In the wake of the Oct. 1 EMV fraud liability shift date, U.S. merchants can expect to pay for counterfeit fraud losses previously absorbed by European issuers, says Jeremy King, international director of the PCI Security Standards Council. Longer-term, however, King expects European banks will experience more fraud as U.S. point-of-sale and card security leapfrogs other EMV markets.
King says anticipated global fraud shifts in the wake of the U.S. EMV migration were a focal point of discussion at the PCI Council's recent North America Community Meeting in Vancouver.
"I was talking with Interac, the Canadian card [processor], and what they find is that when the card details are stolen in Canada, fraud always occurs in the U.S., because the criminals can go across the border, create a mag-stripe, cloned card and then use it to undertake fraudulent transactions," King says during this interview with Information Security Media Group. "And it's not just in Canada that that happens. It is around the world. In the U.K. and in Europe, the U.S. tops all of our fraud charts. When we see cards stolen, they turn up in the U.S. because it's easy to use them in a mag-stripe environment."
King says the U.S. migration to EMV is welcomed globally because reductions in card-present, face-to-face fraud are expected to be felt around the world.
But the U.S. EMV transition is going to push fraud to other markets and other channels, namely the card-not-present, e-commerce channel, he adds. And European banks and retailers are likely to see significant upticks in fraud as a result.
"This year, as the migration has been gaining momentum and support, I've started talking to organizations and merchants in Europe," he says. "The U.S. is getting the latest chip card; it's getting the latest PTS [PIN transaction security] approved terminals; their levels of security are going to the best there are [because U.S. merchants are investing in tokenization and encryption in tandem with EMV]. Now, the criminals will move. The criminals will start looking for other options, and the next big option is going to be in the card-not-present space. The criminals don't have to be in the U.S.; they don't have to be in Europe; they could be anywhere in the world. ... If your levels of security aren't as high as those in the U.S., you will be a target."
King argues that the United States' late EMV entry ultimately will work to its advantage.
"The U.S. is actually going to leapfrog us slightly over in Europe [because of the additional layers of technology]," he says "Their security is going to be at a higher level, therefore, we will be the target. So we've got to be aware. Everyone is now at risk globally. This [the U.S. adoption of EMV] changes the whole playing field in the fraud space."
During this interview (see audio link below photo), King also discusses:
- Why point-to-point encryption and tokenization are necessities, even with EMV;
- How the council's new data breach response guide will help organizations reduce breach-related costs;
- Why getting boards of directors involved in data security is becoming increasingly critical.
King leads the PCI Security Standards Council's efforts to increase global adoption and awareness of PCI security standards. His responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI-managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the payment system integrity group at MasterCard Worldwide.