For as long as currency has existed, resourceful people have tried to find ways to profit by forging it. Soon after the introduction of the first coins in Greece around 600 B.C., the first counterfeiters went to work. Counterfeit coins were made by shaving enough metal off of a real coin to coat a cheap fake with genuine gold or silver; with one real coin, they could make several real-on-the-outside-fake-on-the-inside coins.
Today, payment behavior has shifted as more people use payment cards (debit cards and credit cards). Not surprisingly, then, counterfeiters have shifted their illicit skills to the counterfeiting of payment cards. In fact, "[p]ayment card fraud cost the US $7.9 billion last year alone, an increase of almost 60% from five years earlier."
To battle the rising cost of credit card fraud, payment card companies have come together to formulate a protocol known as "EMV". The new protocol is designed to make card transactions more secure. Although EMV will surely help reduce payment card fraud, it was only a matter of time before criminals took advantage of the gaps in the EMV protocol – we use the past-tense "was" because the EMV system has already been hacked.
In case you do not know much about EMV, here is a brief overview. EMV is the standard by which virtually all payment cards function. As mentioned above, the purpose of EMV is to make payment cards more secure. Technically speaking, EMV dictates the information that needs to be included on a payment card, the physical dimensions of a payment card, and so on.
On October 1, 2015, the EMV protocol rules went into effect in the United States. To be EMV-compliant after this date, merchants needed to upgrade all their point-of-sale terminals to accept payment cards with integrated microcircuits (“chips”) in them. Chipped cards, in contrast to the traditional magnetic stripe cards, have a microchip embedded in the card that provides a unique code for each transaction in order to provide more security. For more in-depth information on EMV, please read this previous post.
If you didn’t upgrade your point-of-sale terminals to be EMV-compliant by the October 1st deadline, you’re not alone. In fact, you’re in the majority:
"Just 29 percent of small-business owners surveyed by Wells Fargo several months ago said they would have chip-card systems in place by October. Those who put off the upgrade said they didn't believe the threat of fraud to be serious enough to justify the time and expense of upgrading during the holidays. Others said they would like to accept chip cards but have had technical problems with the new system or are still waiting to receive one from their credit card processing company."
- Pittsburgh Tribune-Review
In short, the costs, time, and overall headache of upgrading all POS terminals are just not quite worth it for most small businesses. Take Susan Sunderland, the Vice President of Operations for James & Sons Fine Jewelers in Orland Park, Illinois, for example. She estimates that it’ll cost her about $1,200 to update her 7 POS units, and that isn’t even accounting for the time it’ll take to train all her employees who work at the three-store chain.
"Many small businesses, including James & Sons, aren’t convinced the money they're spending on upgrades is worth the trouble. 'We’re vulnerable to credit card fraud because we’re in the luxury business,' says Sunderland. 'So we’re obviously going to make the switch soon, in the next week or two. But I’d like to know what really changes with the new card readers,' she added, pointing out that card issuers have always tried to shift liability to merchants in cases of fraud."
- International Business Times
The EMV compliance deadline is so important because of the fraud liability shift. The fraud liability shift is exactly what it sounds like: a shift in the financial liabilities of fraud from the payment card issuer to the merchant. To be precise, the fraud liability shift comes into play “[w]hen a merchant accepts a magnetic stripe card that was counterfeited with track data copied from an EMV chip card, and the card is subsequently swiped at a POS device/application that is not EMV chip-enabled, and the transaction is successfully processed”, leaving the merchant to absorb the costs of the loss.
"The liability shift mark[s] the first time merchants potentially could be stuck paying chargebacks, a process that banks previously handled."
- David Heun, Associate Editor at Payments Source
Financial liability for fraud will slowly but surely be a growing problem for merchants, not only because they will be unable to recoup losses from products sold or services rendered but also because they will be financially responsible for reimbursing the real payment card owner for the fraudulent transactions made at their business. In other words: If you are a merchant who has not upgraded yet, you will be financially liable if someone comes into your store and makes a purchase with a counterfeit debit or credit card.
Before the implementation of the EMV protocol, chargebacks described situations in which a customer paid for a product/service and subsequently contacted their bank – instead of contacting the business – to reverse a charge on their payment card because they were not satisfied with a product or service.
