’ll be interesting to see whether avoiding scammers was actually worth it in the long run.”

Of course EMV technology has the ability to minimize card fraud, but that does not mean it’s not immune to loopholes or failures. There have already been incidences where researchers found gaps in EMV technology that could potentially be exploited by criminals. And once those gaps are successfully found and taken advantage of by criminals, a new payment technology protocol is sure to emerge and be implemented.


EMV Issues

Unsurprisingly, there is already evidence that chip payment cards and chip-reader point-of-sales systems have weaknesses that can be exploited by criminals.

Two years ago, researchers at the University of Cambridge published a paper that revealed communications between EMV-compliant terminals and banks can be tampered with. Even more unsettling, the paper revealed that this was noticed at terminals that were already in use – that this was not something researchers discovered while tinkering with chip-reader terminals.

Another potential security issue with EMV is the fact that its technology inherently rests on the ability of the chip to generate random transaction numbers – which is what gives EMV technology its edge over traditional payment card technology. It may not be a well-known fact but no machine on Earth has the ability to generate truly random numbers. Any ‘random’ number generated by a machine is birthed from an algorithm that has been crafted to be as random as possible; but still, at the base, the ‘random’ number still rests on an algorithm.

The second a criminal can figure out this algorithm – or get his/her hands on the algorithm – the security provided by EMV technology is useless. The same types of fraud that was prevalent with non-chip card payments will once again be in play.

One of the biggest issues about EMV, other than the potential gaps in security, is the fact that transactions take a noticeably longer time to process than with traditional non-chip-card transactions.

On average, it takes about 20 more seconds to process a chip-reader transaction than it does to process a card-swipe transaction. Although 20 seconds does not seem like much, over time, even just an hour, the cost of time begins to add up.

The Frustration of Chip Cards
What 20 extra seconds feels like to customers

Take, for example, a business that processes 100 transactions per hour - which amounts to 36 seconds per transaction. Adding 20 seconds to each transaction means that it would take roughly 34 additional minutes to conduct those 100 transactions. By the end of an 8-hour long business day, in this particular scenario, you would lose the ability to process ~33% of the total amount of transactions (800 total transactions with no chip cards vs. about 512 total transactions with chip cards) you would have been able to process before the implementation of EMV technology.

These 20 extra seconds is long enough that many retailers decided to hold off on upgrading their point-of-sale terminals last year until the holiday season was over, for the convenience of their customers.

“In fact, USA Today pointed to a consumer survey that found that the new payment system will result in 71% people going online for their 2016 holiday shopping”

Even after the holidays, businesses were slow to upgrade their systems; the EMV adoption rate in 2016 is lower than the EMV adoption rate in 2015:

“EMV merchant adoption has slowed down a bit, at least comparatively speaking to our last EMV survey results in January 2016. EMV terminal vendor supply and delays in the terminal activation/certification process are the bottlenecks in the migration”
–Jared Drieling, Business Intelligence Manager at The Strawhecker Group

As long as EMV technology forces businesses to weigh potential fraud incidences against customer experience and satisfaction, businesses will be reluctant to embrace any technology that causes friction for their customers at the point-of-purchase.

Even the creator of the chip-reader technology used by EMV admits the system is quite cumbersome:


Future EMV Deadlines

The EMV deadline for merchants has already come and gone – October 1, 2015. If you’re a merchant and become EMV-compliant, you’re on the hook for any fraudulent transactions; the card-issuing company will not reimburse you for those losses.

Currently there are two types of transactions that haven’t been placed under an EMV deadline yet: gas pump transactions and ATM transactions. These two types of transactions have EMV deadlines coming up next year. The upcoming EMV deadlines are listed below. It should be noted that Mastercard placed its EMV deadline for ATMs at October 1, 2016.

Gas Pumps
American Express: October 1, 2017
Discover: October 1, 2017
MasterCard: October 1, 2017
Visa: October 1, 2017

ATMs
MasterCard: October 1, 2016
Visa: October 1, 2017

Merchants who do not want to put in the significant time and money that it would take to fully upgrade their POS systems to be EMV-compliant but also want to prevent the liability for the fraud that has been shifted onto them should consider incorporating counterfeit detectors. Counterfeit detectors take virtually no time to set up, do not require much more than five minutes of training to use, and is able to seamlessly integrate with your existing POS system.

Learn more about why counterfeit detectors are a viable alternative to a complete upgrade of your existing POS system by clicking here

Topics: credit card fraud, fraud liability shift, emv, credit card, chip card

Discussions