Our Blog

Tackling fraud – EMV to the rescue

“The most expensive change in the card world – the costs are high and it’s time consuming.” These are the stakes – as described by EMV migration expert David Cole – for all stakeholders in the U.S. card payment ecosystem ahead of the October 2015 EMV mandate.

Mr Cole – Director Europe at EFTlab Pty Ltd and a smart card consultant – speaking during Aviso’s EMV Migration webinar also explained how fraud is the key driver behind this EMV mandate. He outlined – in stark terms – how prevalent the problem is: “It is believed that in certain parts of the world card fraud is second only to drug trafficking in terms of earnings.”

The problem is also escalating. Just take a look at this list: Target, Kmart, Supervalu, Dairy Queen – all fine U.S. merchants who have been victims of data breaches in the past 12 months. The list is lengthy . . . and growing. It now appears that Staples has also just been hacked. As a result of these, and many other, breaches the payment details of over 100 million Americans were compromised in 2013 alone. It is a trend that needs to be halted.

Mr Cole – who was involved in the first EMV migration in a ‘First Data canteen in the East of London’ back in 1997 – highlighted the fact that this need for card security has also reached the White House. President Obama recently signed an executive order to apply “chip and PIN technology to newly issued and existing government credit cards, as well as debit cards like Direct Express, and upgrading retail payment card terminals at Federal agency facilities to accept chip-and-PIN-enabled cards.”

The White House replacement program begins on January 1, 2015, and they aim to re-issue over 1 million Federal payment cards. It was announced that American Express will – from January 2015 –  launch a $10 million program to assist small business customers in upgrading their POS terminals. The White House also revealed that Target, Home Depot, Walgreens, and Walmart will all start accepting chip-and-PIN cards from January 2015.

The EMV mandate

A poll of webinar attendees found a straight 50-50 split between those who think they are ready for the October 2015 EMV migration and those who are not.

The change to EMV will require a systems overhaul in the U.S.: billions of new cards will have to issued, while POS terminals, mPOS card readers and ATMs will all have to be upgraded to be EMV chip-enabled. This is where the bulk of the cost comes in.

But U.S. merchants will need to understand that after October 1, 2015, the least compliant party in an EMV chip card transaction will be liable for any card-present fraud.

Given that card schemes have demanded EMV adoption, and issuers provide the chip cards, it is highly likely that after October 1, 2015, it will be merchants that will be the most exposed party in the payment processing chain. Merchants, in other words, need to ensure that their systems are EMV-enabled.

Latest figures from the Payments Security Task Force (established by Visa and MasterCard) estimate that 46% of U.S. merchant terminals will be EMV-enabled by the end of 2015.

But why is EMV happening?

EMV is being promoted by the card schemes for a plethora of reasons.

The first is due to card interoperability across the globe, more and more markets are outright rejecting mag stripe cards. More mature markets will shift the responsibility for fraud to the merchants. Many merchants in London, for example, will not take a mag stripe card. They know the risk implications.

Secondly, it’s due to customer pressure. As Mr Cole pointed out, right now cards belonging to members of the U.S. Department of Defense are being turned down throughout the world. He added that the “chances of a U.S. tourist using their mag stripe card in Oxford Street, London, is pretty remote.” This has led to these customers exerting pressure on issuers to provide cards that will be accepted. If their existing issuer doesn’t do so then they will simply go and search for one that does.

This situation, of course, opens up marketing opportunities for issuers. Mr Cole highlighted the example of a Trinidadian bank that was the first to migrate to EMV in that country. The bank’s executives went on national television and said ‘come bank with us, we have EMV’. Their high net worth credit card base rose by 25% in a few weeks as people simply did not want to be declined when abroad.

EMV is also being promoted, as stated, due to rising fraud risks in countries that still accept mag stripe cards. In reality the biggest drivers in EMV are the fraudsters. For this reason the move to NFC/contactless transactions will continue apace.

“We will also see the disappearance of cards . . . watches, cell phones, chips implanted in humans: this is the direction we are heading,” said Mr Cole. “PIN and biometrics will become more important once the limits on contactless are removed and the higher values will be replaced with a PIN/biometric (e.g. Apple Pay) ID.”

EMV is costly and time-consuming – but plan well

The key issues for those in the card payment ecosystem faced with the EMV mandate are infrastructure, cost, and time consumption.

As already stated it will be expensive due to the systems overhaul required and it will take time. However, Mr Cole’s advice to those institutions faced with the EMV mandate was not to rush anything.

You do things when it makes sense to do so,” he said. “Don’t do it all in one go. Card schemes will say that you have to do everything. I don’t agree. Do what makes sense to you. A migration needs to be a very well controlled and well laid out plan and it needs to take time. I know there are mandates in the US, if you are moving you will be left alone by the card schemes. Understand the priorities within your own organisation. Plan and do it properly.”

Cost, he added, can also be spread over several years’ budgets, but the key here is to not build a series of brick walls. To illustrate his point, Mr Cole gave an example of what a UK-based bank did when chip-and-signature was first introduced in the UK back in 1997. One large bank, he said, bought the smallest chip and put it on all of its cards. However, in 2003, when the UK Government issued a mandate to upgrade to chip-and-PIN, the bank did not have room on their chip for PIN. It had to re-issue 12 million cards: a costly example of bad planning.

Mr Cole also turned to the topic of achieving migration by outsourcing. The idea of outsourcing many of the payment processing functions has increased dramatically in the past decade. There are many more PSPs between merchants and acquirers and more additional services. Barclays, for example, used to do everything in the payment processing chain. That is no longer the case – they outsource everything.

It all comes down to planning, said Mr Cole. What makes sense to a bank is not the same for a retailer or a payment processor.

Our EMV Wrapper

During the webinar our Head of Sales, Peter Bove, spoke about how change introduces cost and risk. He posed the questions: can risk be controlled, and can those in the card payments ecosystem reduce time costs so as to become compliant? The answer – on the double – is yes.

That’s why we built our EMV Wrapper – it achieves EMV migration without wholesale change to a customer’s infrastructure. Crucially, it is cost-effective, quick and simple.

Our EMV Wrapper surrounds the existing payment system and handles the complexity of EMV.

This great product provides EMV compliance without changes to existing applications, significantly reducing our customers’ migration risk. It can sit anywhere in the payment stream to manage EMV compliance for our customers be they merchants, issuers and/or acquirers.

Contact us

For more information on our products and services contact us at info@aviso.io, or follow us on Twitter and LinkedIn.

Related posts

You can access all of our previous blog posts on EMV here.