Change to chip-and-pin cards may reduce in-store fraud, but increase problems online, say experts

Next year’s scheduled changeover to chip-and-pin debit and credit cards is expected to reduce in-store fraud, while significantly increasing fraudulent purchases online, experts say.

Recent high-profile break-ins of electronic cash registers at retailers Target and Neiman Marcus have added urgency to Visa and MasterCard’s plan to dump the swipe-and-sign cards used today by U.S. consumers. In their place will be so-called EMV cards that store security data in an embedded chip.

Carolyn Balfany, head of MasterCard’s U.S. product delivery group, told The Wall Street Journal that a key deadline, called the “liability shift,” would occur in October 2015. That’s when retailers and banks still supporting the kind of debit and credit cards used today will be liable for losses resulting from fraudulent use of the cards.

“Whenever card fraud happens, we need to determine who is liable for the costs,” Balfany said. “When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability.”

EMV cards, which have been used for years in Europe, require people to input a PIN to complete a transaction with a retailer.

Payment cards in use today in the U.S. have a magnetic stripe for storing data, a decades-old technology that hackers can easily mimic when using stolen credit-card numbers to make counterfeit cards.

While in-store fraud with bogus cards is expected to decline, the reverse is predicted for online retailers, which won’t experience any significant improvement in security with the switch to EMV cards, experts say.

Instead of using stolen credit-card numbers at stores, criminals will intensify such activity online.

“Fraud is much like natural phenomenon, whether that be the flow of water or electricity, in that it moves to the path of least resistance,” Al Pascual, analyst for Javelin Strategy & Research, which focuses on the financial industry, said.

While websites could require the PIN before completing a transaction, hackers could just as easily steal that data along with the card number.

“It’s uncertain to see how moving to EMV can really secure anything online at this point,” said David Kennedy, founder and security consultant of TrustedSec.

In time, the credit-card industry could develop ways to leverage the technology in EMV cards to bolster online security. For example, a near-field communication (NFC) reader, either built into a PC or sold as a USB accessory, could be used to authenticate the EMV card to complete an online transaction. The chip embedded in the card could also be used in making purchases through a mobile phone, many of which support NFC.

“EMV cards do not currently offer much in the way of protection from CNP (card-not-present) fraud,” Pascual said. “(But) there is talk of leveraging the NFC capabilities of mobile devices and contactless EMV cards to authenticate e-commerce and m-commerce transactions.”

Pascual predicts some form of NFC authentication will become popular between 2015 and 2016.

The use of EMV cards is supported by the Payment Card Industry (PCI) Security Standards Council, which sets the rules retailers follow in accepting payment cards. The council has said that use of EMV cards will not change current security standards.