EMV, fraud mitigation or migration?

As a consumer, I have found the implementation of the EMV chip to be a complete nuisance. Depending on where I’m shopping, I might still have to swipe my card. 

Still, it’s annoying. First the machine demands that I not remove my card. I patiently wait and wait and wait for what seems longer than it took to write out a check circa 2000. Then suddenly, the machine demands that I remove my card–immediately, lest it incessantly beep at me.

I know I’m not alone because a recent report by The Strawhecker Group found that only 29 percent of U.S. merchants can actually accept chip cards, the report said, with terminal certification delays the main culprit.

But, this blog post isn’t really about me. Nor is it about consumers (though it is indirectly). EMV is about retailers, and the anniversary of the roll out that was intended to prevent onsite fraud. Point of sale (POS) fraud has indeed diminished, according to Dave Britton, vice president, fraud & identity industry solutions at Experian.

[ ALSO ON CSO: Here’s how businesses can prevent point-of-sale attacks ]

While many studies have found that the implementation has decreased in-store counterfeit fraud, Britton said, “The truth is, it didn’t get rid of the fraud it just migrated it. Since the liability shift, we have seen an increase in other areas of fraud including online and account opening fraud.”

Dave Britton, vice president, fraud & identity industry solutions at Experian

Wells Fargo is the prime example of the kind of fraud that cannot be prevented by EMV, and innovators have yet to develop a solution for human greed. As a result, “Legitimate consumer data is being used more than ever to open false accounts without consumers knowing and businesses are struggling to identify which accounts are fake,” Britton said.

Retailers need to take additional steps to protect their consumers’ data in several different ways. Understanding where the risk has moved to is an important first step.

“The problem,” Britton said, “is that you put pressure on any system in some particular point, and that fraud is going to move elsewhere in the system. We’ve seen an uptick in channels outside EMV, in the e-commerce space itself.”

While customers at a retail store front have to present a card for a transaction to get EMV approval, using those same cards in the online channel is easier for criminals because there is no chip to read.

In a world where even employees of a massive banking enterprise are willing to risk the monetary reward of opening accounts under false pretenses, how can defenders protect customer data?

One solution, said Britton, “Bring together the data from multiple risk systems. Instead of specific risk detection within a particular channel, pull all of the data into a holistic common platform that gives a comprehensive view of the consumer and transaction activity across the organization.”

The problem, though, is maintaining customer satisfaction and loyalty while also implementing the right solutions that allow for risk mitigation. “Risk mitigation that slows the process can result in the customer going elsewhere,” said Britton.

To a certain extent, the retail sector should have been prepared for this shifting of risk. The migration of fraud from POS to card-not-present doesn’t come as a great shock, said Smrithi Konanur. global product management, HPE Data Security.

“That card-not-present fraud in the U.S is surging is no surprise. Earlier EMV adoption in other regions such as Europe and Canada have experienced the same shift to fraudulent card-not-present transactions.” 

When criminals are able to access card holder data, they can easily do online transactions with minimal risk. “In order to mitigate card-not-present fraud, businesses should implement security strategies that include additional authentication like 3D-secure, end-to-end encryption, and tokenization,” Konanur said.

Lots of other technologies can help to plug the leaks in the retailer data flow. “Data-centric technologies like format-preserving encryption provides the security solutions for businesses which are effective, optimal, scalable, and flexible to keep card holder data safe from hackers in case of a breach or attempted theft of data,” Konanur said.

Not to make light of a very sensitive security concern, but the image of data leaks continuing to pop up is reminiscent of what could have been an episode of “I Love Lucy.” There’s a leak spewing water through one hole, then when it’s plugged, another busts open. In the comedy sitcoms of old, it’s hysterically funny, but in security it can be discouraging and costly.