October 2015 represents a significant milepost in the migration of U.S. payments products to EMV chip technology. It also serves as a useful evaluation point as to what the technology achieves and where it falls short. By now, many U.S. cardholders have been issued EMV chip cards, the microprocessor-equipped cards that store the specific cardholder data on the embedded chip. For decades, U.S. payment cards stored cardholder data on a magnetic stripe on the back of the card, instead of a chip. Indeed most cards in the marketplace, including EMV cards, still contain the familiar “magstripe.”
Unfortunately, the static nature of the data contained on the magstripe makes the production of counterfeit magstripe cards relatively easy. Once the cardholder data for a particular person is obtained, through “skimming” or other means, a usable counterfeit magstripe card can be produced and readily used at the point-of-sale, until the cardholder realizes that his or her data has been compromised. In contrast, EMV chip cards use a dynamic system of authentication at the point-of-sale, which makes the production of a counterfeit card with EMV chip technology much more difficult. As a result, merchants can safely conclude that an EMV chip card presented for payment in a point-of-sale transaction is authentic and not counterfeit, and card issuers should similarly experience smaller fraud losses.
The four major U.S. payment networks (Visa, MasterCard, American Express and Discover) have long-recognized the fraud-reduction potential of EMV chip cards and, individually and through their jointly-controlled EMVCo. consortium, have pushed for the implementation of EMV technology in the U.S. As part of their efforts to encourage increased EMV chip card issuance by card issuers and acceptance by merchants, beginning in October 2015 the networks shift liability for card-present fraud losses to the party (i.e., merchant, merchant acquirer or issuer) that is least compliant with EMV requirements. For example, if fraud loss results from the use of a counterfeit magstripe card at point-of-sale, where the merchant maintains certified EMV chip terminals but the card issuer has not reissued its magstripe cards as EMV chip cards, the loss will be assigned to the card issuer. On the other hand, card issuers that have issued EMC chip cards may be able to avoid liability that arises from fraudulent transactions where the accepting merchant lacks a EMV chip terminal to be used to process the transaction.
However, while EMV chip cards are a useful tool in the fight against payment card fraud, issuers and merchants should be aware of the following limitations of EMV technology:
- Usage of stolen cards – While EMV technology assures that the payment card itself is legitimate and not counterfeit, the technology doesn’t prevent the use of stolen EMV chip cards, which continue to be usable by the holder of such cards.
- Retention of signature validation – The payment networks have not mandated the use of the more secure PIN validation as part of their EMV requirements. Instead, a cardholder’s identity still is likely to be validated through a signature at point-of-sale, to the extent that the transaction threshold requires any validation. As was the case under the pre-EMV regime, signatures remain a difficult means by which to verify the identity of a cardholder, and they may not significantly deter thieves from using stolen EMV chip cards.
- Card-not-present transactions – EMV chip card technology has no ability to reduce fraudulent transactions through online purchases, where cardholder information is entered manually. Indeed, in other countries where EMV technology has been adopted, fraud through online transactions has spiked, as fraudulent activity moved away from point-of-sale.
- Continued presence of magstripe – The increased usage of EMV technology does not simultaneously signify the death of the magstripe, which continues to appear on EMV chip cards to permit such cards to be accepted and used at non-EMV equipped terminals. As a result, cardholder data can still be pulled from magstripe cards and used online.
Now that EMV technology has entered into the next phase of U.S. adoption, the evaluation of its effect on fraud will begin. While there is little disagreement that EMV technology will decrease point-of-sale fraud through the use of counterfeit cards, issuers and merchants should recognize that EMV technology is not a panacea to fraud. The payments industry and its participants must continue to anticipate and to react to the changes in fraudulent activities that emerge in the post-EMV environment.