Study: Chip-&-PIN Won't Cure Retail Breaches

The good news: US merchants are moving away from magnetic stripe payment cards to inherently more secure chip-and-pin or EMV type cards. The bad news: Most smaller merchants won't be ready for the rollout, and online payment card fraud (remember that?) is rising and will continue to increase, according to a new report by Javelin Strategy & Research.

"PoS fraud is going to decline, but it's going to take a while. EMV is not going to be deployed overnight," says Al Pascual, director of fraud & security at Javelin Strategy & Research.

Javelin studied Europe's EMV evolution, and while it's helped with on-premises card fraud, card-not-present (CNP) or online payment card transaction fraud has grown. "We're seeing CNP [fraud] is already bad, and it's going to get a lot worse."

That's because the total volume of card-not-present transactions are rising, and the bad guys will go after the easier targets as PoS systems get better locked down, according to Javelin's report.

"As the transaction volume in ecommerce grows, the total amount of CNP fraud will grow along with it," Pascual says.

He says the volume of CNP fraud in the UK -- where EMV cards are used at the brick-and-mortar PoS -- was growing. "In the US, without EMV, the numbers were very similar," he says.

Meanwhile, Javelin says retailers with less than 20 employees won't be ready for the migration to EMV payment systems, so they'll continue to use more vulnerable magnetic stripe technology. Bottom line: They will be the juicy PoS targets for cyber criminals. "In a November 2013 survey of small and micro merchants, just 20% stated that they would be EMV-capable within the next 12 months and 50% stated that they had little to no knowledge of the EMV liability shift. This gap in retailer awareness and motivation will contribute to the delay in EMV POS terminal conversion," the report says.

Says Pascual: "[Consumers] should get used to the idea that CNP merchants and e-commerce are going to become … breach victims. [Attackers] have to get that card data from somewhere," he says. "It's not going to be Target that gets breached. It's going to be Target.com."