When you hear about another credit card breach (this time it was Arby’s), you might become a little frustrated. For two years we’ve heard so much about the benefits of EMV in reducing fraud, so why are these breaches are still happening?
The Payments Review summarized it well in a recent article discussing the Arby’s breach. What Arby’s teaches us is that even after EMV, a merchant’s own networks are vulnerable to hacking. This was the case with Target and many others in 2013-2014. If a hacker can penetrate a merchant’s payment systems, they can steal card data residing on company servers.
Remind me: How does EMV reduce fraud?
If that’s the case, why was the Target breach such a catalyst for EMV migration? That’s because EMV greatly reduce the value of stolen credit card data and renders it useless at chip-enabled terminals.
During payment at the Point-of-Sale (POS), the chip card creates a cryptographic code unique to this transaction, which proves that the card is genuine. EMV cards use a smart microprocessor chip that secures the cardholder’s credentials and performs cryptographic computation to protect its communication with the terminal and the processing network. Since the chips are virtually impossible to tamper with or clone, EMV cards are infinitely less vulnerable to counterfeit fraud than magnetic stripe cards.
Even if a fraudster got hold of stolen card data – for example by hacking a merchant server – and used the stolen data to create a counterfeit card, they could not steal the keys required to create a valid transaction code. Hence, any transaction attempted on a chip-enabled reader would fail.
Because EMV is so successful in reducing in-store fraud, it’s already a worthwhile investment. According to Visa, accounting for 2 million merchants that accept EMV cards, counterfeit fraud losses decreased 58 percent in December 2016 compared to December 2015.
Nonetheless, merchants need to make sure their networks are secured and fortified against hacking attempts.
Fraud shifts online to compensate
After EMV migration, fraud naturally shifts online. In Canada, card-not-present fraud increased by over 300% in the years following EMV. In fact, card-not-present fraud accounts for 70% of card fraud in EMV countries.
Fraudsters try to make purchases on eCommerce websites that require minimal card and cardholder information. That includes sites that don’t require the security code (CVV or CVC) – a piece of information the hacker could not obtain in a hack, because it’s not stored on the merchant databases.
For this purpose, it’s strongly advised that merchant websites use secure checkout options and require card security codes to complete payment.
Advice for community FIs that haven’t yet made the shift to EMV
Fraudsters are seeking the most vulnerable cards to exploit. As a community FI, if you still haven’t re-issued your debit cards as EMV, it would be wise to do so. With fraudsters running out of options, your risk of being targeted increases. Mag stripe cards can be easily counterfeited and used within hours to make big purchases.