If you’re a merchant or retailer, you have other days like November 27 and December 24 engrained in your mind, marked on your smart phone and on the calendar hanging in your break area. It’s time to add another date to your list, because chances are good that if you’re not using terminals capable of processing chip-enabled card payments by the EMV compliance deadline of October 1, you’re painting a big target on your back for the world’s most sophisticated data thieves to hit.1
In EMV Deadline, Data Thieves See an Opportunity
Stopping fraud has always been a game of cat and mouse, with retailers more often reacting to data thieves than nabbing them. Fraud didn’t become a $5.5 billion global industry because hackers are lucky. Fraudsters are highly intelligent. Their operations are sophisticated and they’re smart about who they target. They’ll swipe data from retailers still operating mag-stripe only terminals and then use that data to make fraudulent purchases online.
The impending EMV compliance deadline of October 1 promises to create acrimony between banks and merchants, leaving an opportunity for thieves to take advantage of merchants that haven’t yet updated their terminals, certified their software or trained their employees on how to process chip-enabled card payments. Yet, if the recent, massive data breaches experienced by high-profile retail giants taught us anything, it’s that the cost of losing the public’s trust in the safety of your shopping experience can be devastating. Those breaches stand as a warning to non EMV-compliant merchants and signal the need to invest in EMV compliance as one of the necessary protocols to put in place to guard against fraud.
What History Tells Us
Introduce a new wrinkle into the payments process to make it safer and it’s a sure bet that in a matter of time, thieves will figure out how to change their behavior to maintain their income. Such has been the case with EMV in its UK rollout. Chip-and-PIN implementation in the UK gained traction in 2004 and within two years had reached near full migration. At the end of August 2006, 99.8 percent of chip transactions were PIN-verified.
Tracked over a ten-year period from 2004 to 2014, card-not-present (CNP) fraud soared in the UK as sophisticated thieves were forced to replace their traditional domestic counterfeiting and card-present fraud activities. If past history is any indication, a similar rise in CNP fraud should be expected in the U.S. over the coming years; taken together with an ongoing growth in eCommerce transactions, it would appear that a perfect storm is shaping up to hit the payments industry in the U.S.
And it’s not just about CNP fraud. We also saw other fraud behavior here in the UK in the post EMV environment. In some cases, domestic fraudsters who didn’t target CNP fraud or engage in cross-border fraud moved instead to account takeover and online banking fraud to get access to genuine cards, enabling them to continue with their domestic spending sprees.
Not Just a Brick and Mortar Issue
EMV isn’t just a mandate which impacts the issuance of plastic cards and in-store point-of-sale systems. Although online retailers have always assumed liability for transactions given the lack of physical touchpoints, their potential for loss gets larger with EMV when the fraudsters switch tactics now that physical stores have stronger fraud prevention systems in place at the in-store terminal level. Pure play eCommerce merchants (or E-tailers) have as much to lose if not more, given the fact that all of their business comes from the CNP channel.
Smart Merchants Will Make the Safe Move
When it comes to EMV compliance and outmaneuvering data hackers and fraudsters, merchants are at the tip of the spear. They have to discern what the payment experience will be like in their stores and how they will engage customers who are frustrated by the new payment experience. Merchants will bear the brunt of customer frustration, confused employees and eager thieves. Non EMV-compliant merchants will also shoulder the liability that used to fall to payment processors and issuing banks for fraudulent transactions.
In the unending effort to stay a step ahead of fraudsters, EMV compliance and CNP fraud detection and prevention are the safest and smartest moves a merchant can make. Are you ready?
This is the fourth post in a new series on EMV. Catch up on past posts below.
1. Peterson, T., Fishman, J. EMVelocity: Outlook for POS Reterminalization and Mobile Payments. Aite Group, January 2015.