EMV: The Anniversary Of One Deadline, The Eve of Another

How merchants and criminals responded since the EMV liability shift for point-of-sale devices one year ago. And what changes can we expect after the liability shift for ATMs, which is just days away?

Sara Peters, Senior Editor

September 29, 2016

The US on Saturday celebrates the one-year anniversary of the EMV liability shift on point-of-sale systems and will ring in a brand-new liability shift: for Mastercard EMV cards on ATMs.

If a merchant is unable to process EMV purchases, liability for chargeback losses shifts from the EMV payment card issuer to the merchant. Visa's deadline for EMV on ATMs is next October. 

Thanks to EMV on POSes in the US, counterfeiting is down, and account-opening fraud is way, way up. 

How much of that fraud -- which Experian counts as a subset of "e-commerce fraud," which is slightly up overall -- is attributable to greater EMV adoption? That's a matter of debate.

Some of the increase in "card-not-present" fraud is indeed a result of adaptable attackers shifting their tactics -- as one door closes, a window opens -- but some of the increase in e-commerce fraud could just be because of an increase in e-commerce.  

Besides, merchants have a long way to go before they're fully EMV-capable.    

On the 1-year anniversary, how are merchants doing with the migration of EMV technology on the POS?

According to a report by The Strawhecker Group (TSG) released last week, only 44% of card-accepting merchants have EMV terminals. What's worse, only 29% of card-accepting merchants can actually accept EMV chip-based transactions.

"You're seeing a lot of pieces of paper over the chip readers," says Jared Drieling, business intelligence manager of TSG. Paper, or maybe tape or stickers, he says.  

Why the tape? Because each POS system -- not just each terminal but the back-end systems -- must go through a testing and certification process before the EMV terminal can be activated. First, says Drieling, procrastinating merchants found themselves waiting in a long queue just to buy the terminals from backstocked suppliers, and now they find themselves in a long queue to get their certification processed.

Contributing to the trouble was the timing of the deadline. October 1, says David Britton, vice president of fraud and identity industry solutions at Experian, is the "absolutely worst time to do anything from a change perspective," because retailers are not going to do anything to disrupt their holiday season. Therefore, any merchants that hadn't migrated before the deadline weren't likely to do so until January.

2016 kicked off with a surge in demand for terminals and a rush of certification requests. That's how backlogs started to build up.

The saturation of EMV also varies by industry and organization. Fast-food restaurants, for example, are behind on migration, because they cannot accept the extra seconds EMV transactions add to wait times, and more importantly fast-food joints "don't see a lot of fraudulent activity," says Drieling.

If you're a fraudster, he says, "you're probably going to the Rolex store" or some other high-end store where you can buy something that can be resold; not a Big Mac. Meanwhile, jewelry and electronics stores, regardless of size, and shops in high-fraud states are ahead of the curve, he says.

Plus, although the EMV POS liability shift of Oct. 1, 2015 is often referred to in grand sweeping terms, it didn't actually apply to all POSes. Self-service gas pumps were given until Oct. 1, 2017 -- an additional two years -- before the shift kicks in.

Despite it all, though, Drieling says merchants have made "significant progress."

Does EMV work? 

"EMV is actually a good thing because it does do a very remarkable job of preventing counterfeiting," says Britton. "As long as we remember that was the intent of it."

Mastercard reported that its fraud data from April shows that year over year, not only are the costs of counterfeit fraud going down for those merchants who've adopted EMV, but costs of counterfeit fraud are going up for merchants that have not adopted EMV.

According to the Mastercard figures, US retailers with EMV rollouts that are completed or near completion saw counterfeit fraud costs decrease by 54% while "large merchants" that had not migrated or just began migration saw increases of 77%. 

EMV doesn't eliminate card-present fraud entirely, though, for several reasons.

How are criminals doing with migrating their crime?

Although there was a shift in criminals' tactics, EMV implementation can't be blamed for the plethora of stolen identity data available on the black market, or for inadequate authentication/verification during account creation processes, or for increasing e-commerce traffic, or for other poor security on e-commerce sites. 

For these problems, there are a variety of solutions.

"The unfortunate piece is that the countermeasures are taking a sledgehammer to the problem," Britton says. Although the e-commerce fraud attack rate has increased, it's still only around 3%, he notes.

Yet while some companies may have inadequate security, others have staff devoted to looking at a third of the traffic, and losing or denying a variety of customers during the verification process. "So you're incurring 30% friction to solve a three percent problem," he says. Britton stresses that e-commerce sites need to find the appropriate countermeasures for the appropriate time.

Although the costs of new account fraud are on the card issuers, e-commerce fraud is a cost issue for the merchants, who are already dealing with EMV at the POS. 

Shouldn't we have known this was going to happen?

Other countries saw shifts in their criminal activity after their EMV rollouts (many of which occurred many years before the US's). Figures from Financial Fraud UK show that there was a striking increase in card-not-present fraud (including e-commerce fraud) after the United Kingdom's liability shift in 2005, peaking in 2008.

It's worth noting, though, that the e-commerce numbers steadily decreased for several years between 2008 and 2011. After 2011, though, when the UK had already had six years to recover from its EMV liability shift, CNP fraud began to rise again -- e-commerce fraud in particular grew by over 87 percent.

It's also worth noting that, according to the latest figures from Financial Fraud Action UK, one-third of the fraud losses from UK-issued cards occur abroad, and one-third of those losses occur in the United States. 

The State of EMV on the ATM, on the eve of the liability shift

Security researchers have already poked holes in EMV technology on the ATM. At Black Hat USA last month, Rapid7 senior security consultant Weston Hecker released his "La Cara" real-time EMV ATM exploit tool, along with a reimagination of the next-gen carding network.

Research from the ATM Industry Association found ATM upgrades might cost as much as $2,000 to $3,000 per machine. The National ATM Council said it believes only 40% to 50% of ATMs will be EMV ready by October 2016 and that 42,000 independently owned ATMs may shut down as a result of the liability shift.

Considering the rash of attacks on non-EMV ATMs recently, maybe that's not the worst thing.


About the Author(s)

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.
