The EuroPay, MasterCard and Visa (EMV) migration to “smart cards” is a textbook example of the dissonance between expectation and execution. Since the smart cards are virtually impossible to counterfeit, the migration was expected to significantly reduce fraud. That expectation was fueled by a massive PR campaign from the card schemes promising as much. However, the reality of the migration proved to be a lot more complicated.
For one, merchants would have to be EMV compliant to enjoy the fraud protections of the smart cards. Not only do merchants need new EMV terminals in place, but that hardware must also be certified compliant by each smart-card network it transacts with. Failing that, merchants are not just exposed to fraud; they are now liable for all fraudulent transactions processed with non-compliant points of sale. And that’s just the card-present merchants.
EMV did manage to reduce fraud, in the very specific context of card-present transactions, and under ideal conditions using EMV-compliant POS. Yet fraud is not static; it is dynamic, like a virus that mutates and hunts for vulnerabilities. As more and more card-present merchants have become EMV compliant, fraudsters have moved online, attacking card-not-present (CNP) merchants, beyond the reach of EMV protections.
Currently in the United States, only about one-third of merchants are EMV compliant. Yet the US in 2016 has already seen an increase in CNP fraud overall. Digital goods have been hit hardest, with that sector reporting three times more fraud attempts than in the previous year.
This trend is consistent with that of countries that were early adopters of EMV, such as the United Kingdom. When the UK’s migration began in 2004, there was a general uptick in both CNP and card-present fraud, as fraudsters scrambled to use their stolen card data before it was invalidated by smart cards. But as UK EMV took hold and card-present fraud started to decrease, CNP fraud went way up, and continues to rise.
Online fraud was already on the increase as well. E-commerce transactions are growing rapidly, and fraudsters were simply going with the flow, despite EMV. Also, massive data hacks have become more frequent in recent years; companies like Yahoo, Adult Friend Finder, Home Depot, and WalMart have been compromised, making a deluge of stolen credit card information available to fraudsters. These hacks will continue to be a menace for the foreseeable future, and as EMV compliance grows, fraudsters will use the card data harvested to target online points of sale.
The EMV migration and its unintended consequences highlighted a quintessential dilemma for e-commerce merchants in 2016. Banks and card schemes are always on the charm offensive about the measures they take to reduce fraud. EMV migration was no exception. The expectation of “fraud prevention” was, in practice, merely a liability shift by the card schemes that in turn flushed fraudsters over to the online space.
The moral of the story: whenever new protocols and technologies are introduced to fight fraud, merchants need to be skeptical, and have their own plan in place to fight fraud. The payments industry is undergoing some major changes aimed at combating fraud, but you shouldn’t wait around for those changes to save you from fraud; they just might make it worse before they make it better!