Do chip-enabled credit cards really reduce your risk of card-present fraud?
For many years the message to merchants from the payments industry has been clear: upgrading point-of-sale terminals to accept chip-enabled credit cards would substantially reduce the risk of card-present fraud. Yet concerns over the cost of hardware, retraining staff, and a rocky roll-out led many merchants to resist the change.
A growing body of evidence shows that when it comes to card-present fraud, chip-enabled cards have largely delivered on their security promises. Merchants who have upgraded often see dramatic reductions in counterfeit card-present fraud. For merchants still on the sidelines who have yet to upgrade their POS terminals, it’s time to take a fresh look at the issue.
A (very) brief history of credit card security technology
The technology behind credit cards has long been a double-edged sword, with payment industry leaders always striving to find balance between security on the one hand, and ease-of-use on the other.
In the 1960s, manual imprinting of embossed plastic cards represented the state-of-the-art. But the paper trail of paper carbon copies left behind a gaping hole for criminals to exploit. The 1970s saw the introduction of magnetic stripe technology. Magnetic stripes shielded critical data from the naked eye. Unfortunately, criminals developed “skimmers” and used other means of credit card fraud to penetrate sensitive card data, sometimes on a massive scale.
Each of these legacy technologies suffered from the same core problem: static data. Once criminals got a hold of your personal data, fraud was sure to follow.
EMV, the 2015 U.S. liability shift, and your business
Beginning in the early 1990s, credit card industry leaders Europay, MasterCard, and Visa—hence EMV—developed a system to overcome the static data problem. When dipped into an EMV-enabled POS terminal, the microprocessor chip embedded in an EMV card generates a dynamic and unique one-time code to exchange just enough data to satisfy the needs of the transaction. EMV uses two forms of cryptography: digital signatures ensure that data is authentic, while encryption ensures data is kept confidential.
From a layman’s perspective, the important thing to remember is that the process tackles the core limitation in magnetic stripe technology: the transmission of static data. By shielding critical customer data from the prying eyes of criminals, EMV technology plugged the biggest hole in the system used by criminals at the time.
October 1, 2015 marked a key turning point in the battle against counterfeit fraud in the U.S. Before that date (demarking a liability shift), responsibility for fraudulent in-store credit card purchases fell to the financial institution. After that date, liability for the costs of fraud fell to the party who was least EMV-compliant. As the vast majority of financial institutions had issued chip-enabled cards to their customers, in practice this meant that any merchant that did not upgrade became liable for any fraud on transactions processed via magnetic stripe.
Merchant objections to the EMV upgrade
Despite the shift in liability to merchants for card-present counterfeit fraud conducted through legacy POS terminals, many small and medium-sized merchants have stuck with their existing magnetic stripe POS terminals.
Objections voiced by merchants at the time of the 2015 liability shift were perfectly understandable. Among the most prominent roadblocks included concerns over the cost of terminals, implementation logistics, and consumer resistance to the new “dipping” procedures. Let’s look at each in light of the experience of the EMV transition.
Concerns about POS terminal cost. No business owner wakes up in the morning excited to spend money on new POS systems. When viewed as essential business infrastructure in the battle against counterfeiters, however, the cost of new equipment pales in comparison to the liability for even a few cases of fraud. The price of brand-name EMV terminals continues to drop, in many cases to less than $100. With the median cost of each instance of counterfeit credit card fraud currently over $450, the investment in EMV-compliant POS terminals is likely to generate a positive return-on-investment for many merchants.
Concerns about training and implementation. As a business owner, you work hard and continually invest in proper training for your employees, especially at the point of sale. In 2015, many business owners wanted to see more proof before having to retrain staff to operate a system that might be transitional, anyway. The objection is far less compelling now, as EMV technology clearly here to stay.
Concerns about customer acceptance. The success of chip-enabled credit was always going to hinge on consumer acceptance of the technology. Frustrating implementation kinks made widespread consumer acceptance far from assured. Most consumers have surely experienced a moment of frustration with chip-enabled POS systems: being asked to swipe when you dipped or experiencing some sort of system error. But now, several years down the road, dipping cards into EMV terminals isn’t a new or exotic consumer behavior. For many, “dipping” is now as normal as breathing. It was weird… until it wasn’t.
EMV acceptance proof points
Merchants that took a wait-and-see approach on converting to chip-enabled credit card acceptance in 2015 were far from being unreasonable—they were exercising reasonable and prudent caution. Any such hesitation on the part of merchants to upgrade in 2018 is, however, less defensible. The proof points continue to tell a story suggesting that accepting chip-enabled credit and debit cards is not just the optimized choice, but the only real choice.
A recent study by Visa showed that merchants who upgraded their point-of-sale infrastructure to accept chip-enabled credit cards witnessed an astonishing 66% reduction in the cost of card-present counterfeit fraud from June 2015 to June 2017. The study also reported that a majority (2.5 million or 55%) of U.S. storefronts now accept chip-enabled cards.
Acknowledging the desire for less friction at the point of sale by merchants and consumers alike, American Express recently announced that they’ll be waiving the signature requirement for card-present transactions beginning in April 2018. The move reflects increasing confidence in the EMV chip standard.
EMVCo, the managing entity for the EMV standard, reports that the number cards in global circulation increased by 1.3 billion in 2016 to a total of 6.1 billion, with the adoption rate in the U.S. being EMV chip card adoption rate: 75.7%
Accepting chip-enabled cards: better late than never
Credit card fraud remains a major problem that costs merchants, consumers, and financial institutions billions of dollars every year. Cracks in the system are inevitable in our increasingly interconnected digital world that has a persistent need to balance financial data security with ease and fluidity in conducting business. Card-not-present fraud continues to witness a dramatic rise, as criminal fraudsters have followed the money and moved online, away from the prying eyes of merchants, and the increasingly stringent security measures of EMV checkouts.
Yet the tremendous success in combating card-present fraud should not be underestimated. Indeed, the rise of card-not-present fraud reflects the changing fraud landscape, a landscape that has been reshaped by the success of EMV chip-card systems. Far from a condemnation, this shift demonstrates that EMV simply works.
What the experience of EMV does tell us is that collective action on the part of consumers, merchants, financial institutions, and card issuers can win hard-fought battles in the ongoing war against credit card fraud. If you are a merchant looking to safeguard your assets and add to your bottom line, upgrading your POS system to accept chip-enabled credit cards is simply smart business.