



EMV, fraud mitigation or migration?

Nov 04, 2016

What are the metrics used to evaluate the success of EMV implementation?

As a consumer, I have found the implementation of the EMV chip to be a complete nuisance. Depending on where I’m shopping, I might still have to swipe my card. 

Still, it’s annoying. First the machine demands that I not remove my card. I patiently wait and wait and wait for what seems longer than it took to write out a check circa 2000. Then suddenly, the machine demands that I remove my card–immediately, lest it incessantly beep at me.

I know I’m not alone: a recent report by The Strawhecker Group found that only 29 percent of U.S. merchants can actually accept chip cards, with terminal certification delays the main culprit.

But this blog post isn’t really about me. Nor is it about consumers (though it is indirectly). EMV is about retailers, and about the anniversary of the rollout that was intended to prevent onsite fraud. Point of sale (POS) fraud has indeed diminished, according to Dave Britton, vice president, fraud & identity industry solutions at Experian.


While many studies have found that the implementation has decreased in-store counterfeit fraud, Britton said, “The truth is, it didn’t get rid of the fraud, it just migrated it. Since the liability shift, we have seen an increase in other areas of fraud including online and account opening fraud.”


Wells Fargo is the prime example of the kind of fraud that cannot be prevented by EMV, and innovators have yet to develop a solution for human greed. As a result, “Legitimate consumer data is being used more than ever to open false accounts without consumers knowing and businesses are struggling to identify which accounts are fake,” Britton said.

Retailers need to take additional steps to protect their consumers’ data in several different ways. Understanding where the risk has moved to is an important first step.

“The problem,” Britton said, “is that you put pressure on any system in some particular point, and that fraud is going to move elsewhere in the system. We’ve seen an uptick in channels outside EMV, in the e-commerce space itself.”

While customers at a retail storefront have to present a card for a transaction to get EMV approval, using those same cards in the online channel is easier for criminals because there is no chip to read.

In a world where even employees of a massive banking enterprise are willing to open accounts under false pretenses for a monetary reward, how can defenders protect customer data?

One solution, said Britton: “Bring together the data from multiple risk systems. Instead of specific risk detection within a particular channel, pull all of the data into a holistic common platform that gives a comprehensive view of the consumer and transaction activity across the organization.”

The problem, though, is maintaining customer satisfaction and loyalty while also implementing the right solutions that allow for risk mitigation. “Risk mitigation that slows the process can result in the customer going elsewhere,” said Britton.

To a certain extent, the retail sector should have been prepared for this shifting of risk. The migration of fraud from POS to card-not-present doesn’t come as a great shock, said Smrithi Konanur, global product management, HPE Data Security.

“That card-not-present fraud in the U.S. is surging is no surprise. Earlier EMV adoption in other regions such as Europe and Canada have experienced the same shift to fraudulent card-not-present transactions.”

When criminals are able to access cardholder data, they can easily conduct online transactions with minimal risk. “In order to mitigate card-not-present fraud, businesses should implement security strategies that include additional authentication like 3-D Secure, end-to-end encryption, and tokenization,” Konanur said.

Many other technologies can help to plug the leaks in the retailer data flow. “Data-centric technologies like format-preserving encryption provide the security solutions for businesses which are effective, optimal, scalable, and flexible to keep cardholder data safe from hackers in case of a breach or attempted theft of data,” Konanur said.

Not to make light of a very sensitive security concern, but the image of data leaks continuing to pop up is reminiscent of what could have been an episode of “I Love Lucy.” There’s a leak spewing water through one hole, then when it’s plugged, another busts open. In the comedy sitcoms of old, it’s hysterically funny, but in security it can be discouraging and costly. 


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years' experience as a high school teacher of English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
