Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/29/2016
06:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

EMV: The Anniversary Of One Deadline, The Eve of Another

How merchants and criminals responded since the EMV liability shift for point-of-sale devices one year ago. And what changes can we expect after the liability shift for ATMs, which is just days away?

The US on Saturday celebrates the one-year anniversary of the EMV liability shift on point-of-sale systems and will ring in a brand-new liability shift: for Mastercard EMV cards on ATM machines.

If a merchant is unable to process EMV purchases, liability for chargeback losses shifts from the EMV payment card issuer to the merchant. Visa's deadline for EMV on ATMs is next October. 

Thanks to EMV on POSes in the US, counterfeiting is down, and account-opening fraud is way, way up. 

How much of that fraud -- which Experian counts as a subset of "e-commerce fraud," which is slightly up overall -- is attributable to greater EMV adoption? That's a matter of debate.

Some of the increase in "card-not-present" fraud is indeed a result of adaptable attackers shifting their tactics -- as one door closes, a window opens -- but some of the increase in e-commerce fraud could just be because of an increase in e-commerce.  

Besides, merchants have a long way to go before they're fully EMV-capable.    

On the 1-year anniversary, how are merchants doing with the migration of EMV technology on the POS?

According to a report by The Strawhecker Group (TSG) released last week, only 44% of card-accepting merchants have EMV terminals. What's worse, only 29% of card-accepting merchants can actually accept EMV chip-based transactions.

"You're seeing a lot of pieces of paper over the chip readers," says Jared Drieling, business intelligence manager of TSG. Paper, or maybe tape or stickers, he says.  

Why the tape? Because each POS system -- not just each terminal but the back-end systems --must go through a testing and certification process before the EMV terminal can be activated. First, says Drieling, procrastinating merchants found themselves waiting in a long queue just to buy the terminals from backstocked suppliers, and now they find themselves in a long queue to get their certification processed. 

Contributing to the trouble was the timing of the deadline. October 1, says David Britton, vice president of fraud and identity industry solutions at Experian, is the "absolutely worst time to do anything from a change perspective," because retailers are not going to do anything to disrupt their holiday season. Therefore, any merchants that hadn't migrated before the deadline, weren't likely to do so until January.

2016 kicked off with a surge in demand for terminals and a rush of certification requests. That's how backlogs started to build up.

The saturation of EMV also varies by industry and organization. Fast-food restaurants, for example, are behind on migration, because they cannot accept the extra seconds EMV transactions add to wait times, and more importantly fast-food joints "don't see a lot of fraudulent activity," says Drieling.

If you're a fraudster, he says, "you're probably going to the Rolex store" or some other high-end store where you can buy something that can be resold; not a Big Mac. Meanwhile, jewelry and electronics stores, regardless of size, and shops in high-fraud states are ahead of the curve, he says.

Plus, although the EMV POS liability shift of Oct. 1, 2015 is often referred to in grand sweeping terms, it didn't actually apply to all POSes. Self-service gas pumps were given until Oct. 1, 2017 -- an additional two years -- before the shift kicks in.

Despite it all, though, Drieling says merchants have made "significant progress."

Does EMV work? 

"EMV is actually a good thing because it does do a very remarkable job of preventing counterfeiting," says Britton. "As long as we remember that was the intent of it."

Mastercard reported that its fraud data from April shows that year over year, not only are the costs of counterfeit fraud going down for those merchants who've adopted EMV, but costs of counterfeit fraud are going up for merchants that have not adopted EMV.

According to the Mastercard figures, US retailers with EMV rollouts that are completed or near completion saw counterfeit fraud costs decrease by 54% while "large merchants" that had not migrated or just began migration saw increases of 77%. 

EMV doesn't eliminate card-present fraud entirely, though, for several reasons.

How are criminals doing with migrating their crime?

Continued On Page 2

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
CVE-2020-16170
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.
CVE-2020-17487
PUBLISHED: 2020-08-11
radare2 4.5.0 misparses signature information in PE files, causing a segmentation fault in r_x509_parse_algorithmidentifier in libr/util/x509.c. This is due to a malformed object identifier in IMAGE_DIRECTORY_ENTRY_SECURITY.