EMV – fighting fraud on a global scale

Jeremy Gumbley, CTO, CreditCall

Fraud reduction is one of the primary drivers of the global migration to the EMV standard for credit and debit cards. Crucially, countries that have already made the transition from the old mag-stripe standard to EMV Chip-enabled cards have seen fraud levels reduce dramatically. However, the global nature of the payment chain calls for a global and joined up solution. That means that as long as there are regions that have not fully adopted the standard, such as the US, the ultimate goal of stamping out payment fraud altogether will remain out of reach.

Jeremy-GumbleyAs one of the last major economies to move to EMV, the US has suffered as a result of fraud migrating from EMV-mature markets. Fraudsters are skilled at finding and exploiting security loopholes, and the US market’s continued acceptance of the mag-stripe card to withdraw cash has provided criminals with the opportunity to use cloned cards from other markets. In April 2013, a report from the European ATM Security Team revealed that five European countries had seen an increase in the number of “skimmers” attached to ATMs and other terminals. To skim a card, fraudsters capture data from the mag-stripe on users’ cards, and obtain PIN numbers from miniature CCTV cameras. According to Financial Fraud Action UK, attempts to steal bank cards and PIN numbers at ATMs have tripled over the past year. The cloned cards will then only work in non-EMV countries, which perhaps is why last year saw a reported rise in ATM fraud through skimmed cards across 20 US states according to http://ficousfraudmap.com

Although the EMV spotlight is currently on the US, it is important to note the many successes so far as the industry fights to co-ordinate a synchronised approach. EMVCo, the organisation that manages the EMV standards and associated compliance processes, published its first version of the EMV specifications in 1996. The organisation estimates that there were 1.62 billion EMV-compliant payment cards in use worldwide as of Q4 2012, though adoption rates remain staggered across geographies. Europe has led the way – in parts of the region, 81% of cards and 95% of terminals were Chip-enabled as of Q4 2012. Canada, Latin America and the Caribbean have also made strong progress, with 49% of cards and 79% of terminals meeting the standard. Other regions, such as Africa, the Middle East and APAC have begun the transition, though are still in the early stages.

The varying migration rates are indicative of the many challenges faced along the route to compliance. In particular, there are a number of technological hurdles that organisations must clear. The move affects both hardware and software, including every card payment system, device and application, across a complex worldwide ecosystem. Organisations must modify or replace every terminal and banks need to reissue credit and debit cards.

Merchants are likely to bear the burden of some fraud losses if they continue to take mag-stripe payments, so they are turning to their device manufacturers and integrators to provide the right EMV-compliant technology. To meet this demand, manufacturers and integrators must get to grips with the specific requirements of the EMV standard and navigate the path to a certified EMV solution. This is an intricate process that requires the integration of card readers with EMV Level 1 and 2 Kernels, as well as PA-DSS and PCI DSS compliance.

Another major hurdle is the need for rigorous testing and certification of terminals for them to become EMV-ready. This testing is enforced by EMVCo to ensure a common standard and therefore global interoperability between all the EMV cards and terminals.

This process can be broken down into two separate stages. The first of these is EMV Level 1 and Level 2 testing. Manufacturers must build and test their own devices with the EMV card reader and applications. The second of these stages is that of end-to-end testing. This is a long process that can take up to 16 weeks in an EMV mature market, and covers the integration of the messages from the terminal to the payment gateway and through to the payment acquirer. Both these stages are time consuming and expensive. With resources in short supply, not only amongst manufacturers but within the wider payments sector, a certification bottleneck is a real possibility.

The sheer scale, and therefore cost, of EMV migration might explain the staggered adoption rates between regions. The move to EMV affects the entire payment industry, making it a particularly difficult shift for larger countries such as the US, which must wrestle with a complex payment value chain that spans several time zones.

Industry experts have recently called the benefits of this enormous implementation cost into question. However, to assess the benefit of EMV migration based solely on potential financial losses through counterfeit fraud is to ignore other important market dynamics. In February 2013, federal agents cracked down on a card fraud ring that reportedly amassed at least $200 million using 7,000 fake identities. One concern is that these types of activities fund organised crime and, according to some reports, terrorist activities. In this light, fraud prevention can be considered a matter of global social responsibility.

As EMV becomes a global reality, merchants, integrators, VARs and processors are seeking to navigate a technology shift which is fundamentally changing the shape of the payments landscape. EMV migration may appear a heavy technological burden at the outset. However, the benefits of adoption mean that it will be very costly to those who are left behind.