The Burst of the EMV Bubble

Written by

So, here we are, living in the “future”. Many of us now finally have chip cards; the G20 nations are all in the post “liability-shift” world; we’re all expecting to be living in the new paradigm.

But it is fairly clear that not all is right in the world. There are still breaches, skimming and fraud, and in fact, they are just as bad as they have ever been. Seemingly nothing has changed and depending on whom you listen to, it’s worse. To some degree, and depending on your perspective, this is pretty much the truth.

With that, here are three reasons why the new playing field isn’t any better than the old one:

If you’re a merchant, now the pain is in your world: Merchants woke up on October 1st and now everything is pushed off on them. Worse, the hacking didn’t slow, so now the merchants are targeted on one side by hackers and moreover, the fraud losses fall on them as well. Seems that this EMV thing has been the wrong move.

You have to pay for the new technology and terminals, and you’re at even greater risk than you were before. If you’re a brick and mortar merchant, you still hear that POS systems are increasingly hacked, especially at restaurants and hotels. If you’re an eCommerce merchant, you’re hearing that fraud has migrated to your channel, and there is no fix yet. Both of these scenarios may appear to be materializing and perhaps as an indirect result, around a third of POS machines have been updated to EMV. It appears that there is no real incentive, as this is a lose-lose scenario. 

If you’re a US card issuer, you’re working as hard as ever and volumes are spiking: ATM fraud is worse than ever, fuel pumps are getting skimmed like it’s going out of style, because it very well might be. New fraud types are popping up in volumes that keep teams fighting fires. It appears that while we scale our businesses, the fraudsters are scaling theirs just as fast, if not faster, and that it’s accelerating faster on their side. Compound that with the fact that the merchant EMV acceptance rate is fairly low, and it may appear to be that we’re stuck in neutral. All the re-issues of the mag stripes in the world won’t change that.               

If you’re a consumer or other industry watcher, you don’t know what’s happening or what might be the truth. You might be hearing that fraud is shifting, you might be hearing that there is more insecurity in the payments ecosystem, you might be perceiving that there is more friction or you are actually getting more alerts and/or unauthorized transactions passing by your radar. Either way, it appears that there is little good coming out of this and that we’re more or less under-realizing much in the way of any benefit of this conversion. Fraud has not slowed and all stakeholders are unhappy.

The end result is that from wherever you sit, you may hear, see and perceive that there is more fraud. That all these new technologies haven’t solved the problem. That EMV is not going to improve anything or it’s just redistributing the problem. There is also a darker, more sinister fact at play here: that the hackers, fraudsters and foot soldiers on the dark side of this battle have grown in numbers as we’ve slowly moved to increase our dependency on electronic payments.

I’m sorry to burst the bubble, but this is all true. There is a ton of fraud right now, it’s still growing, and the criminal entities who have created, scaled and maintain these dark economies are presently undeterred.

Here’s why all of that is shortsighted

There is glimmer of hope and that glimmer is not that far in the distance: we’re just in the infancy of the adoption of new technologies that will significantly reduce the impact. EMV has worked in the countries where it has been implemented, it has dramatically reduced counterfeit card fraud. To really put this in perspective, in the USA, we’re only seeing about a quarter to a third of all POS transactions going through the EMV mode right now. So, we have a ways to go before the benefits really take hold.

With every new technology, in payments or in any consumer goods, there are typically teething problems, and this is a very complex, global problem where no simple answers exist. The investments in security we are making today can and do pay dividends. It is right now that we are in the transition period, and if investments in security have not been made, it is now time to make them, or find oneself in the position of being left behind when the hacker, fraudster or ne'er-do-well sets their site on your organization.

What’s hot on Infosecurity Magazine?