Card fraud in the US: How EMV technology will change everything

In recent months, the US has been at the root of the global EMV discussion (the name EMV comes from Europay, MasterCard and Visa). With adoption of the new standard slow-going, the US is one of the last major economies to make the transition. As a result, it has found itself on the receiving end of fraud migrating from mature EMV markets, exposing itself as a point of weakness for fraudsters.

In 2012, 20 US states reported an increase in ATM fraud via skimmed cards according to analytics vendor Fico. Meanwhile, EMV in the UK has seen overall card fraud decrease from $275 million in 2009 to just $68 million in 2012, according to Financial Fraud Action UK. Despite this, the UK is still plagued by skimmers, with attempts to steal card holder data from ATMs almost tripling, from 2,553 to 7,525 incidents over the past year. Fraudsters can use data from the mag-stripe, which remains on Chip-enabled cards, to then clone cards and use them where mag-stripe payments are still accepted. Therefore, as long as regions such the US continue to accept mag-stripe cards to withdraw cash, there will remain a global issue of fraud migration.

The many challenges on the route to compliance are reflected in the staggered adoption rates across different markets and industry experts have begun to question the cost benefits of such a complex implementation. There is also the fundamental issue of global social responsibility and cracking down on the larger issues of criminal activity and organized crime, which the payments industry is in a prime position to address. By doing this, it can deliver the EMV benefits to merchants and banks, as well as protect cardholders.

Authentication, risk management, transaction integrity and cardholder verification are the four features that define the EMV standard, specified by EMVCo, the organization that manages the EMV standards and associated compliance processes. These are designed to protect merchants, acquirers and cardholders from fraudulent transactions.

Yet a question remains -- why has it taken so long for the world’s largest industrialized country to adopt EMV? The cost and sheer scale of implementation, especially for a country as vast as the US, is a primary restraint. Both hardware and software are affected, including every device, application and payment system. Some of this may need modifying or replacing completely, while banks must reissue the payment cards.

Rigorous testing and certification of terminals to become EMV ready, as enforced by EMVCo, is a further hurdle. All of this is a time consuming and expensive process that organizations must be prepared for as certain testing stages such as the MasterCard M-TIP (MasterCard Terminal Integration Process) can be particularly laborious. It can take up to sixteen weeks to complete in an EMV mature market, potentially causing a certification bottleneck.

Ultimately, EMV will only truly benefit the industry as whole if all regions embrace the standard and work collaboratively to stamp out fraud. The U.S. is making steady progress and is well-positioned to take advantage of being able to deploy tried and tested approaches to EMV migration. This unified approach across a global payments chain will ensure that everyone gets the full benefit and protection EMV was designed to provide.

Image Credit: nobeastsofierce/ Shutterstock

Jeremy Gumbley became CTO and technical director at CreditCall in 2001, having spearheaded the company’s technical development since 1999. He is a veteran of the payments industry, having driven product and technology development roadmaps to accommodate EMV migration programs in the UK, Europe, Africa and the Middle East as well as the US and Canada. As CTO, he is responsible for the design, development and implementation of the company’s market leading card payment solutions and portfolio of EMV Level 2 Kernels. Under his technical leadership, the company has licensed and deployed over one million Kernels in the last decade. In addition, Jeremy oversees the maintenance of the company’s PCI DSS Level 1 compliance.