“There’s nothing like the holiday shopping season going into the New Year to test our latest security efforts and payment technologies,” Jeremy Gumbley, CTO and CSO of Creditcall, recently told PYMNTS.
Overall, Gumbley thinks there will be a downshift in card-present fraud, thanks in large part to the October liability shift and the retail industry's migration to EMV standards.
"In the wake of the October Liability Shift, EMV will remain a strong force in card data protection," Gumbley remarks. "EMV will continue to drive down card-present fraud around holiday shopping and into the New Year, and for years to come in the U.S."
He speaks from experience, noting that when Creditcall helped companies navigate the EMV migration from mag-stripe cards to chip and PIN cards in the U.K., "by 2011 the U.K. had experienced a 79 percent decline of card fraud over the course of three years."
Gumbley also predicts a lag in security vulnerability, attesting that while a shift in fraud to online card-not-present channels may occur, it is likely to be slower and to a lesser extent than "sensationalized."
"Like any technology, it takes time before a new technology is widely adopted and therefore an exploitation interest for criminals. When EMV first came out in the U.K., there was no immediate increased online fraud until some time had passed,” explains Gumbley. "It’s too soon to predict to what extent U.S. and Canada will experience more online fraud as EMV helps to combat card-present fraud. However, North America has the significant advantage of embracing all the best lessons learned and best-in-class payment technologies from others who have already gone through this."
The Creditcall CTO additionally assesses the likelihood of fraudsters exploiting change and the weakest link in the system; this includes mag stripe cards still being used as the rollout of EMV-enabled machines continues.
"It is unfortunate consumers are being victimized during a festive time of year, and pivotal time in the payments world," says Gumbley. "However, around any notable change, it is not unsurprising to see scammers attempt to capitalize on consumers and businesses alike."
Mag stripe cards have been proven easy to hack — and, given that many chip cards are still being shipped to the consumer, scammers will exploit this area of vulnerability.
Another area of interest for Gumbley is around usability of new chip cards for both retailers and consumers alike.
"CreditCards.com recently released a report that outlined approximately 1.2 billion credit and debit cards still have to be upgraded to chip cards and approximately 12 million merchants' point of sale terminals have to be upgraded to accept chip cards,” he tells PYMNTS. “Furthermore, [that] consumers and retailers ... have the technology doesn’t mean they will know how to use it."
Gumbley points out that even the simple shift from swiping to dipping payment cards requires a behavior change and as "creatures of habit," it’s likely retailers and consumers might default to what’s most familiar to them. This is especially likely, Gumbley notes, if the transaction doesn’t go through right away because a consumer may have removed their card too quickly.
"This will get better over time," he states. "Especially after the concentrated holiday shopping season when everyone has had practice and more time to become accustomed to the new process."
Lastly, Gumbley predicts the rise of the Internet of Things and new payment methods amidst security naivety and fatigue. He points out that the latest VTech data breach that exposed data of 6.4 million children and 4.9 million adults raises security concerns around what risks are associated with all of our Internet-enabled devices.
"With the growing prevalence of IoT,” says Gumbley, “and many of these items on holiday shopping lists (e.g. Nest, IP baby monitors, Apple Watch), we expect to see more IoT devices linked to payments and personal identifiable information — and more people unintentionally exposing themselves to potential hackers."
This can be chalked up to security naivety as consumers interact with new kinds of technology or even security fatigue, as users just don't want to go through the hassle of changing default passwords or setting up basic security protection on new devices.
"In the wake of the VTech hack around the holidays,” concludes Gumbley, "we may see larger players like Google and Apple take more precaution to help users better understand the risks of a potential IP-hack and how to set up basic security measures."