EMV and Beyond: Technology Rises to the Consumer Fraud Challenge

mfinity security

Article by Anthony C. Ashe, Executive Vice President of MiFinity Payments

With the October 1, 2015 “liability shift” now a few months behind us, the era of EMV is here in earnest. Yet it’s still too soon to tell whether the expansion of EMV payments has lowered fraudulent activity – in part because too few retailers have gone all-in on the new payments technology.

For background: As of October 1, if merchants don’t accept EMV payments they, not the card companies, are responsible to cover the costs of any counterfeit fraud – that is, fraud or “skimming” that occurs when card numbers are stolen from magnetic-stripe data. EMV or “chip” cards encrypt the cardholder data that powers the transaction, better protecting consumers’ payment credentials.

Yet according to newly released research, only 37 percent of U.S. merchant locations are fully equipped for EMV card acceptance. But indulging in EMV reluctance is, of course, an individual retailer’s prerogative: Because it was a “liability shift” on the part of U.S. payment networks – rather than a government-mandated upgrade requirement – merchants are welcome to continue accepting magnetic-stripe-only cards if they like, as long as they’re willing to accept the increased financial risk.

Which leads one to wonder how much riskier the decision to continue accepting only magnetic-stripe cards really is, when more than 60 percent of merchants are still going that route.

Certainly, EMV is a step in the right direction. But is it enough? The U.S. was responsible for 47 percent of the world’s credit card fraud in 2015, despite having only 24 percent of the total global volume. Widespread use of EMV in the United Kingdom has contributed to a $116 million (USD) annual decline in counterfeit card fraud there between 2004 and 2014 – but even for early EMV adopters in the U.S., POS fraud vulnerabilities remain.

According to a new report, only 10% of retailers are performing EMV-enabled transactions that are working well, with another 12% saying their EMV-enabled transactions “need improvement” – meaning they’re likely still leaning heavily on swiped-card payments when their EMV transactions are botched. The liability for any fraud stemming from failed chip-card transactions doesn’t fall on those retailers’ shoulders (since card companies cover magnetic-card losses for EMV-enabled merchants) but it can still hurt their reputation with consumers.

And avoiding “skimming” isn’t nearly all that matters for U.S. businesses when it comes to consumer fraud. At last count, counterfeit fraud accounted for 37 percent of U.S. credit card fraud, with online or other card-not-present (CNP) fraud accounting for 45 percent. And as it has in other countries, the CNP problem will only grow as EMV makes counterfeit fraud more difficult and financial criminals seek out other avenues.

Beyond EMV, other technologies aim to conquer the card-not-present challenge and other POS liabilities and payment security issues. End-to-end encryption or “E2EE,” for example, goes a step further than EMV by eliminating encrypted data (i.e., encrypted consumer payment credentials) at rest and keeping the encryption key outside the merchant’s POS system or online payments environment. A reported 29% of retailers plan to implement E2EE in the next 12 months.mfinity safe

Tokenization is also generating increased interest in today’s payments ecosystem, in part because even the best encryption provides insufficient protection from financial crime. Encryption –even with E2EE –simply hides or scrambles a cardholder’s original primary account number (PAN), leaving open the potential for hackers to decode the algorithm masking that data, access the original PAN, and use it for fraudulent activity.

Tokenization safeguards payment card data by substituting a cardholder’s “PAN” with a randomly generated, one-time, virtual card number – i.e., a token – and bundling it with business rules for its exact use (where, when, and by whom). Because the token is uniquely generated for one specific transaction, there is no way to trace it back to the original card number or apply it for a purpose beyond its intended use.

Though it’s not a new concept, tokenization is seeing increased adoption of late – with a reported 41 percent of retailers using tokenization and 22% planning to implement it within the next 12 months – because it enables merchants to avoid the risk of their consumers’ data being “unencrypted” and misused; with tokenization, the original card data is eliminated from the transaction entirely. To adapt to the evolving, EMV-driven payments landscape and meet the needs of a wide variety of merchants, tokenization solutions providers like MiFinity are increasingly creating systems with functionality designed specifically around the needs of specific industries – retail, gaming, hospitality, travel, and more.

No efforts or technologies can (or ever will) completely eliminate a business’ financial crime risk, but besting consumer fraud will take more than a shift from “stripes to chips” for merchants. As more retailers go all-in on EMV, they’ll hopefully also double down on supplemental technologies that can better protect their customers.

mfinity anthony asheAuthor Anthony C. Ashe is a principle shareholder and Executive Vice President of MiFinity Payments, (formerly NXSystems). MiFinity is a global payments provider specializing in secure, cost effective payment products that help merchants protect their consumers and lower their processing fees. Ashe has served as a member of the NASD and SEC, a registered investment adviser, and an accredited asset management specialist. He can be reached at tashe@mifinity.com.


More articles about payments and credit card technology:

Urovo Will Present Handheld Terminal in 2016 IoT and Smart China
TSYS and Handpoint to Offer Mobile EMV
Payments: The last mile of online customer intimacy
Taking A Look at MasterPass
PayPal To Air Superbowl Commercial – The New Money
Top Payments Industry Articles from 2015
Data Breaches Overwhelm Retailing
Square Stock Closes Below IPO Price
Are selfies and retina scans the future of payments security?
Protecting Retail Businesses after the Liability Shift