Nearly a year after the EMV liability shift in the U.S.—a move specifically engineered to incent retailers to install EMV-compliant POS systems in their stores—only 44% of merchants are equipped with the new terminals, according to a new report from The Strawhecker Group. Furthermore, not all of those merchants that have installed EMV-enabled systems are using them. Only 29% of U.S. merchants can actually accept chip cards, the report said, with terminal certification delays the main culprit.
Although fewer U.S. merchants are accepting chip transactions a year into the transition to EMV than predicted, the effects experts anticipated have largely come true. Studies over the past few months have consistently shown that counterfeit fraud at the physical point of sale is dropping, while card-not-present fraud is surging. Lisa Baergen, Director at NuData Security, and Smrithi Konanur, Global Product Manager at HPE Data Security – Payments, Web and Mobile, commented below.
Lisa Baergen, director at NuData:
“Compounding the problem, some issuers are deciding to phase in PIN compliance, as it was not part of the October 2015 deadline. Without the PIN, these EMV cards require the far less secure signature to authorise the transaction, stripping the card of its two-factor authentication protection.
A period of overlap will continue, with the increases in account takeover, fraudulent account creation and traditional credit card theft this report highlights. This scenario provides even more reason for organisations to switch from traditional fraud detection methods to behavioural analytics and passive biometrics to detect and protect good users and reveal and block bad actors.
If you truly know the human behind the device, you can finally focus your efforts: protect legitimate accounts, provide streamlined experiences for customers you trust, and block actual fraudsters completely without customer friction.”
Smrithi Konanur, Global Product Manager at HPE Data Security:
“However, for card-present transactions, EMV provides no protection for the transmission of sensitive payment information to the acquiring bank. After the EMV card validation process, the cardholder data must be delivered safely to the payment processor. By default, EMV does not provide ANY protections of data in transit to the processor. Criminals use POS malware, memory scrapers and other covert technologies to capture all of the payments data they need from unsuspecting retailers, despite the use of EMV, and then can use the stolen data for card-not-present transactions. When such data breaches occur, retailers pay a hefty toll in the form of lost revenue, fines and penalties, executive job loss and even board-level lawsuits, as well as loss of consumer confidence and customers.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.