Only 29% of merchants can accept chip cards, CNP fraud surging anyway - expert comments
September 2016 by Lisa Baergen, Director at NuData Security
Nearly a year after the EMV liability shift in the U.S.—a move specifically engineered to incent retailers to install EMV-compliant POS systems in their stores—only 44% of merchants are equipped with the new terminals, according to a new report from The Strawhecker Group. Furthermore, not all of those merchants that have installed EMV-enabled systems are using them. Only 29% of U.S. merchants can actually accept chip cards, the report said, with terminal certification delays the main culprit. Despite fewer U.S. merchants accepting chip transactions a year into the transition to EMV than predicted, however, the effects experts predicted have largely come true. Studies over the past few months have consistently shown that counterfeit fraud at the physical point of sale is dropping, while card-not-present fraud is surging.
Lisa Baergen, director at NuData Security: "In October 2015, the U.S. began complying with the mandated shift to EMV credit and debit chip cards. The U.S. market had the advantage of being able to learn from its European counterparts who had made the shift years earlier. The implementation has been a long and difficult process, particularly for merchants, where the cost to implement is relatively high, and the perceived value was just not there. While the deadline for the U.S switch was October 2015, not all merchants have upgraded – only about 40% of merchants have completed EMV implementation. Furthermore, these new EMV cards are still compatible with old systems, which put them at the same risk for fraud as they were before the switch.
Compounding the problem, some issuers are deciding to phase in PIN compliance, as it was not part of the October 2015 deadline. Without the PIN, these EMV cards require the far less secure signature to authorise the transaction, stripping the card of its two-factor authentication protection.
A period of overlap will continue, with the increases in account takeover, fraudulent account creation and traditional credit card theft this report highlights. This scenario provides even more reason for organisations to switch from traditional fraud detection methods to behavioural analytics and passive biometrics to detect and protect good users and reveal and block bad actors.
If you truly know the human behind the device, you can finally focus your efforts: protect legitimate accounts, provide streamlined experiences for customers you trust, and block actual fraudsters completely without customer friction."