For quite some time, the United States has had a well-established reputation for having one of the world’s highest rates of payment fraud. A key reason given for this problem has been the lack of security with US payment cards, which rely only on swiping a magnetic stripe and signature for validation, something that has been an exceptionally easy target for thieves.
On October 17, 2014, U.S. President Barack Obama signed an executive order that was the final impetus needed to push American retailers and payment card issuers to adopt the use of more EMV (Europay, MasterCard, Visa), or chip-and-PIN, cards. In his order, President Obama directed the U.S. federal government to replace its existing magnetic strip payment cards with chip-and-PIN for all of its programs. These cards include government employee credit cards for making purchases and debit cards used to distribute federal benefits to veterans and others. In addition, all point-of-sale (POS) terminals used by the federal government for processing payments will be upgraded to accept the new cards.
This is an important change in the way that Americans use their credit cards, which will hopefully protect against credit card fraud. The U.S. has been slow to accept chip-encoded cards until now because most retailers didn’t have machines that could read them, and they didn’t want to pay for them.
How will the change to chip-and-PIN in the U.S. affect consumers, businesses, banks, and fraudsters?
According to research from MasterCard, 63 percent of consumers are eager to start using chip-and-PIN as soon as possible, and 87 percent are comfortable with making the switch from swiping and expect to adapt quickly to using the new card.
In terms of ease of use, there doesn’t seem to be any serious concerns. The same MasterCard study showed that only six percent inserted the card incorrectly, and 27 percent removed the card too soon. The key differences will be entering a security code and waiting for the secure transaction to process.
Now that the U.S. is finally adopting the use of chip-and-PIN for card payments, this removes a major pain point for Americans travelling abroad. Up until now, paying for purchases using credit or debit cards was difficult, if not impossible, in some cases. Americans could not use their chipless cards for payment in Europe due to either staff unfamiliar with processing card swipe purchases or merchants afraid of being held liable for potential fraud from the less secure cards. International travelers to the U.S. will also benefit from having greater protection from fraud, now that they can finally use the chip on their card.
Although merchants in the U.S. are not required to upgrade their POS terminals to support chip-and-PIN, they have a strong financial incentive to do so. As of October 1, 2015, any merchant that doesn’t accept EMV payment cards will be fully liable for the cost of fraudulent transactions.
At first glance, this card-issuer-imposed deadline might seem compelling enough to drive all merchants to make the switch as quickly as possible, but some industry insiders disagree. NACS, an industry group representing convenience stores and fuel retailers in the U.S., is highly skeptical that most retailers will be ready for EMV by October 1. For small merchants, small card transaction volumes may not justify the expense for new card readers, and they may prefer to accept liability for the low levels of fraud that they would expect from traditional swiping. For fuel retailers, costs could run as high as $35,000 per location to upgrade equipment, with the highest cost from modifying fuel pumps.
If U.S. financial institutions need a use case to justify the cost of retrofitting their ATMs and upgrading terminals, they need not look any further than to their friendly neighbours to the north. In Canada, there has been a steady decline in debit card fraud since chip-and-PIN was introduced in 2008. From a high of $142 million in 2009, it dropped to $38.5 million in 2012. A recent report from the Interac Association revealed that Canadian debit-card fraud losses dropped even further last year to $16.2 million, a record low. That’s a 45 percent reduction compared to 2013, when losses were $29.5 million.
Despite the encouraging numbers for debit cards, the statistics for credit card fraud in Canada have not been as strong. The Canadian Bankers Association found that credit card fraud losses increased by 38 percent from 2012 to 2013. However, the fact that losses from counterfeit cards dropped by 23 percent for the same period shows that chip-and-PIN technology is making a difference in reducing fraud at POS terminals. The challenge remains with card-not-present transactions, which are most often online purchases made on either computers or mobile phones.
Most observers are confident that the security features of chip-and-PIN cards will certainly reduce the amount of card payment fraud that occurs from in-person transactions in bricks-and-mortar establishments. At the same time, there have been grave concerns raised about an expected surge in online fraud resulting from criminals focusing their efforts on card-not-present purchases, such as those made by eCommerce or by mobile commerce. Being able to simply use credit card information with much weaker security measures in place make online retailers a much easier target that will only become attractive to thieves after EMV is deployed.
Not to be outdone, credit card companies are also doing their part to combat an already troublesome situation. Both Visa and MasterCard are diligently working on solutions to keep cyber criminals at bay by removing account numbers and replacing password protection with more secure alternatives.
In addition to what Visa and MasterCard are already doing, there need to be additional layers of security to protect consumers and card issuers from card-not-present fraud. Conforming to the Payment Card Industry Data Security Standards (PCI DSS) and using strong encryption and tokenization as well as tools such as electronic identity verification will all help to bolster online retailers’ defences against cyber criminals.
Without a doubt, the implementation of chip-and-PIN in the U.S. is a change that is both welcome and long overdue. Having a far more secure form of card payment standard in place will significantly reduce the amount of fraud that occurs for retailers and financial institutions. Despite the worries of increased online fraud, the move to EMV is a necessity. As the payments industry takes a multi-faceted approach, tackling card-present and card-not-present security issues, the tide may yet turn in favour of retailers and consumers as fraud decreases.
Who do you think should be held liable for losses due to card payment fraud?