Retailers Realize EMV Won't Save Them From Fraudsters

Fraudsters hit retailers harder than ever in 2014, and many retailers recognize that even though EMV's chip-and-PIN authentication will stem skimming, breaches and other forms of fraud will persist.

As mega data breaches at retailers like Target and Home Depot continue to rock the retail industry in 2014, many merchants are facing the music with higher-than-ever rates of fraud and the monetary losses that follow. Some champions have sung the praises of the chip-and-PIN authentication method that will be instituted with the implementation of more advanced physical cards through the rollout of EMV. But the industry is recognizing that hackers, identity thieves, and other criminals are so firmly entrenched with advanced technology and an understanding of card payment systems that EMV is only going to create a whack-a-mole situation. The expectation remains that as in-store fraud diminishes, card-not-present fraud will shoot up.

In a report out this month, analysts with LexisNexis found that merchants are paying 33% more in fraud losses this year than last. Not only are these merchants incurring losses from fraud itself, they're often incurring fees and other costs -- with an average of an additional $3.08 lost per dollar of fraud. And at the moment the increase in losses is felt most acutely by large online merchants. Even as they've experienced a $30 billion windfall from increased revenue in 2014, $255 million of it has been eaten up by fraud. Fraud rates at these online merchant organizations have increased this year at double the rate seen at others.

And as the ripple effects of EMV start to present themselves, it is likely that this impact on e-commerce will only intensify. Designed to sunset dreadfully insecure mag-stripe technology and make it difficult for attackers to create and use counterfeit cards from breached card information, EMV technology uses a circuit-board chip on the card to authenticate with the retailer. EMV has already drastically reduced in-store fraud at European merchants. But the technology does nothing to prevent fraud in situations where the physical card is not used.

And with so much money at stake, retailers recognize that fraudsters are going to set their targets elsewhere within the payment ecosystem.

"Fraudsters have to eat just like you and me, so the fraud is going to go somewhere, and it will be interesting to see where it goes," one unnamed executive at a mid-sized card-issuing institution told LexisNexis.

This seems to be an increasingly pervasive view across the industry, as more security evangelists tout EMV as just one critical layer in securing the point of sale. According to Stephen Orfei, general manager of the PCI Security Standards Council, the PCI Council is encouraging organizations to embrace a host of technologies to make card data less valuable to criminals.

"If you have EMV at the POS, point-to-point encryption back to the acquiring environment, and tokenization implemented properly, you have the opportunity to devalue the data and make it useless in the hands of undesirables," Orfei says.

The encryption and tokenization elements are very important, because as Lucas Zaichkowsky, enterprise defense architect for the forensics and security firm AccessData, explains, EMV readers still allow card number and expiration data to be stored unencrypted during parts of the transaction.

"The proponents of EMV, they either don't understand it or they are some special interest group that's pushing it through because that's their job and they just kind of skirt around telling people, 'By the way, you should still encrypt this stuff because it has the card number and expiration data in plain text,'" he says.

In the meantime, retailers shouldn't wait around for EMV to start instituting extra layers of security. In fact, LexisNexis believes that until the payment companies start enforcing EMV deployment more stringently in 2015, many criminals are going to try to use that window to commit as much fraud as possible at the POS terminal.

"Until EMV is widely implemented or criminals’ caches of stolen card numbers are exhausted, counterfeit cards will proliferate in fraudsters’ last-ditch effort to use them at the POS," the report warned. "Extra caution is advised in light of this trend."
