The Rippleshot team had the pleasure of attending ISMG’s Fraud Summit here in Chicago this week. Unsurprisingly, the topic on everyone’s minds and mentioned in almost every single panel was the impending shift to EMV in the coming months and how that will impact card security moving forward.
The final panel of the day featured perspectives from merchants, issuers and card networks, and provided unique insight into each party’s opinions and reservations about the upcoming switch.
The speaking panel included Liz Garner, Vice President of the Merchant Advisory Group, David Pollino, Senior Vice President and Enterprise Fraud Prevention Officer at Bank of the West, and Krista Tedder, Vice President and Global Product Manager of Risk, Fraud, and Identity Verification at MasterCard.
Garner noted that while EMV is “a valuable tool, it’s not the answer” to stopping payment card fraud. She cited merchants’ frustration with the choice to implement Chip and Signature rather than Chip and PIN, not just because it’s less secure, but because it forces merchants to have to prep for two switches, instead of just one. And she was steadfast in her belief that Card Not Present fraud detection solutions will be critical to card security moving forward.
Pollino echoed many of Garner’s thoughts, particularly that many merchants won’t be ready for the October deadline. He cited hearing the excuse, “I’m a low-fraud merchant,” being used in defense of their delayed EMV implementation, though he bit back by saying that the way merchants are determining if they’re “low-fraud,” by using chargeback volume, is a flawed and wildly inaccurate measure of actual fraud levels. And that these merchants will be in for a very unpleasant surprise post-switch when they see record levels of chargebacks taking place.
But, from an issuing standpoint, while banks stand to benefit a ton from EMV implementation, Pollino noted that the switch is likely to continue to feed the recent shift in fraud stemming from big box retailers to more processors, POS vendors and other third-party providers, which will make the traditional CPP analysis many banks do much more difficult.
Both Garner and Pollino expressed frustration with the card networks setting the rules and deadlines for EMV, when the vast majority of the losses are being felt at the issuer and merchant levels.
Which brings us to Krista Tedder from MasterCard.
Tedder empathized with the issuers and merchants that they suffer most of the fraud losses on payment cards, and knows that banks are hurting from regular card reissuance due to data breaches. In fact, she noted that when a card number has to be changed, 20% of the time, the replacement card is never reactivated - which is a huge concern.
Tedder also did admit that though Chip and Signature is less secure than Chip and PIN, there was a reason behind that decision, and it sat mainly with the issuers. The rationale was that many consumers wouldn’t be comfortable or used to using a PIN with their cards, and coupled with the fact that many issuers weren’t going to allow customers to choose their own PINs, this would lead to their cards being shuffled to the back of the wallet.
The one thing that all three parties agreed on is the growing concern over mid-tier-sized merchants (20 to a couple hundred locations) and their ability to implement EMV in time. The truth is, the larger big box merchants are ready or are nearing close to it. The smallest merchants only need to replace one or two POS terminals. But the guys and gals in the middle have a large enough infrastructure to make this a major undertaking, but without the technical and financial support that a Tier 1 merchant has. And the fraud will quickly shift to this group, as hackers realize where the holes are.
Rippleshot has extensively covered the upcoming EMV switch. To learn more about its potential impact on fraud, and how we expect the U.S. to fare as compared to other countries’ migration, download our latest whitepaper: EMV Adoption in the U.S.