Chipping in to prevent fraud

Adoption of EMV chip technology by merchants may be slow but it’s already working to prevent card fraud.

From the pages of In Business magazine.

Some point in the perhaps not-so-distant future, young children may roll their eyes when grandpa rambles on about, “In my day we used to swipe our credit cards!”

That’s because while the U.S. is late to the party on EMV chip technology in credit and debit cards compared to much of the rest of the world, more and more merchants are adopting the technology every day, and with good reason.

EMV, which stands for Europay, MasterCard, and Visa, is a global standard for credit cards that uses computer chips rather than magnetic strips to authenticate and secure card transactions at the point of sale.

The technology has been around for about two decades and is used in much of the world, but the chip-enabled cards have only really caught on in the U.S. over the past few years.

Part of that is due to an October 2015 deadline that was set for merchants to adopt the technology. However, the migration to EMV chip technology was not a mandate — a common misconception.

“The option for merchants to accept chip cards was incentivized by the payment card brands — Visa, MasterCard, etc. — in the form of a fraud liability shift,” explains Mike Blang, senior vice president of sales and marketing for Wind River Financial. “There are nuances but the general idea is that in the past the card issuer held counterfeit fraud liability. After Oct. 1, 2015, the entity that had invested least in chip technology, the merchant or the card issuer, holds the fraud liability going forward. For example, if the card issuer issues chip cards, but the merchant does not accept chip cards, then the merchant would hold the fraud liability.”

Since this was not a mandate, some merchants readily adopted EMV and some chose not to do so for business reasons, Blang notes. Some of the reasons merchants may have delayed implementation include:

  • They had to buy new hardware that could read chip cards.
  • There is at least the perception that chip card transactions are slower than magnetic strip transactions.
  • Some merchants didn’t know their level of counterfeit fraud liability since, in the past, issuers simply absorbed the loss rather than sending through chargebacks that they knew they were going to lose.
  • In some environments using integrated point-of-sale (POS) systems, the software needed to process chip transactions was not certified by the date of the liability shift.

“The U.S. is the world’s largest and most complex payment card market with many more providers in the payment space, more regulations to follow, many more financial institutions, many more debit and ATM networks, many more merchants, and many other complexities than any other market,” Blang says. “This, combined with what was arguably a shorter migration timeframe, may lead one to believe that what was achieved was actually nothing short of moving mountains.”

Slow your roll(out)

Although the EMV technology wasn’t new, software certification issues have also slowed adoption in the U.S. market over the last several years.

According to Blang, many software providers underestimated the complexity and time of getting certifications completed. However, every day more and more providers are being certified and rolling out EMV to those merchants that want it.

“The level of success is subjective, but some industry statistics indicate that counterfeit payment card fraud is already down by up to 40%,” Blang says. “The U.S. is unlikely to have 100% chip card acceptance any time soon. Canada, a much less complex market than the U.S., began experimenting with chip card acceptance and had a multiphase approach starting 10 years ago. Their chip card acceptance is now estimated be somewhere in the 90th percentile.”

From the consumer perspective, Blang adds, it will take time to “train” consumers to insert their cards rather than swipe them since swiping has been around for decades.

Derrick Taylor, president of Global 1 Solutions, a national payment technology company that serves merchants and retailers and is based in Madison, says growing pains are to be expected with any type of change, especially as large as an EMV migration. However, he believes the industry could have done a better job with the initial rollout.

“I believe the rollout was too soon. At the time of the October 2015 deadline most terminals and POS equipment were not compliant to accept the new chip cards. Coordinating a rollout across the U.S. payment industry is much like herding cats. It’s possible but it takes much longer than you’d expect,” Taylor explains.

A year and a half after that deadline, Taylor reports most consumers have chip-enabled cards. MasterCard reports that 88% of its U.S. consumer credit cards have chips, he says, yet only a quarter of all payment card-accepting merchants are able to accept them.

