Neeraj Gupta, Vantiv, On The “Countdown to EMV”
Posted July 21, 2015
In three months, U.S. merchants and credit card networks will follow in the footsteps of many other countries around the world and abandon technology associated with antiquated magnetic stripe credit and debit cards. With the current magnetic stripe technology, hackers can easily skim card numbers and security codes in order to use stolen credit cards, which EMV chip card technology will prevent.
While the adoption of EMV will make it more difficult for cybercriminals to copy account numbers, security codes and magnetic stripes associated with antiquated cards, the U.S. will likely see an increase in online fraud. This has been the case elsewhere, including in Europe, which saw a 21 percent online fraud increase following EMV adoption in 2012.
In the run-up to the October 2015 deadline for EMV adoption in the U.S., ThreatMetrix has surveyed several industry thought leaders for their views and opinions. In this blog, Neeraj Gupta, senior fraud product manager, Vantiv eCommerce, provides his perspective.
Question: How can e-commerce merchants prepare now for the shift to EMV?
Answer: I would put two tasks on e-commerce merchants’ to-do lists.
The first is simply to understand the “what,” the “why,” and the “so what” of the EMV standard in the context of e-commerce payments. There’s a great deal of talk on the topic, so it’s imperative that they grasp what’s truly relevant to them. Let’s cut straight to “so what.”
Merchants often ask if they need to do something differently to accept these cards. The bottom line is that for card-not-present-only merchants, the consumer experience when paying with a chip card will not be any different, nor will payment acceptance – thus no direct effects. However, there will be two substantial indirect effects of EMV adoption that do warrant the attention of eCommerce merchants.
And, that takes us to task number two.
The second task for e-commerce merchants is to prepare for the two indirect effects of EMV adoption in the United States:
- More Fraud. We fully anticipate a sharp uptick in online fraud rates as EMV makes it more difficult to use lost, stolen, and counterfeit payment cards at the point-of-sale (POS) terminal. There will be a number of unemployed fraudsters looking to pivot their exploits to the more attractive e-commerce channels. .
- Massive Card Reissuance. When issuing banks replace existing cards with their chip card successors, many will also change the card number and/or the expiration dates. For e-commerce merchants offering a saved card-on-file (e.g., recurring services), this can spell trouble in the form of broken subscriptions and increased customer attrition.
While Vantiv offers services to address these indirect effects, the most important thing for merchants is to ensure they’ve implemented an effective strategy to address these issues.
Question: How would EMV adoption have affected all the high-profile retail data breaches of the past 18 months? Would it have prevented them?
Answer: No. EMV solves for counterfeit card fraud by adding a unique signature to the primary account number (PAN) in a card transaction, allowing the issuing bank to confirm that the card being used is authentic. The additional data element does nothing to encrypt or secure the PAN, so that data would still flow through a merchant’s systems, and could easily fall prey to malware. Products like point-to-point encryption (P2PE) and tokenization serve to protect data in transit or at rest. These are the types of technologies that would have foiled the fraudsters that perpetrated those major breaches.
Question: In your opinion, will most e-commerce merchants meet the October 2015 EMV deadline? If not, what will hold them back?
Answer: The hard October 2015 EMV deadline does not apply to e-commerce merchants. That is, there is nothing that card-not-present merchants need to do to comply. At the same time, there is a softer imperative for these merchants to address the indirect effects of EMV adoption before the consequences become untenable. To be specific, e-commerce merchants would be wise to ensure their fraud prevention and account update strategies are in order. That way, they can keep the cost of payment fraud down and the maximize customer lifetime value, respectively.
So, will e-commerce merchants be ready to counter these indirect effects of EMV adoption? Our experience is that this answer varies by merchant size. The larger the merchant, the more prepared they are. This isn’t surprising, although the degree to which smaller merchants have put off readiness has been surprising to us.
There are a few key reasons for this. For one, some merchants simply don’t want to deal with solving for an uptick in fraud and card reissuance until they materialize. Second, other merchants have had limited success either building their own home-grown solutions or navigating a complex and overwhelming landscape of solution providers. Finally, others simply hope their smaller stature will render them invisible to impact.
Question: In the EU, the shift to EMV caused an increase in online fraud. How will EMV adoption change fraud rates in the U.S.? Do you predict in-store fraud increase or decrease? How about online fraud rates?
Answer: It will ultimately come down to the speed with which brick-and-mortar merchants and financial institutions adopt the EMV standard. In broad strokes, however, we fully expect what played out abroad to repeat itself here in the United States. The proportion may not be the same, but we expect to see a reduction in POS fraud while e-commerce fraud increases. Once again, that’s nothing surprising. After all, fraudsters are very good at rapidly identifying the most vulnerable targets and quickly adapting their attacks.
However, we are beginning to suspect that the smaller merchant set will bear the brunt of the uptick in payment fraud attacks. It’s becoming clear that larger e-commerce merchants are going into the EMV adoption phase with their eyes wide open and fortified for the onslaught. Conversely, many of their down-market counterparts are taking a riskier approach, as discussed above. Unfortunately, it’s a gamble that we don’t see paying off. We suspect that fraudsters will quickly identify this gap and exploit it until detected and stopped.
Thus, the emerging picture in my mind is that the shift in fraud will be more than simply a lateral one from point-of-sale to e-commerce, but rather more of a shift over and down.
And, we all better be prepared.