Essentially, a chargeback occurred when a customer felt that they ‘didn’t get what they paid for’. If the bank felt the customer was in the right, funds would be pulled from the merchant’s account and placed in the customer’s account, and a chargeback fee would be issued to the merchant. If the bank felt the customer was in the wrong, no exchange of funds between accounts would take place, but, depending on the bank, a chargeback fee might still be issued against the merchant. Either way, a chargeback resulted in at least a fee against the merchant.
In the event of a fraudulent payment card transaction, a chargeback would not occur and the issuer – not the merchant – was responsible for reimbursing the funds to the real payment card owner’s account.
Now, in the post-EMV era, chargebacks apply to fraudulent transactions as well. If you sell a reliable and efficient product or service, or have easy-to-please customers, your business probably does not have much experience with chargebacks. However, even before chargebacks applied to fraudulent transactions, they cost retailers tens of billions of dollars per year:
"Chargebacks are already estimated to cost US merchants up to $40 billion each year and that number is expected to grow with the advent of EMV chip-enabled cards. Regardless of the initial reason, every $100 in chargebacks is estimated to result in $308 of costs to the merchant."
- Tony Zerucha, Managing Editor at Bankless Times
Considering the EMV deadline was only two months ago, the effects of the fraud liability shift through chargebacks have yet to be precisely analyzed and determined, but payment card companies are already bracing themselves for the guaranteed onslaught of angry calls from merchants when the first post-EMV chargebacks occur. The onslaught is expected to be so high in volume that Mike Passilla, Chief Executive of Merchant Services at JPMorgan Chase & Co., warned his call centers that they “need to expect a spike in calls for a period of time . . . Not for a month or two months, but for a good six months."
At this point after the EMV deadline, the main question on everyone’s mind is:
“How will merchants react when they get their first statements showing chargebacks for counterfeit card fraud?”
If fraud hasn’t been a problem for your business in the past, you’re probably under the impression that these changes to payment cards won’t affect your business. And maybe, just maybe, if you’re incredibly lucky, no unsavory characters will ever attempt to defraud your business.
"These retailers are rolling the dice every time they swipe a card with a magnetic stripe, betting that the card isn't being used fraudulently. And yet, they are willing to gamble that their familiarity with customers and history of not being a target of fraud will see them safely through the holidays."
- Pittsburgh Tribune-Review
Consider Tim Gasper, a manager, who claims that his jewelry store has yet to be hit with fraud since opening in 1969, which he attributes to the fact that they are "always pretty vigilant (with checking customer IDs)" when accepting debit/credit cards.
What managers and business owners need to be aware of when it comes to validating payment cards by comparing the name to an ID is that realistic fake IDs have become easier and cheaper to make over the years thanks to better and better technology. As a Massachusetts police department can attest: "Our information indicates these 'Fake IDs' appear to be professionally manufactured with functional 'bar codes' that work if scanned by a liquor establishment". Not only are fake IDs easier and cheaper to make, they are much more easily obtainable thanks to the Internet. "Reports have surfaced that thousands of teenagers have now turned to using Bitcoin to pay for their identification cards purchased online, and those IDs also passed a digital scanner test." There is even a subreddit on how to get a fake ID.
Not only are IDs easy to counterfeit, but payment cards are easy enough to counterfeit as well.
For just $5-$8, you can purchase a data package for payment cards that “includes a software-generated number that provides an account number, an expiration date and a CVV number". The price increases to about $15 if you want a bank account number and birthdate included and to about $30 if you want all the info: "a billing address, PIN number, social security number, date of birth, mother's maiden name and username and password access." It is easy to see why it would be so lucrative for criminals to pay their own money to obtain the data from stolen cards: by a conservative estimate, a $30 investment in a fraudulent payment card could easily result in a $100+ profit.
The steadily increasing ease with which fraudulent payment cards can be obtained is evidenced by the growing number of successful fraudulent payment card transactions year after year.
Per month, the average merchant experienced:
- 80 successful fraudulent transactions in 2012
- 91 successful fraudulent transactions in 2013
- 133 successful fraudulent transactions in 2014
- 156 successful fraudulent transactions in the first quarter of 2015
It is theorized that the increasing amount of fraud in recent years arises from the fact that criminals are all too aware of the EMV update:
“[T]he advent of EMV will make the misuse of counterfeit payment cards nearly impossible. Fraudsters have been expected to make a last-ditch effort to collect and use as much breached and skimmed card data as possible . . . As retailers continue to reterminalize in the face of EMV liability shift, pressure is increasing for fraudsters to use breached magnetic-stripe data to counterfeit debit cards at the point of sale while credit cards become more secure for online transactions.”