Echoing Blang, Taylor says there are several reasons why these merchants have not adopted EMV and therefore are now liable for in-person payment fraud. Upgrading a stand-alone terminal can be fairly easy and non-disruptive, but many retailers have an integrated POS system.

POS system upgrades can be expensive and merchants might be interested in delaying the expense as long as possible, notes Taylor. Fear of the payment card industry (PCI) is another reason why some merchants have been slow to adopt the EMV technology.

“Some merchants are nervous to make any change to their payment processing for fear of increasing their risk of fraud or PCI requirements,” says Taylor. “There are, in fact, many solutions that are designed for EMV certification that actually reduce PCI scope such as semi-integrated solutions.”

Taylor also agrees with Blang that there’s been a perception that EMV equals slower transaction times. “Some merchants have flat out decided not to adopt EMV because they are worried about lengthening their transaction times,” Taylor says. “This is especially likely in industries where checkout speed is a competitive differentiator such as quick service restaurants and retail.”

Transaction times haven’t been a concern for Katrina Kelly, owner of The Kitchen Gallery on King St. in Madison.

“In our case it’s not a super quick checkout process anyway,” Kelly explains. “We wrap up all the products and stick them in a bag — it’s not like customers are just getting one thing and running out the door really fast.

“People have commented that [the transaction] takes a little longer but I think the biggest complaint we’ve heard from customers is they keep having to get issued new cards with chips so they’ve had to repeatedly change all their card numbers and payment systems they had stored online. I think that frustrated a lot of people and was what bugged our customers.”

The Kitchen Gallery installed its two chip reader terminals in fall of 2015 just prior to the deadline. Kelly says her primary motivation was to address fraud liability.

“Most merchants and consumers were (honestly) becoming frustrated with the lengthier process of EMV acceptance locally and nationwide,” Taylor notes. “But over the last year the reaction from merchants has continued to trend positively. Most of the initial issues with the chip card process have been resolved and consumers are mostly expecting to insert the card versus slide. Consumers also understand that even though the process was tedious, it’s worth the extra security and added protection.”



Fraud fix — or failure?

Security is the primary reason why the migration to EMV chips was implemented by card issuers and the financial industry.

Local financial institutions began re-issuing cards to their customers within the past two years and full integration is nearly complete.

Carma Atkinson, director of card programs for UW Credit Union, says the credit union began issuing EMV chip-enabled credit cards in July 2015. By the end of 2015 all credit cards were switched to chip technology. Then in January 2016 UW Credit Union began issuing chip-enabled debit cards to its customers, a process that was completed in October 2016.

Similarly, State Bank of Cross Plains converted all its credit cards to EMV in October 2015, says Betty Nonn, senior vice president of general operations. “With our debit cards, we chose to replace them over the course of one year, so we began replacing them last May and will have all customers converted by end of April 2017.”

Both Nonn and Atkinson say cards from State Bank of Cross Plains and UW Credit Union are now issued with the traditional magnetic strip, as well as an EMV chip, which is important because it allows customers to use the cards at any retailer, whether they have converted to the chip readers or not. However, if the merchant has converted, Nonn notes, the customer has to use the chip reader, as the chip takes default precedent over the magnetic strip when the chip reader terminal is active.

According to Taylor, the rapid rise of counterfeit payment fraud in the United States clearly demonstrates the need for a solution like EMV. And so far the technology has proven to be fraud proof — when used properly.

The microchip in the new credit cards generates a dynamic one-time use code for each transaction called a cryptogram, explains Taylor. Because the cryptogram changes with every transaction, even if the card data is stolen the information can’t be used to create counterfeit cards because the stolen cryptogram would have already “expired.” This feature makes EMV chip card data a less attractive target for criminals to steal.

“A magnetic strip holds a secret number, and if someone knows that number they can claim to be the owner of the card,” explains Taylor. “But if a bad guy swipes the card they then know the number and can make their own card, i.e. ‘cloning.’ This has turned out to be a major practical problem with magnetic strip cards.

