Julie Conroy, Aite Group, on the “Countdown to EMV”
Posted July 8, 2015
In three months, U.S. merchants and credit card networks will follow in the footsteps of many other countries around the world and abandon technology associated with antiquated magnetic stripe credit and debit cards. With the current magnetic stripe technology, hackers can easily skim card numbers and security codes in order to use stolen credit cards, which EMV chip card technology will prevent.
While the adoption of EMV will make it more difficult for cybercriminals to copy account numbers, security codes and magnetic stripes associated with antiquated cards, the U.S. will likely see an increase in online fraud. This has been the case elsewhere, including in Europe, which saw a 21 percent online fraud increase following EMV adoption in 2012.
In the run-up to the October 2015 deadline for EMV adoption in the U.S., ThreatMetrix has surveyed several industry thought leaders for their views and opinions. In this blog, Julie Conroy, research director of the Aite Group, provides her perspective. The Aite Group — with expertise in banking, payments, wealth management, capital markets, and insurance — is an independent research and advisory firm focused on business, technology, and regulatory issues and their impact on the financial services industry. Julie is research director for Aite Group’s Retail Banking practice and covers fraud, data security, anti-money laundering, and compliance issues.
Question: How can financial services institutions prepare now for the shift to EMV?
Answer: Hopefully issuers have begun their preparations long before now, as upgrading to EMV is not something that can be done overnight (and we all know that in the world of banking, the three months we have remaining until the liability shift is a blink of an eye.) While the project plan to upgrade to EMV is quite complex, at a high level it can be boiled down to three key initiatives:
- Card issuance: First, we need to get the EMV-capable plastics in consumers hands. This includes determining reissuance strategy (forced reissuance, at expiry, a combination of both), cardholder verification mechanism (online PIN, offline PIN, or signature), contact-chip or dual interface—lots of decisions to be made and planning to be done. And of course there is a lot of back end software upgrades and certification to be done to ensure that issuers are handling the enriched data streams appropriately.
- Cardholder education: Once all those cards are out there, FIs need to educate consumers about how they offer more security, and the new user experience. Unlike the UK and Australia, where the government supported the education effort, in the U.S. migration, the industry is on its own. There will be a fair number of confused consumers and front line staff at merchants in the early days of the transition (and we all know how fraudsters love to capitalize on times of chaos and confusion.)
- Fraud strategy adjustments: The criminals who are currently reaping billions from U.S. counterfeit fraud will not just take the hit to their P&L, they’ll adjust tactics. Issuers who are late to the EMV party should expect to see their BINs more heavily targeted, while all issuers need to prepare for an uptick in application fraud, as well as CNP fraud (which thanks to the increasing use of 3-D Secure is a shared problem with merchants.)
Question: What should consumers do to prepare for the shift to EMV?
Answer: The shift will be pretty easy for consumers. Most of us probably have at least one chip card in our wallet at this point. While there are few terminals that have the software coding fully enabled to process an end-to-end chip transaction, as we get closer to the October 2015 liability shift, we’ll see more terminals prompting us to “dip” our card, rather than swipe it when we’re using an EMV capable card. It’ll be a slight behavior shift, the biggest challenge for many will be remembering to take their card with them after the dip–Canadian merchants reported stacks of forgotten cards at the end of the day.
Question: In your opinion, will most financial services institutions meet the October 2015 EMV deadline? If not, what will hold them back?
Answer: The largest FIs are leading the way, and Aite Group projects that 70% of credit cards and 41% of debit cards will be EMV capable by the end of 2015. Debit will lag due to the complexities associated with the Durbin dual routing requirement, compounded by the fact that many of the smaller FIs got off to a slow start. In the EU, the shift to EMV caused an increase in online fraud.
Question: How will EMV adoption change fraud rates in the U.S.? Do you predict in-store fraud increase or decrease? How about online fraud rates?
Answer: One of the good things about being the last G-20 country to move to EMV is that there are plenty of lessons to learn from. The shift to EMV resulted in an increase in online fraud in pretty much every country that has moved to EMV, and the U.S. will be no exception. EMV is very effective at addressing counterfeit fraud, so card-present fraud rates should decrease markedly over the next couple of years, but we will see a corresponding increase in CNP fraud. Card data stolen in breaches will be used online where possible, and we’ll also see a continued uptick in account takeover, as criminals use stolen credentials to log into consumers’ accounts and use their card-on-file information to perpetrate fraud.