
EMV – How Can This Impact My eCommerce Business?

August 24, 2015

by: Featured Author,
Harold Paulson, Director of Fraud Risk Management

Originally published on eBay Enterprise. Harold Paulson is the Director of Fraud Risk Management North America for eBay Enterprise.

What is EMV?

EMV stands for Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions. "Chip cards" are credit or debit cards that have a chip embedded in them that enables the use of the EMV protocol. [1]

Card issuers are replacing their existing cards with chip cards because of changes happening in the payment networks in Oct 2015. If you check your wallet, chances are you already have at least one chip card in it.

To Better Understand All of This – Some Background Is Needed

For a very long time (since the 1970s!) credit cards have been issued with a magnetic stripe on the back. This magnetic stripe contains all of the card information necessary to process a purchase made in a store to your credit card account. Essentially when your card is swiped in a store, this information is read and transmitted to your card issuer for payment.

Criminals realized that if they obtained the data from your magnetic stripe, they could produce counterfeit cards (with your data) and buy things (using your account). At first they tried to steal this data by running it through their own card reader (i.e. when you hand your card to a waiter and they take it to a different place to process your bill). Over time, criminals realized they wanted more card information and it would be faster to systemically steal the data directly from various points in the payments process. The age of card compromises had begun.

When a counterfeit card is used in a store (swiped through a card reader) by a criminal to commit fraud, the card issuer is typically responsible for the fraud loss. Card issuers incur significant losses annually for this type of fraud (known as "card present" fraud in the industry).

Chip Cards will make it very difficult for criminals to steal data and use it to produce cards that can be used in a store. "…chip cards are not only more secure, they are also simple to use. Chip cards and terminals work together to protect in-store payments. A unique one-time code is generated behind-the-scenes that is needed for the transaction to be approved—a feature that is virtually impossible to replicate in a counterfeit card."[2]

Chip cards issued by card issuers will still have a magnetic stripe so they can still be used by merchants who have not converted their terminals to accept chip cards.

What is Changing in Oct 2015?

Changes to the payment network rules will make merchants responsible for card present fraud. To clarify, there are a few pieces of the puzzle for this fraud liability shift:

1. The credit card used for the purchase by the criminal must have been issued with a chip.
Example: The criminal produces a counterfeit card where the chip is deactivated or without a chip; the real customer still has their card and it has a chip.

2. And the purchase is processed by the merchant as a card swiped or key entered transaction.
The merchant has not upgraded their terminals to accept a chip card, OR the merchant has a terminal that can process a chip card, but they chose to process it with the magnetic stripe or key entered it.

3. And the account owner of the credit card used claims the transaction as fraudulent.

One could say a "carrot-and-stick" approach is being used here. The carrot is that issuers will realize substantial fraud loss savings provided they reissue their card base with chip cards. The stick is that merchants will now incur these fraud losses unless they upgrade their terminals to accept chip cards.

How Does This Impact eCommerce?

Despite active debate and discussion in the industry about the effectiveness of EMV in preventing fraud, two things are certain: EMV does make it more difficult for criminals to "play" in the card present space and, in countries where EMV was implemented, fraud shifted from the card present space to the card not present space (eCommerce).

Criminals who specialize in credit card related fraud look to monetize stolen data. Essentially, credit card and customer data is a commodity used by criminals to generate cash flow. There is an entire criminal ecosystem built around this: the acquisition of stolen data, the sale of stolen data, the production of counterfeit cards, counterfeit card distribution and sales, and the use of counterfeit cards to buy products which in turn are sold for cash. Each step of the process has buyers and sellers.

With EMV, the criminals who participate in this ecosystem will find it much more difficult to profit from it. Criminals generally do not like difficulty and look to find the easiest method to make money. The easiest place for criminals to make money has been eCommerce.

Simply put, in countries where EMV has been implemented (e.g., UK, France, Australia, Canada) card present fraud went down and card not present (eCommerce) fraud went up.[3] If you picture fraud as a balloon, essentially the balloon was squeezed on the card present end and the eCommerce end expanded.

If history repeats itself, a 1.5 to 3X increase in eCommerce fraud over the next few years is not an unreasonable projection. This increase will be gradual, although specific and more dramatic increases may affect some eCommerce merchants more than others. Those who are prepared and have good risk management capabilities will be able to manage this risk appropriately.

About Harold Paulson
Harold Paulson is the Director of Fraud Risk Management North America for eBay Enterprise. In this role, Harold is responsible for managing eCommerce fraud risk for 100+ retail websites with over $5B in annual sales. Harold has over 25 years of card industry experience in technology, operations, and risk management, and is a co-inventor for several patented fraud risk innovations.