By Toni Lapp
October 1 – The EMV liability shift is upon us, and as of Oct. 1, retailers will be liable for fraudulent transactions if an EMV chip card is presented, but the point-of-sale equipment hasn’t been updated. Yet by many accounts, most Americans do not even know what an EMV chip card is or how it provides enhanced security over magnetic stripe cards. Of those who are aware of the new cards, one survey reported that the majority (53 percent) had not yet received replacement cards.
But one segment of the population is keenly aware of the EMV technology: fraudsters.
Security expert Scott Laliberte, managing director of consulting firm Protiviti, says many retailers are “rolling the dice,” gambling that the cost of replacing terminals will be greater than the cost of potential fraud. In the United States, only one-third of merchants were expected to meet the Oct. 1 deadline, and of small businesses, it was estimated that only 22 percent had EMV terminals in place by the deadline.
In the past, retailers have been a source of abundant data that hackers could easily tap to create counterfeit cards. Laliberte is also predicting a surge in charge-back volume, the result of fraudsters disputing valid transactions conducted with a chip-enabled card on magnetic stripe technology. “Normally it would be a disputed charge, but with the liability shift, (acquirers) won’t even listen to the dispute.”
Steve Pederson, vice president and head of North American corporate card products at Toronto-based BMO Financial Group, believes that it will take an incident of fraud to motivate many retailers. This was his experience when Canada adopted EMV, a process that took five years once the announcement was made in 2007. “What we saw in Canada, terminalization (the adoption of EMV terminals at the point of sale) was lagging. As soon as liability shift happened, you saw rapid adoption and deployment because all of the sudden there was a watershed moment.”
Once fraudsters are deterred at the point of sale, they will likely look for another “weak link.” The liability shift deadlines for ATMs and gas pump POS devices are October 2016 and 2017, respectively. Banks with international exposure are versed in EMV technology, and many have upgraded their ATMs ahead of the deadline, Pederson says. This could leave smaller regional institutions vulnerable if they have not yet upgraded.
And then there will be other vulnerabilities.
“Attacks will shift to other fraud channels,” says Laliberte. “The big impact on banks will be phishing and malware attacks. Criminals will steal credentials to make fraudulent wire transfers and clean out bank accounts.
“Malware is becoming very sophisticated,” he says. ‘It’s easy to get an unsuspecting user to click on a link and provide credentials. That will be the unanticipated effects of the EMV initiative.”
Educating the Consumer
Forty percent of U.S. adults are “not at all sure” which types of fraud EMV will protect them against, according to a recent survey. The poll, conducted by Harris Poll, also found that 59 percent don’t know who will be liable for fraudulent transactions on cards with an EMV chip after October 2015. “Education on the new chip cards is an issue,” said Bob Graham, senior vice president of financial services at Virtusa. “Unlike in some European countries where the government got behind consumer education on EMV, in the United States that process seems to be falling on the individual retailers. There are no ads out there about Chip cards, how they work and why consumers should be happy. Confusion will reign at the point of sale and among consumers for a while as some retailers will have converted and require you to ‘dip’ while others are still processing through the old mag stripe readers. While this will not necessarily diminish purchases, it will certainly create friction and frustration for both merchants and consumers.”