- LexisNexis, "True Cost of Fraud Study 2015"
As much as people like to think they’re astute enough to handle fraud prevention by identifying potential fraudsters in their store, it’s just not that simple. Seemingly innocuous folks are often behind some rather large fraudulent transactions. Just take a look at a small sampling of credit card fraud cases in the past couple of months:
In those cases above, if any successful fraudulent transaction took place after October 1st, 2015 at a store that wasn’t EMV-compliant, the merchant would be financially liable for the losses from fraud. And the effects of not being EMV-compliant by the deadline have already been felt by one luxury brand. According to preliminary information they have provided us, they have already lost more than $40,000 to credit card fraud thanks to the fraud liability shift.
The main gist of this section is this:
"Although magnetic stripes will continue to exist now that the October 1 deadline has passed, the shift in liability ensures that merchants and card providers could suffer if they fail to catch up. After all, retailers that do not embrace the EMV transition will be held liable for the costs of credit card fraud that may arise, and in 2015, the estimated cost of credit card fraud liability is estimated to be somewhere in the region of over $10 billion."
- Field Nation
In September 2014, Home Depot revealed it had been the target of a massive data hack that compromised approximately 56 million credit cards. The hack of a large corporation, unfortunately, isn't shocking in this day and age, but what is shocking about this hack is the aftermath.
About a month after the hack was reported, "at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot". Fraudulent transactions of this size aren't all that surprising in themselves - the problem with the fraudulent transactions in this case was that the fraudulent cards stemming from the Home Depot attack were chipped cards that had allowed the fraudulent transactions to go through.
"The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards."
- Krebs on Security
Just HOW the fraudsters tricked the security protocols is still a mystery; MasterCard and Visa have yet to comment on the results of their investigation into how "these supposed EMV transactions on non-EMV cards being put through the Visa and MasterCard network as EMV transactions in the first place". Avivah Litan, a fraud analyst, speculates that "it's likely that the perpetrators of this attack had their own payment terminals and were somehow able to manipulate the transaction fields in each charge". But no matter the speculation, to this day, there has been no official disclosure about how the fraudulent transactions occurred. And that's unsettling.
There have even been documented cases going as far back as 2011 (albeit in Europe, not America; however, that should be of little consequence considering EMV technology, no matter the country, should be the same) showing that chipped cards are not quite as secure as payment card companies would like you to believe.
In May 2011, French authorities were made aware that fraudulent EMV cards with data stolen from France were being used in Belgium. After catching the perpetrators and conducting a thorough investigation, holes in the EMV protocol were uncovered. In this particular case, unlike the Home Depot case, the flaws in the EMV protocol were found and fixed, but it is important to note that the level of technological sophistication displayed by the fraudsters was on par with the technology designed to prevent fraud. As a researcher who uncovered and fixed the flaw in the EMV protocol said:
"[T]his case shows that organi[z]ed crime is following very attentively advances in information security . . . producing the forgery required patience, skill and craftsmanship."
- When Organized Crime Applies Academic Results
Although the gaps in the EMV protocol discovered in the May 2011 case have been closed, there is speculation that authorities are aware of more gaps they have not been able to close, gaps that could be readily exploited if discovered by criminals:
"[An] FBI rep told The Washington Times that the chips themselves in the new EMV cards are still vulnerable, though no further explanation was offered."
- Greg Masters, Managing Editor at SC Magazine
EMV, of course, makes transactions more secure than they would be if magnetic stripe-only technology were to continue being used. BUT, it is important to be aware that EMV is not a failsafe method of preventing fraud.
As the Home Depot hack of 2014 shows, there are criminals out there who have figured out how to circumvent the EMV standard. Don't let your business be at the mercy of the technology of the same payment card companies who have decided to saddle you with the costs of implementing the system they arbitrarily constructed and the financial liabilities of fraudulent transactions. Outsmart both payment card companies and criminals by protecting your business on YOUR terms.
If you haven’t become EMV-compliant, or even if you have and want an extra layer of security, we can help prevent payment card fraud by enabling you to check whether or not the physical payment card (and the ID accompanying it) are genuine, officially-issued cards. While a thief may be able to buy your data off the Internet, they would then need to transfer that data to physical cards for use in stores - and unless thieves have the proper machines (which can cost tens of thousands of dollars each) to make those cards, they will be unable to make payment cards or IDs that can bypass our security checks.