EMV Alone Won’t Cure Holiday Fraud Blues

How successful will the U.S. migration prove to have been? According to Joe Majka, Chief Security Officer at Verifone, the payments industry will likely have to wait until after the holidays for an answer.

Majka shared with PYMNTS the one key sign to look out for  — if there is a noticeable shift from in-store to online card fraud — to indicate, after the holiday dust has settled, whether or not card issuers and larger retailers have made positive headway in the effort to reduce successful use of counterfeit cards.

“Ultimately,” says Majka, “I suspect the results will be muddled and inconclusive.”

And there will be a number of factors contributing to that potential inconclusiveness, as Majka goes on to explain.

NOT ALL CONSUMERS HAVE CHIP CARDS

“Most of us likely still have at least one non-EMV credit or debit card in our wallets,” Majka observes, “as some issuers are lagging behind on issuing chip cards.”

He points out that — at merchants that are accepting EMV this holiday season — shoppers are likely to suffer even longer-than-usual checkout waits for this time of year, “as consumers and store clerks struggle with whether to swipe or ‘dip’ cards”

“Some will complain,” Majka goes on to say. “Newspapers will continue to publish stories of consumer frustration and confusion. And criminals will continue to seek out the easiest path to ill-gotten gains.”

EMV IS NOT A MAGIC ‘ELIXIR’ TO PREVENT ALL CARD-RELATED THEFT

In addition to longer checkout times, consumers and merchants are going to find out that EMV “is not the magic elixir to prevent all card-related theft,” warns Majka.

He stresses that “EMV is a card authentication technology, not a data protection technology. Chip cards do not protect against theft of the primary account number (PAN) or expiration date.”

As a result, Majka attests that some retailers that haven’t taken additional steps to protect card consumer data will “undoubtedly” experience cyber breaches, noting that theft of chip transaction details can result in cross-channel fraud in card-not-present (CNP) environments, such as online or over the phone.

Consequently, Majka believes that the U.S. — “similar to every other country that has adopted EMV — will likely see more fraud shift to the online environment as “the crooks seek out the easiest way to achieve their goals.”

This is a particularly important likelihood, Majka goes on to explain, given that U.S. consumers’ online purchases totaled nearly $84 billion in the second quarter of 2015 alone. And while there are ways to apply EMV to online purchases, Majka points out that they are not widely adopted in the U.S., where utilization of PINs for credit card purchases “is for the most part spurned.”

THE GOOD NEWS

All that being said, Majka shares that he has been “pleasantly surprised to see EMV acceptance popping up in small businesses, ranging from dry cleaners to medical offices.”

While not all retailers will be accepting EMV this holiday season, Majka states that it’s “important to note that the massive technological migration that took place in preparation for the liability shift did not happen in vain.” On the contrary, he explains, a lot of merchants used the liability shift as an opportunity to upgrade their technology with solutions that “not only have the ability to accept EMV, but also provide more flexibility and value to consumers at the point of sale.”

He adds that “many of the new technologies retailers put in place — or are currently rolling out — also have the ability to support NFC, mobile wallets, consumer loyalty programs, beacons and other capabilities that can be used to reinvent the payment experience.”

Overall, Majka believes that this holiday season will lead to greater recognition that in-store and online transactions require a security architecture incorporating multiple layers beyond EMV. These include:

•  Encryption from the point of entry to the payment card processor, shielding against malware that “sniffs and captures” sensitive data.
•  Tokenization to replace cardholder data (including the PAN) with surrogate values (tokens). Even if the token numbers are stolen, they are meaningless to thieves because outside of the correlation database, they are simply collections of random numbers.

With this in mind, Majka is hopeful that merchants will be more inclined to “leverage managed or cloud-based services that incorporate these additional layers and redirect payment terminal data directly to the processor, ensuring that it is not routed or stored in integrated POS software systems.”

Efficiencies gained through the segmentation of payment data provided by these types of services can, according to Majka, “essentially ‘free’ retailers to shift more of their resources away from ‘payments’ and toward selling more and better serving their customers.”

“As these tools become more widely adopted,” he concludes, “we can look forward to increasingly happier holiday seasons for merchants and consumers.”

Joe Majka,

Vice president and Chief Security Officer at Verifone

Joe Majka has more than 30 years of experience in the financial services sector, managing security, fraud, cybersecurity and data breach incident response. Joe has spoken internationally on the subject of cybercrime and payment card fraud, and he has testified before the U.S. House of Representatives Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity and Science and Technology.