EMV: Payment Security Silver Bullet or Speed Bump for Fraudsters?

Read the April 2015 Forrester Research, Inc. report, “Prioritize Tokenization to Secure the Payment Chain,” for more information on EMV and complementary approaches to securing payments.

Credit card fraud is a growing exponentially, costing financial institutions billions. To help curb the problem, the U.S. is turning to EMV, a chip-based security standard that’s been used around the world for over 20 years. In Europe, where EMV has been in use since the 1990s, chip cards account for 96.6% of card-present transactions. As the use of EMV grows, expectations are high that it can eliminate or at least minimize card fraud. But is this a realistic expectation?

The sad fact is, uptake of EMV cards and solutions in the U.S. has been extremely slow. Banks and card issuers were initially reluctant to accept the greater cost of issuing chip cards to customers and merchants have been hesitant to shoulder the costs of upgrading point-of-sale (POS) terminals to replace traditional magnetic stripe readers (approx. $250 to $600 per terminal).

Proponents of EMV are hoping to accelerate adoption with the imminent shift of fraud liability. By October 2015, whichever organization in the payment chain doesn’t support EMV (either the bank who issues the card or the merchant who accepts it) will be liable for the cost of fraudulent transactions.

The Case for EMV

EMV is undeniably a more secure technology than magstripe cards. Card data is encoded on the chip, which is then read as part of the transaction process. EMV enhances the security of the transaction by attaching a dynamic cryptogram each time the card is used — a unique one-time password. EMV cards are much more difficult to skim or counterfeit, and in Europe there was indeed a 36% decline in credit card fraud after EMV was adopted, according to Security Intelligence

But EMV doesn’t stop fraudsters from getting a hold of card numbers by other means, for instance by hacking merchants’ databases. EMV alone couldn’t have prevented the major breaches we’ve seen recently in the media, particularly those that hacked the data held in the POS applications. According to our Verizon 2015 Data Breach Investigations report, almost 30% of breaches where data was stolen involved an attack on a POS application.

EMV can’t protect card-not-present transactions (CNP), such as online transactions, which are becoming a larger part of the payment landscape as more consumers shop online and use mobile payments. To be more relevant in this environment, EMV is promoting the implementation of physical readers for ecommerce and mobile transactions. Consumers are issued physical EMV card reader — small battery-powered PIN pad or USB card reader — to provide EMV-related security for online transactions, including online banking (already common in Europe). EMV also supports Mastercard’s Card Authentication Program (CPA) and Visa’s Dynamic Passcode Authentication (DPA).

A Multipronged Approach to Payment Security

By making the transaction at the POS terminal more secure, EMV is likely to displace fraud elsewhere, as we explored in the Verizon 2015 PCI Compliance report. Canada, for example, implemented EMV in 2008 and saw a decrease in counterfeit and lost and stolen card crime, according to the Canadian Bankers Association. But the increase in online or CNP fraud more than replaced this drop.

If merchants are to secure their payments and cut the cost of fraud, they can’t afford to bet on just one approach — whether it’s EMV or something else. Securing the card and the transaction at the POS is important, but issuers and merchants also need to continue to drive improvements throughout the payment chain to stay ahead of the criminals.