Post Categories: Market Watch

The Cost of Crime – Part 2: The Fight Against Payment Fraud

marketCoverBy Retail News Insider

The line in the sand has been drawn. After years of getting pummeled by billions of dollars in losses due to payment fraud, the major U.S. credit card issuers gave merchants an ultimatum: upgrade to more secure EMV “chip card” technology or be on the hook for financial losses due to fraud. That was the mandate in October 2015, yet six months after the deadline to implement EMV technology has come and gone, shoppers are still being asked to swipe their cards instead of dipping the chip for added security at many stores.

With the promise of more secure payment transactions, why aren’t retailers clamoring to get on EMV bandwagon? In this second installment on the cost of crime in retail, the Retail News Insider team investigates the challenges retailers are facing in implementing EMV payment technology, whether the goal to reduce payment fraud is truly being realized and where consumers stand on the issue.

Understanding EMV & Fraud Liability

Before we jump into how retailers are dealing with EMV implementation, it’s helpful to have a clear understanding of how payment processing used to work and how the move to EMV technology is influencing change. When a consumer swipes a card with a magnetic stripe:

  • his or her financial information is transmitted to the point-of-sale system (POS) through a simple magnetic field
  • the same information is transmitted every time the consumer swipes the card at any store.

This makes it’s fairly easy for a criminal to “skim” the information off the consumer’s card, then load it onto a counterfeit card.

When a consumer inserts a chip card into a POS:

  • it sends his or her financial information through a “packet” of data that’s encrypted via the computer chip embedded in the card
  • a uniquely coded packet is created for each new transaction.

This makes it harder for criminals to capture consumers’ financial information and to create counterfeit cards. Case in point: when chip cards were introduced in the United Kingdom, they helped reduce payment fraud by 27 percent, according to payment processor FirstData.

Now the liability shift issue. Before October 2015, if a credit card was used fraudulently, the bank or credit card issuer would give the real card holder his or her money back and still pay the retailer for the goods or services sold. The only one out of pocket was the bank or credit card issuer.

Today, if a fraudulent purchase is made using a chip card that’s been swiped because the retailer didn’t have a chip-enabled POS, the retailer is on the hook for the fraudulent charge. They have to give the real card holder his or her money back—and they’re out of pocket for the goods and services fraudulently purchased by a criminal.

Where Retailers Stand

With $7.9 billion in payment fraud losses reported in 2014, there’s a lot on the line for retailers. So why are less than half of all brick-and-mortar stores in the U.S. currently equipped to accept EMV? As it turns out, the process is more complicated than it might seem.

“We’ve polled our membership and collectively they viewed this project as the most expensive and most complex POS overhaul they’ve ever had to do,” says Mark Horwedel, CEO of the Merchant Advisory Group, a payment advocacy group representing over 100 of the largest retailers in the U.S. When EMV implementation is said and done, the total cost to U.S. retailers will be $25-30 billion, according to the National Retail Federation.

Delays in providing the information needed to upgrade were also an issue, says Horwedel. “We were really set up for failure. There just wasn’t enough time [to complete the upgrade], especially when it’s noted that the specifications for debit cards weren’t provided until after the deadline was identified. It’s like asking someone to build your house and giving them a deadline, but not giving them a blueprint.”

“Card companies made it very difficult for retailers to meet the liability shift deadline by providing the technology details very late, setting unrealistic timeframes, and not being adequately prepared to certify all of the new payment terminals—as they require—before they could be switched on,” agrees Debra Berlyn, President of Consumer Policy Solutions, a consumer advocacy firm.

Berlyn’s last point explains why consumers are still being asked to swipe their cards at terminals that appear to accept chip cards. Retailers have to wait for those terminals to be certified by the very companies that have shifted fraud liability to them. The cause of this backlog is surrounded by much finger-pointing, and is currently the subject of multiple lawsuits.

“We refuse to implement the chip technology here. Our customers would hate how long it takes to process their orders, so we absolutely will not be putting that option here.” ––San Diego-area gas station manager on why she hasn’t implemented EMV technology yet

Where Payment Fraud Stands

Despite the fact that a number of retailers’ EMV systems aren’t fully online yet, we also haven’t heard of many major security hacks recently. Does that mean EMV is working for those retailers who have implemented the technology?

