It was just a few short years ago that there was a nationwide push to replace old magnetic stripe credit cards with new ones embedded with chip technology to combat fraud. Gone would be the days of fraudsters who could easily skim your card information, and the credit card security revolution could finally be ready to begin — or so we thought.
A 2018 report by the National Retail Federation (NRF) showed that card fraud is still the number one concern among merchants, years after the technology was implemented.
EMV, which stands for Europay, Mastercard and Visa, is a more secure way to transfer and store credit card information. Basically, each time your EMV-enabled card is processed at a retailer’s point-of-sale terminal, a one-time code, or token, is created, making it more difficult for the information to be stolen. If hackers took the expired token information and attempted to make another purchase, it wouldn’t process. Chip cards also help to prevent counterfeiting.
Gemini Advisory, an intelligence group, reported in 2018 that 60 million U.S. payment cards had been compromised over the previous 12 months. What’s more, 90 percent of card-present fraud during that time involved EMV-enabled cards. You may have even experienced credit card fraud yourself, either on an individual scale or in a major data breach like the recent Marriott incident.
So why is payment card fraud still so prevalent? The reason: crooks have moved their illegal activities online.
Before the transition to EMV
In the time leading up to the shift to chip cards in 2015, counterfeit fraud in the U.S. was surging.
Countries across the globe had successfully implemented EMV technology over the prior decade and saw their fraud levels continue to drop while counterfeit fraud in the U.S. soared.
“[Card thieves] started realizing, well, the U.S. seems to be an open market,” says Stas Alforov, director of research and development at Gemini Advisory. “They haven’t made their full transition [to EMV] so we know how to work the system, we know how to steal these striped cards. We can take our business there.”
The Nilson Report found that by 2014, nearly half (48.2 percent) of all credit card fraud in the world came from the U.S., despite contributing just 21.4 percent of card sales volume worldwide.
Why merchants are adopting EMV so slowly
Since 2015, credit card companies have issued chip cards to their customers nationwide and they have proven to be effective in preventing counterfeit, or card-present, fraud.
According to data from Visa, where merchants upgraded their payments system to EMV, there was an 80 percent drop in “counterfeit payment fraud” between September 2015 and September 2018.
The problem for consumers, though, is that not every merchant has made the switch. The same Visa study showed just 68 percent of U.S. storefronts accepted chip cards at the end of 2018.
And that’s where the danger of card-present fraud lies, and why other countries continue to have lower instances of fraud than the U.S., according to Alforov.
A variety of factors may contribute to these merchants’ decisions not to switch to EMV. The process is lengthy, complicated and expensive, and even though they may be held liable for chargebacks for fraudulent transactions, some merchants would rather take their chances.
Another factor holding back mass adoption, according to the NRF report, is the way EMV in the U.S. does nothing to stop card-present fraud resulting from lost or stolen cards.
“The chip in an EMV card makes it very difficult to counterfeit the card, but it does nothing to show whether the person trying to use the card is the legitimate cardholder,” NRF senior vice president and general counsel Stephanie Martz said in the report. “If we want to stop card fraud, we need a better way of authenticating users and it should be one that’s affordable, easy and safe.”
Protect yourself from card-present fraud
Merchant buy-in is a big piece of fraud prevention, but there are still ways you can protect yourself from credit card fraud.
Though each of the four major card issuers (Visa, Mastercard, American Express and Discover) have zero-liability policies that protect consumers from many cases of fraud, you can still take steps to minimize your odds of being a victim of card fraud.
First off, if you’re checking out at a store that offers EMV chip insertion, it’s best to always choose that option.
“If a merchant is using chip cards and if it’s turned on, it really can secure their data when they’re shopping in a brick-and-mortar establishment,” says Amy Zirkle, who on February 21 was named interim CEO at the Electronic Transactions Association. “It really is there to protect the consumers, so consumers need to recognize that.”
When the merchant has not enabled EMV technology, it can get a bit more complicated, however.
If you’re making a purchase in a brick-and-mortar store or gas station where EMV isn’t enabled or you’re unsure, always use your credit card over your debit card.
“Reconsider your debit card use, because that money comes instantly out of your bank,” says Kelvin Coleman, executive director of the National Cyber Security Alliance. “Whereas, if you’re compromised on the credit-card side, you can work with the credit card companies to make sure that it is not reflected in your final statement.”
For the wary buyer, cash can often be a safer way to pay. Increasingly, merchants are enabling mobile-payment technology, which uses the same tokenization as EMV and is also a great alternative.
Countering online card-not-present fraud
The other issue involving EMV security for which there isn’t a quick fix is card-not-present fraud through online purchases.
Around the time that EMV chip cards became widespread throughout the U.S., so, too, did online shopping. As of 2018, nearly 10 percent of all retail sales in the U.S. were e-commerce sales.
Gemini Advisory also reported in 2018 that the amount of cards stolen through e-commerce fraud increased by 14 percent in just one year. In 2017, Experian found that e-commerce fraud grew at nearly double the rate of e-commerce sales (30 percent versus 16 percent).
“That’s the challenge: figuring out what can be done to effectively and aggressively tackle card-not-present fraud,” Zirkle says.
Most often, e-commerce sales are made by entering card information directly, meaning your EMV chip and its tokenization protections are rendered useless.
“Everyone is shopping online,” Alforov says. “That’s where the money is being moved, so that’s where the fraud is moving too. We implement something new and (fraudsters) just change to a new tactic, because their job is to steal credit cards. That’s their main goal and they’re going to find a way to do it.”
To better protect yourself, you need to understand how the fraudsters out to get your information think and operate, Coleman says.
“These adversaries, they’re not personal,” he says. “It’s business for them. They’re the most business-like entity I’ve known. They’re looking for password as ‘password.’ They’re looking for ‘1234.’ Some people still have those simple numbers as their password.”
Use strong, diverse, alphanumeric passwords and complicated usernames for your online accounts. Only give your credit card information over to sites you trust that securely use the encrypted HTTPS web protocol. Always keep your laptop or desktop updated with the latest security settings as well.
Again, remember to use your credit card for online transactions rather than a debit card connected to your bank account. Set up alerts with your bank or issuer so you’ll know immediately if anything appears to be compromised.
The future of fighting payment fraudsters
Technology and security are always evolving and sooner rather than later, Coleman says, the good guys will outpace the bad guys.
The evolution will come in the form of biometrics, mobile and contactless payments.
Zirkle says mobile payments “really are far more secure than any other way to pay, despite the fact that a lot of consumers think the opposite.” She and Alforov both recommend using mobile payment technology (such as Apple Pay or Google Pay) wherever it’s offered.
As more merchants — both brick-and-mortar and e-commerce — implement tokenization payment processes, whether through EMV, mobile payments or a future innovation, it should only get more difficult for fraudsters to succeed.
Still, you should stay diligent in your own security practices.
“We look at product, we look at process and we look at people,” Coleman says, referring to fraud management. “We have a great product in EMV, (and) you can have a great process in terms of (doing) credit monitoring and things of that nature, but then we still do things that are not in our best interest…There’s still that human element of the three that continues to be the weakest point.”