2015 will likely bring many changes and developments in the payments and risk industries, but none more anticipated than the EMV liability shift taking place on October 15. As issuing banks prepare to replace magnetic-stripe cards with EMV chip cards, many merchants will upgrade their POS equipment and prepare for the expected increase in online fraud attempts. While U.S. adoption of EMV has already started, there will be significant growth this year, and it is expected that fraudsters and hackers will respond accordingly.
Merchants and issuing banks aren’t the only ones making preparations for the increased adoption of EMV and the liability shift date. In fact, fraudsters and hackers have already focused their efforts with this in mind. It is likely more than just coincidence that hackers have successfully compromised hundreds of millions of payment cards by targeting major retailers like Target (40 million cards), Home Depot (56 million), Staples (1.2 million), Michaels (3 million) and Neiman Marcus (1.1 million), all within the span of about one year.
As consumer use and merchant acceptance of EMV cards grow, the amount of sensitive cardholder data merchants keep on record declines, and once EMV adoption hits critical mass these merchants won’t be such fruitful targets. In anticipation of this, hackers have recently launched more large-scale attacks against merchants while the value of such attacks is at its highest. Hackers aren’t just going to quit hacking post-EMV, but they likely will shift their targets.
Overall, EMV in the United States is a good thing. It greatly helps with issues that have plagued traditional mag-stripe cards for decades: these cards are easily copied (skimmed) and are easy to counterfeit. There is little doubt that EMV cards and card readers will curb counterfeit card fraud at the physical point of sale, but fraud flows with the force of water, and when one hole is plugged new leaks pop up or existing ones grow larger.
As we approach the EMV liability shift date, and after it passes, the number of EMV cards issued and merchants using EMV-compliant payment terminals in the U.S. will continue to grow. There are many considerations and preparations organizations should be thinking about in anticipation of this, and below are a few trends that are expected to prevail in the payments and risk industries as EMV grows.
Fraudsters migrate (even) more to the online channel for using stolen cards.
One benefit of being the last major card-based payment market to adopt EMV is learning from the events that impacted others and knowing what to expect. History has a tendency to repeat itself, and history tells us that as EMV successfully beats counterfeit card fraud in-store, fraudsters will shift more of their efforts to the card-not-present channel, where EMV does not provide protection. This trend was seen after the United Kingdom, France and several other countries and regions adopted EMV. There is little reason to think it will be any different for the United States.
Hackers shift focus from merchants to banks.
As previously discussed, merchants have been bearing the brunt of the breaches. Today both banks and many merchants in the U.S. are holding on to the card details hackers want, but merchants are typically attacked more because they are easier targets. This isn’t to say breaches against banks don’t happen; JPMorgan Chase fell victim in 2014. But banks should be increasing security and preparing for an increase in intrusion attempts, as merchants will soon have less card data worth hacking.
Fraudsters use different methods of attack if cards are less available, such as Account Takeover.
Imagine a post-EMV world where the supply of stolen payment cards is reduced and they are no longer as cheap and highly available on the black market. The post-EMV future is not a Utopian future; the fraud doesn’t just stop. Even if advancements in security can reduce the availability of compromised payment card credentials, fraudsters will continue to find new methods of attack and monetization. Data breaches don’t only compromise payment cards; they also target emails, usernames, passwords and all types of personally identifiable information. Account Takeover has grown substantially in the past few years and shows no signs of slowing down. Account Takeover was a growing problem on its own, and the addition of EMV may exacerbate it further.
In short, fraudsters are taking over consumer accounts to steal more information about that consumer, gain access to products or services, and make purchases or withdraw money using the payment information associated with the consumer’s account. This is already happening today, and is likely to happen even more in the future if it becomes more difficult to obtain or monetize the 16-digit credit card number (or PAN – primary account number). Data breaches compromising payment card credentials will be more difficult against banks than they have been against merchants. This is not to say it won’t happen, but it is likely it will not happen as frequently. As a result, more breaches will obtain PII and login credentials, which will be sold on the black market and used for account takeover.