A Chip in the Card
By Kiran Ambre
Fraudulent card losses worldwide hit $16.3 billion out of $28.8 billion in total card sales. The U.S. accounted for only 21% of global card sales, but about 48% or $7.86 billion in losses. This 2015 study conducted by Nilson, also stated that counterfeit cards resulted in losses totaling $3.89 billion in the U.S. alone, consisting about 23.9% of global fraud losses. These frauds are largely due to the fact that the country still relies heavily on outdated technology that most of the world has already discarded. Companies often find it difficult to push their clients to pay-up. Automated systems reduce these difficulties while streamlining collections. Accuracy in numbers and billing systems are also improved as a direct result. The ability to generate invoices to include a logo is embedded in these systems contributing to a professional impression. Clients prefer to be billed timely and on a consistent schedule.
Need for more security
Traditional credit cards with magnetic strips are extremely easy to replicate as they store fixed data. Fraudsters can copy the magnetic strip of a stolen card or install malicious software in the card swipe machine which then steals and transmits card data to cyber criminals. This data can then be used to make many duplicate cards and siphon money off from an unsuspecting target. Counterfeit cards accounted for approximately $4 billion or 23.9 % of global fraud losses. Recent high profile data breaches like those of Sony, Target, and Home Depot etc. have put authorities on a high alert regarding card security. The need for more advanced technology was realized as early as 1986 with the implementation of the first standard for smart
payments card in France. The modern EMVCo – a coalition by Europay, MasterCard, and VISA was formed in the year 1999. This is now equally split and controlled by MasterCard, Visa, Discover, American Express; Tokyo based JCB, and China’s China UnionPay.
Europay, MasterCard and VISA (EMV) cards EMV
cards are the next generation security cards-both debit and credit; that have an embedded chip. These cards work on a unique tokenization system that replaces account information with a unique code. A typical transaction consists of: (a) A “card present transaction” (CP) – where a physical card is presented at a merchant counter i.e. point of sale (POS); or (b) “Card not present” (CNP) – typically an online transaction, where a card is not physically present. In a CP transaction, payment process differs from a traditional card to an EMV card. Unlike traditional cards, each time an EMV card is used to make a payment, from a specific POS, a unique code is generated for that particular transaction, which is usable again. Thus a duplicated card wouldn’t work as a stolen transaction code would be rejected and the transaction denied. This would make it harder for a criminal to steal data from the point where it is most vulnerable i.e. the merchant payment systems - making EMVs more secure than traditional magnetic cards.
The verification of EMV card transactions differs according to the requirement associated with the card: (a)Chip and Signature: An EMV card subscriber has to sign a payment receipt
While EMV cards are more secure at POS, they cannot totally prevent fraud in CNP transactions or reduce the risk of a data breach for a company. These losses will increase to $7.2 billion in the U.S. by the end of 2020, estimates a report conducted by Aite Group titled “EMV: Issuance Trajectory and Impact on Account Takeover and CNP”
Traditional and EMV card transactions
An EMV card functions similarly to its traditional counterpart, and is a two-step process including card reading and transaction verification. At a POS, the card is “dipped” in the slot provided by the POS terminal instead of “swiping”. When a card is dipped, data is exchanged between the card and the issuer, verifying the card’s legitimacy while creating a unique transaction id. If the card is dipped in the slot and pulled out immediately, the transaction is denied. This process takes a little longer than the quick swipe process of a traditional magnetic card. However, the lag is expected to improve with technology. New EMV cards also support contactless reading known as “near field communication”. In this process, the cards are merely tapped against a terminal scanner which are enabled to read card data from the embedded computer chip. Verification is done according to the requirement associated with the card.
The liability shift – merchant liability
Post the October 2015 deadline for adoption of the technology, the burden of liability for a fraudulent card transaction rests on the party (bank or merchant) that uses the most outdated technology. The merchants who until now were most protected will have to bear the liability for accepting a fraudulent card. This puts a big onus on them as the liability shift from banks could potentially cause them a huge financial loss or cessation of business operations.
Issues miring adoption of new technology
Lack of knowledge: A study conducted by Randstad Technologies in 2015, found that about 30% of merchants did not know about EMV. While as many 37% claimed that they had no intention of making the transition. Card issuers also fear that prompting consumers to remember and use a pin in EMVs would be a big deterrent, prompting them to require only a signature, which is less secure. However, a signature process typically costs more than a pin process, thus proving to be a major deterrent for merchants who have to bear this cost.
Expensive technology: To make a transition, a merchant has to update technology in stores at a significant cost, the burden of which – about 75% is born largely by the merchant.
National Retail Federation has stated that retailers will cumulatively have to spend $30-35 billion to make the switch. Card readers themselves cost $500 each.
Long queues for certification: While the wait for receiving machines is getting long as merchants realize the liability shift, there is an equally longer wait to get hardware certified. Once the hardware is installed at the merchant site, a software that enables the device to accept EMV cards from a third party also needs to be installed. While this is a long process in itself, the merchant additionally has to get certified in combination with the bank from each card network. Federal Law requires that every card issued should support at least two unrelated payment networks for processing. This makes both the writing and testing of codes for processing the software difficult. The specifications for the certification requirement were specified with delay, increasing the wait time even further.
Consumers’ education: According to a survey conducted by Walker Sands Communications, as many as 58% of first time users of EMV cards faced issues such as transactions getting stalled or delayed creating a major deterrent for their adoption. According to EMV Migration Tracker by CardFlight, only about 56% of cards presented are EMV enabled. The general public currently is not being held liable for any fraud however; fraud affects an individual’s credit score. Educating people to demand secure cards, monitor transactions, and alert card companies of suspicious activity would reduce the magnitude of card fraud.
While it is undebatable that EMV cards are more secure, technology would greatly benefit from an alignment of CP and CNP transactions. The bottle necks that exist today (i.e. huge technology adoption cost and time delays due to retailer v/s. financial gains sought by payment processors in verification methods), need to be aligned with the needs of the consumers – for whom the technology was developed in the first place. Failure to do so could result in customers opting out of using cards altogether as they realize the risks of faulty technology.