Establishing Digital Trust: Don't Sacrifice Security for Convenience
Several months after the October 2015 deadline for card issuers and merchants in the U.S. to shift to EMV (chip-based) credit and debit cards, a recent Boston Retail Partners survey found that just 22 percent of retailers currently support EMV, with another 53 percent planning to do so within the next 12 months. Sixteen percent say they have no plans ever to support EMV.
Separately, a recent CardHub survey found that approximately 42 percent of larger U.S. retailers haven’t updated the point-of-sale (POS) terminals in any of their stores, and 24 percent have updated fewer than 50 percent of their terminals to accept EMV cards.
Why So Slow on EMV?
One problem, Boston Retail Partners vice president Ryan Grogman said, is that point-of-sale systems in the U.S. are relatively complex, making the EMV upgrade process more challenging than it might otherwise be.
"Support for EMV can often mean not just an upgrade of these payment terminals to support the new insert/dip process, but also changes to the POS application, changes to payment gateways and potentially changes at the credit switches," he said.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
He cited long lead times for new payment terminals and certification, a limited set of payment switch development resources and payment provider support resources, and a scarcity of POS developers as factors contributing to a big backlog in EMV implementations.
In fact, two small retailers in Florida, Milam's Market and Grove Liquors, have filed a lawsuit claiming that the card brands and issuing banks consciously delayed certifying terminals as EMV ready in order to shift liability from the banks to the merchants, resulting in over $10,000 in chargeback fees for the two stores in a matter of months.
Taking the Fraud Risk
The fact that the implementation of EMV-compliant terminals is being motivated by a liability shift (rather than a legal requirement) has also allowed some merchants to delay the process of purchasing, installing and certifying EMV-ready equipment, said Phil Sealy, senior analyst at ABI Research.
"If they're not victims of excessive fraud, perhaps some merchants were willing to take that risk," he said. "It's not legally required for you to change to an EMV system."
That's likely to be a particularly significant factor in the decision for smaller retailers, Sealy said.
"The likelihood of fraudulent activities with the smaller merchants is perhaps lower than, say, some of the big tier one merchants," he said. "So some of them will have definitely decided to take that risk – and others, perhaps they're still in that certification queue, waiting."
Another factor that delayed the process, Sealy said, was the fact that the initial change happened over the holiday period at the end of last year, leading many merchants to choose to hold off on implementation until after the New Year.
"They didn't want to cause confusion during their busy period - or cause possible longer queues and upset customers," he said.
Mobile Payment on the Way
Yet another factor in the EMV delay is the arrival of increasingly popular mobile payment solutions like Apple Pay. "A lot of merchants felt that they wanted to address everything at the same time, and perhaps that was more complex and time consuming than they would have liked it to have been," Sealy said.
Mobile payments are likely to become increasingly popular once they're tied in with retail and loyalty applications, Sealy said, giving consumers an incentive to get out their phones instead of their cards. "That's where it will get really interesting - and I think you'll see the likes of Apple Pay and Samsung Pay going down that road next, once they've expanded into other regions."
EMV and Online Fraud
EMV isn't a cure-all for payment fraud. Boston Retail Partners' Grogman notes that Trustev has predicted that online fraud will increase by 106 percent over the next three years in response to the shift to EMV. Online retail fraud surged by 100 percent in Canada and Australia, and by 89 percent in the UK, after those countries switched to EMV.
Julie Conroy, research director at the Aite Group, said an increase in card-not-present (CNP) fraud is all but inevitable as the migration to EMV continues.
"Looking at the increases in account takeover, CNP fraud and application fraud that other countries experienced as their EMV migration took hold, it's safe to say that these problems will only get worse here as the U.S. migration proceeds," she said.
One technology that could help in curbing card-not-present fraud, ABI's Sealy suggests, is a dynamic CVV code solution like those being offered by Gemalto and Oberthur Technologies. By using an ePaper screen to provide a dynamic one-time code that changes on a regular basis, a dynamic CVV makes it much harder to leverage stolen credit card information if the card isn’t actually in your hand.
According to the results of a recent survey of 231 consumers conducted by Dentsu Aegis for Oberthur Technologies, 80 percent of respondents said they'd be more likely to use a card with a dynamic CVV code for online shopping than one with a printed, static code - and 60 percent said they would be willing to pay more for that technology.
From the merchants' perspective, Michael Thelander, product marketing manager at iovation, said it’s crucial to anticipate the shift to online fraud that will inevitably follow the EMV rollout. "So if you’re thinking about layered authentication, some sort of multi-layered or multi-factor approach, do it now before they bombard your sites in force trying to find ways into consumer accounts," he advised.
EMV in Tandem with Other Security Techs
Even though many companies are planning security improvements, now may be the time to accelerate those efforts.
"If you've had a very slow end-to-end encryption rollout, or you're planning to redesign your outward-facing properties to better handle tokenization, do it faster - because the clock is ticking," Thelander said. "We've seen a lot of people say, 'We had already approved it, and we've funded it and planned it, but now we have to double down and accelerate the rate at which we're getting it implemented.'"
It's also about fine-tuning the investments you may have already made. "A surprising amount of security technologies, particularly in back-end infrastructure, are poorly implemented," Thelander said. "The good news is, you've already paid for it and you have the opportunity to just go back in and implement it the way it should be done, and fine-tune it so that it works really well for, for instance, end-to-end encryption."
It's best, Thelander noted, to take a layered approach, leveraging everything from device-based authentication to biometric and behavioral solutions.
"There's a tendency in the industry, among security professionals, to say, 'This is the one thing that will cure all ills,'" he said. "And we have to disabuse ourselves of that notion and realize that every single person, from a merchant to a bank to a vendor, really has to think in terms of layered authentication and validation strategies."
Ultimately, Grogman said, EMV should be just one part of a merchant's approach to payment security. "The most effective approach for securing payment card transactions is a multi-tiered approach which includes implementing end-to-end encryption (E2EE) and tokenization in conjunction with support for EMV," he said.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at firstname.lastname@example.org.