Endpoint

9/29/2016
06:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

EMV: The Anniversary Of One Deadline, The Eve of Another

How merchants and criminals responded since the EMV liability shift for point-of-sale devices one year ago. And what changes can we expect after the liability shift for ATMs, which is just days away?

The US on Saturday celebrates the one-year anniversary of the EMV liability shift on point-of-sale systems and will ring in a brand-new liability shift: for Mastercard EMV cards on ATM machines.

If a merchant is unable to process EMV purchases, liability for chargeback losses shifts from the EMV payment card issuer to the merchant. Visa's deadline for EMV on ATMs is next October. 

Thanks to EMV on POSes in the US, counterfeiting is down, and account-opening fraud is way, way up. 

How much of that fraud -- which Experian counts as a subset of "e-commerce fraud," which is slightly up overall -- is attributable to greater EMV adoption? That's a matter of debate.

Some of the increase in "card-not-present" fraud is indeed a result of adaptable attackers shifting their tactics -- as one door closes, a window opens -- but some of the increase in e-commerce fraud could just be because of an increase in e-commerce.  

Besides, merchants have a long way to go before they're fully EMV-capable.    

On the 1-year anniversary, how are merchants doing with the migration of EMV technology on the POS?

According to a report by The Strawhecker Group (TSG) released last week, only 44% of card-accepting merchants have EMV terminals. What's worse, only 29% of card-accepting merchants can actually accept EMV chip-based transactions.

"You're seeing a lot of pieces of paper over the chip readers," says Jared Drieling, business intelligence manager of TSG. Paper, or maybe tape or stickers, he says.  

Why the tape? Because each POS system -- not just each terminal but the back-end systems --must go through a testing and certification process before the EMV terminal can be activated. First, says Drieling, procrastinating merchants found themselves waiting in a long queue just to buy the terminals from backstocked suppliers, and now they find themselves in a long queue to get their certification processed. 

Contributing to the trouble was the timing of the deadline. October 1, says David Britton, vice president of fraud and identity industry solutions at Experian, is the "absolutely worst time to do anything from a change perspective," because retailers are not going to do anything to disrupt their holiday season. Therefore, any merchants that hadn't migrated before the deadline, weren't likely to do so until January.

2016 kicked off with a surge in demand for terminals and a rush of certification requests. That's how backlogs started to build up.

The saturation of EMV also varies by industry and organization. Fast-food restaurants, for example, are behind on migration, because they cannot accept the extra seconds EMV transactions add to wait times, and more importantly fast-food joints "don't see a lot of fraudulent activity," says Drieling.

If you're a fraudster, he says, "you're probably going to the Rolex store" or some other high-end store where you can buy something that can be resold; not a Big Mac. Meanwhile, jewelry and electronics stores, regardless of size, and shops in high-fraud states are ahead of the curve, he says.

Plus, although the EMV POS liability shift of Oct. 1, 2015 is often referred to in grand sweeping terms, it didn't actually apply to all POSes. Self-service gas pumps were given until Oct. 1, 2017 -- an additional two years -- before the shift kicks in.

Despite it all, though, Drieling says merchants have made "significant progress."

Does EMV work? 

"EMV is actually a good thing because it does do a very remarkable job of preventing counterfeiting," says Britton. "As long as we remember that was the intent of it."

Mastercard reported that its fraud data from April shows that year over year, not only are the costs of counterfeit fraud going down for those merchants who've adopted EMV, but costs of counterfeit fraud are going up for merchants that have not adopted EMV.

According to the Mastercard figures, US retailers with EMV rollouts that are completed or near completion saw counterfeit fraud costs decrease by 54% while "large merchants" that had not migrated or just began migration saw increases of 77%. 

EMV doesn't eliminate card-present fraud entirely, though, for several reasons.

How are criminals doing with migrating their crime?

Continued On Page 2

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.