October Fraud Surprise for Retailers?
Why Failure to Implement EMV Could Prove Very Costly
U.S. merchants that aren't prepared to accept EMV chip cards by October should be bracing for significant upticks in card fraud expenses.
That was the message from MasterCard this week at Information Security Media Group's Fraud Summit Chicago.
When the EMV liability shift date for fraud takes effect in October, merchants that are not EMV-compliant can expect to immediately get pounded with card-fraud expenses that card issuers, up to now, have been absorbing, warns Krista Tedder, vice president of risk, fraud and identity verification at MasterCard. She was a featured speaker at the summit's closing panel.
The card brands' October liability shift date is an incentive, not a mandate. So, missing the liability shift date won't result in fines or an inability to conduct transactions. It simply means that as of October, a card issuer or merchant that does not support EMV assumes liability for fraud that results from compromised magnetic-stripe card transactions. While most card issuers are scrambling to issue EMV cards, many retailers are lagging in efforts to install updated point-of-sale equipment to accommodate chip cards.
Most merchants don't have a good handle on just how much card fraud is occurring as a result of POS breaches, said David Pollino, senior vice president and enterprise fraud prevention officer at Bank of the West, another panelist at the summit. Nor do they have a good feel for how often fraudulent magnetic-stripe cards are being used for purchases at their stores.
In fact, Pollino said merchants tell him they're basing their assessment of fraud losses solely on the chargebacks they receive, which account for only a tiny fraction of fraud. A chargeback is a demand made by a credit card issuer, such as a bank, for a retailer to refund a fraudulent or disputed transaction.
Pollino pointed out that Bank of the West had to absorb substantial card fraud losses linked to the Target and Home Depot breaches. And how many transactions linked to cards compromised in those attacks did Bank of the West submit to retailers as chargebacks? "Zero," Pollino said.
So when the liability shift kicks in, "I don't think the merchants have any idea how much fraud is going to be shifted back to them," he said.
Beyond U.S.-Based Fraud
Pollino and Tedder also pointed out that many banks in Europe have been absorbing significant amounts of fraud because of lingering mag-stripe technology.
While European countries are already EMV chip compliant, their cards must retain mag-stripes to ensure global payments interoperability. That means cards issued in Europe can still be cloned and used as mag-stripe cards in countries, such as the U.S., where mag-stripes are still accepted.
In fact, Tedder said about 25 percent of all card fraud that affects European cardholders occurs in the U.S. with counterfeit cards. That represents "billions in card fraud" that U.S. merchants that are not EMV-compliant may have to pay for once the liability shift is in effect, she points out.
The October Shift
It's clear that not all merchants, or even all card issuers, are going to be EMV-ready by October. Liz Garner, vice president of the Merchant Advisory Group, who sat on the panel with Tedder and Pollino, pointed out that, unfortunately, many merchants that are ready to roll out EMV-compliant POS terminals are on waiting lists, because the POS vendors are backlogged.
Still, the card brands are not going to delay the liability shift date, MasterCard's Tedder stressed.
So banking institutions that work with merchants as acquirers really need to step up their game to get the word out. Acquirers need to ensure that their merchant customers know just how much fraud loss could be shifted back to them if they're not EMV-compliant by October.
Based on what panelists said this week, the amount of these losses could potentially put some smaller merchants out of business. And nobody wants that to happen.