“I don’t think EMV adoption in the U.S. can be given much credit for the apparent lack of large security breaches in retail of recent note,” says Dr. Lance Eliot, Vice President of IT for Interactions.
“It’s too soon for that to have made much of an impact. But I would assert that retailers got the jitters from seeing what happened to Home Depot and other retailers who experienced major security breaches in the last few years. They got religion, so to speak, and the systems security budgets suddenly got the monies that should have been there all along.”

It’s without question that chip cards are more secure than magnetic stripe, but consumers are still vulnerable to fraud, says Berlyn. “By opting for chip-and-signature rather than chip-and-PIN, credit card companies have not addressed card-not-present (CNP) or lost/stolen card fraud [which accounted for 59 percent of credit card fraud in 2014]. This is why over the past several decades we have seen most of the developed world move to chip-and-PIN.”

By and large, merchants also agree the implementation of chip-and-signature cards doesn’t go far enough—a problem Horwedel says lies with the banks. “There’s a lot of talk that [chip-and-signature] is being done to save the consumer from having to remember another passcode or PIN, but the truth is the banks don’t want to update their systems to handle PINs. I don’t think, if left to their own devices, most banks will move to PIN unless there’s a public outcry that they do so.”

Doug Johnson, Senior Vice President of Payment and Cybersecurity Policy for the American Bankers Association explains that the financial industry is ultimately focused on even safer technology. “Our desire is to make both [lost or stolen] credit card numbers and PIN numbers useless,” he explains. “If we have a dynamic number—the concept of tokenization—that’s much more powerful than a static number. That’s the direction we’re going in, and that was determined several years ago, before the debate about chip and PIN ever came into play.”

The tokenization technology Johnson mentions works by not simply encrypting consumers’ financial data, but by actually turning that data into a unique alpha-numeric sequence (or “token”) that can only be read by the payment processor—not the retailer—and that only authorizes a single transaction at a single location. “Tokenization is particularly effective in the online environment. That’s where it makes sense to extend the resources because that’s where the fraud is going,” says Johnson.marketPic

Where Consumers Stand

While there’s been some grumbling about the length of time it

takes to complete chip card transactions, according
to a recent Retail Perceptions report, the majority of consumers who have used them—71 percent—say the cards make them feel more secure. In fact, 60 percent prefer to use a chip card over any other method of payment.

This means that retailers who choose not to implement EMV—or who aren’t able to implement it quickly enough—may pay for more than just fraudulent transactions. “When consumer information is compromised and fraud occurs, retailers are often inaccurately seen as bearing sole responsibility and therefore face most of the public ire,” says Berlyn. “These misconceptions could damage a retailer’s reputation and disrupt business by diminishing its customer base as folks lose confidence in the retailer’s ability to protect their payment card information.”
Shoppers take a dim view of retailers that experience security breaches—both in the short-term and long-term, agrees Eliot. “Shoppers will not only buy less at that retailer, but even opt to not sign-up for loyalty programs or for cards with the retailer. Loyalty and trust effectively go out the window when a security breach happens.”

The Future of Payment Security

Despite the challenges they’ve faced with EMV implementation, Howedel says that retailers do have consumers’ best interests at heart. “The merchant community is interested in implementing the safest technology. The momentum is there, and when the system providers can catch up with the demand, we’re going to see progress in getting EMV implemented.”

Still, experts warn that the current implementation of EMV isn’t a panacea for payment fraud. “Since the U.S. isn’t requiring a PIN, pretty much anybody can use an EMV chip card, including a lost or stolen card,” says Eliot. “And the magnetic stripe on an EMV card is still vulnerable to being read by malware.” EMV doesn’t protect against card-not-present fraud (like online purchases) or attacks on databases containing financial data, either.

Other technologies that are being worked on, such as biometrics and/or the tokenization mentioned by Johnson, may help solve some of these problems. But there is still much work to do, and retailers must remember that security is not a one-time investment. As Eliot puts it, “the cat and mouse game just keeps moving along and retailers need to continually be playing the game.”