October 15, 2020, marked the fifth anniversary of the date when Visa and Mastercard implemented the EMV liability shift in the United States.
The card schemes shifted fraud liability from financial institutions onto merchant if the card used in a fraudulent transaction was “swiped” instead of “dipped.” The October 2015 deadline marked the US market’s transition with fraud liability, but merchants were already being encouraged to accept chip cards as early as 2011.
The purpose of the liability shift was, ultimately, to protect customers from identity theft. The thought process being that merchants would be more conscientious about employing EMV technology if they faced liability from fraud.
EMV chip cards are able to store significant amounts of encrypted data compared to a traditional magnetic stripe card. The card generates a unique token for each transaction, instead of transmitting the cardholder’s actual information. Because of this, the cards became nearly impossible to clone, helping prevent counterfeit card fraud.
Nowadays, nearly all Americans have at least one chip-enabled card in their possession. It allows ease of access and peace of mind when “dipping” your payment card. But, with the 5th anniversary of EMV adoption is at our doorstep, it’s important to examine just how effective EMV fraud prevention has been, and also decide where to go from here.
Card-Present Fraud Has Declined, but US Still Lags
In 2019, Visa reported an 87% decrease in counterfeit card fraud since the US liability shift. Despite this apparent success, though, the introduction of EMV hasn’t been without its challenges.
When the new process rolled out, consumers and merchants had to contend with shifting deadlines, delays in EMV certification, and an overall lack of clarity on policies. Though the transition began five years ago, we have yet to see it take full effect. EMV-enabled transactions still only account for 63% of card-present sales in 2019, meaning that until that number reaches 100%, stolen cardholder information still poses a serious threat.
One key problem is that certain industries have pushed back the deadline to comply with EMV standards several times. For example, we are seeing many noncompliant card readers at gas pumps, where one-third of AFD (automated fuel dispenser) operators still have no gas pumps available that are EMV-ready. Although the deadline for AFD readiness is set at April 2021, only 61% of merchants say they’ll be ready by then.
The EMV response in the US has been disjointed and uncoordinated. Without a unified approach to EMV fraud protection, we leave ourselves open to the risk of continued attacks and negligence.
COVID-19 and its impact on EMV
In addition to lax deadlines and changing policies, this past year has also presented an unforeseen and significant challenge to the EMV rollout. Namely, the COVID-19 outbreak, which disrupted nearly all aspects of life.
Merchants have dealt with this unexpected disruption to their cash flow management and have been preoccupied putting out numerous other fires. But, while the negative effects of the pandemic are obvious, the situation has also provided merchants with a compelling incentive to make the switch to secure card-present transactions through EMV technology.
More than ever before, consumers are wary of human contact and close proximity to others while shopping. Upgrading to an EMV-compliant terminal will minimize touch points and allow buyers to use NFC-enabled technologies such as mobile wallets. In light of virus concerns, these changes will provide consumers with peace of mind and a newfound confidence in shopping.
The fact remains that merchants who continue to resist EMV fraud protections will face serious consequences if a consumer finds themselves a victim of fraud. The problem isn’t unique to card-present merchants, though; there are also consequences for merchants operating in the eCommerce space. Fraudsters have the ability to access a cardholders’ information, and then use that stolen data to make online purchases.
EMV Systems Forced Fraudsters to Move Online
EMV adoption has meant a decline with card-present fraud. However, eCommerce merchants saw a significant surge in online fraud activity. This has caused a ripple effect as cardholders become increasingly fearful regarding eCommerce, leading to more chargebacks and a spike in friendly fraud.
Merchants are on the forefront of this situation. However, financial institutions can help reduce the burden by encouraging merchants to adopt the following precautions:
- Deploy Antifraud Tools: A multi-layered approach is necessary. Tools like CVV verification, AVS, proxy piercing, geolocation, 3-D Secure 2.0, and more can be used in a coordinated manner.
- Deploy Fraud Scoring: Fraud scoring examines each transaction based on dozens of variables, then assigns each transaction a numeric score. Parameters can be set to flag and automatically reject suspected fraud attempts.
- Encourage Secure Technologies: Mobile wallets like Apple Pay employ two-factor security. Accepting and encouraging these alternate payment methods can make for more secure, reliable card-not-present transactions.
- Eliminate Potential Errors: There are dozens of avoidable mistakes made in customer service, user experience, policies, and logistics that lead customers to file chargebacks.
- Address Friendly Fraud: Friendly fraud costs time, money, and inevitably skews data, making it impossible to identify genuine fraud. Representment ought to be implemented to identify and respond to friendly fraud.
Action Still Required
The market has seen many changes over the last five years. EMV adoption has reduced in-person fraud and protected consumers and merchants. However, it’s also coincided with increased fraud activity elsewhere.
The ugly truth is that, while criminal fraud becomes more common online, friendly fraud will continue to grow at an even faster rate.
Chip cards are a step in the right direction, but the work isn’t finished. Fraud is still a major burden for card-not-present merchants, which has only been exacerbated by the ongoing pandemic. A unified and multi-layered strategy is needed to ensure that all levels of the payment process are protected against fraud and malicious attacks.