“A chip also holds a secret number,” Taylor continues. “However, it is securely embedded in the chip. When you use the card the chip performs a public key operation that proves it knows this secret number. However, it never reveals that secret number. If you put a chipped card in a bad guy’s machine they can impersonate you for that one transaction, but they cannot impersonate you in the future.”

Blang notes the financial industry has seen seen many attempts to break the EMV technology but none have been successful to date. “Remember that EMV technology is about 20 years old and has been used in other areas of the world for quite some time. Criminals can technically make counterfeit chip cards with working magnetic strips, but not working counterfeit chips.”

EMV is one of the newest solutions to help prevent fraud in credit cards, notes Taylor. However, don’t expect it to stop all fraud.

“The migration to EMV helped decrease card-present fraud in the U.S., as it has in other parts of the world,” Taylor says. “Fraud can still exist in other forms of credit card usage such as online fraud and card-not-present transactions. It’s always going to be a never-ending battle to stay one step above these hackers and fraudsters. The good news is that both U.S. merchants and consumers have made significant progress since the EMV liability shift a year ago, as in-person credit card transactions become more secure.”

Chip-less transactions

Where security has lapsed is when the chip-enabled cards aren’t being used properly — that is to say, when the chip isn’t being read.

“The financial industry and banks specifically embraced this as a way to reduce the amount of fraudulent transactions occurring on our cardholders,” notes Nonn. “I wish we could say we don’t have any fraud since issuing the chip cards, but unfortunately that is not accurate — either for us or for the financial services industry as a whole. There have still been transactions where the chip technology has been circumvented, but overall we have reduced fraud losses for both our customers and the bank as the cards have been re-issued with EMV chips.”

Generally speaking, the chip technology isn’t being circumvented by financial criminals. It’s occurring at the register or online.

“For those locations currently accepting chip cards, counterfeit fraud is being mitigated significantly,” Blang explains. “Having said this, magnetic strip counterfeit cards can still be made and there is currently no retirement date for the magnetic strip on cards. Just as keying in the card number was the fallback for magnetic strips that did not work in the past, swiping the card is the fallback for chip cards or chip readers that are not working for one reason or another.”

The Kitchen Gallery’s Kelly, who says adoption of the chip readers at her store was fairly seamless, confirms this. Some chip-enabled cards still don’t work well with the chip readers, and because those cards cannot be swiped the card number has to be hand-entered at the point of sale.

However, those instances are becoming more rare as more merchants adopt the EMV technology and kinks get worked out of the system.

“In preventing counterfeit card fraud, chip technology is much safer,” says Atkinson. “The key in preventing counterfeit fraud lies in both the issuers and the merchants adopting the technology.”

It’s working well so far for UW Credit Union. According to Atkinson, since switching to chip cards the credit union has prevented roughly $411,000 in counterfeit fraud. “We have also been able to return an additional approximately $300,000 in fraud to the merchants via the counterfeit liability shift. These two numbers together represent the counterfeit fraud losses we have been able to prevent by switching to chip technology. We absolutely feel the switch was necessary.”

Skip the chip

Even as adoption of EMV chip technology is expanding and proving effective at mitigating credit card fraud, it’s replacement is already here in the form of digital wallets.

“Consumers are tired of having their card numbers stolen and having to deal with reporting the fraud, closing their cards, having to get new cards issued, etc. It’s a hassle they don’t want, so they are recognizing and asking the merchants when they’ll switch to the more secure EMV technology,” says Nonn. “The consumers are also starting to embrace digital wallets — Apple Pay, Android Pay, and Samsung Pay — where they can input their card information on their phone and just wave their phone to pay. It’s quick and easy for them, and they don’t have to carry their card with them, whereas they always have their phone.”

Blang agrees that digital wallets are generally very secure because they use the same dynamic security codes as chip cards. “They also use tokenized or ‘fake’ card numbers instead of the real ones. As such, there is currently not a lot a criminal can do with this data if they were able to steal it from the merchant. Many merchants that are accepting EMV have terminals that also work with the type of signal that is used for these types of ‘contactless’ transactions.”

Click here to sign up for the free IB ezine — your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.