Oct 2015: chip-and-PIN will force fraud online

Posted by Rurik Bradbury on December 9, 2014


Over the past few years, the US has slowly but surely been adopting EMV technology -- a payments standard in Europe and Asia. EMV, which is an acronym for Europay, MasterCard and Visa, uses a chip within credit and debit cards as an added layer of security, and a transaction can’t be processed without a user inputting the correct PIN code or a signature.

While this technology has been the norm in Europe for the past ten years, the US is just getting around to adopting EMV technology. The target date is October 2015, when the liability for fraudulent transactions conducted without chip-and-PIN tech shifts from the banks to the retailers and merchants. This means that thousands and thousands of stores, from Wal-Mart and Target to your local bakery store, need to upgrade their point-of-sale terminals to support EMV in 11 months. The costs are expected to rise to the billions for merchants, according to financial technology analysts we’ve spoken to.

The in-store fraud benefits for EMV have been well documented -- the New York Times wrote that in Britain, counterfeit and stolen card fraud has fallen 60 percent, while it has grown 50 percent in the US over the same time period.

Fraudsters in the US are starting to realize that many of their tricks, like the use of skimmers, don’t work with chip-and-PIN. When customers type in a PIN code, the system doesn’t store it, it just confirms whether or not the PIN code is correct or not. So, fraudsters won’t be able to gain access to the PIN code, which will severely limit their attacks in-store.

But, while EMV and chip-and-PIN technology may solve offline retail fraud, the impact the technology has on e-commerce fraud is negligible at best.

We anticipate that those fraudsters will start to target online transactions more, and mobile purchases as well. PIN codes aren’t necessary online, as the New York Times writes, which means they are more susceptible to fraud attacks.  

“Specialists warn, however, that the E.M.V. technology will not address all types of financial fraud. Although the encrypted microchips have led to a significant decline in counterfeit cards, they cannot stop illegal online purchases that do not require an individual to enter a four-digit code. Such purchases represent the fastest-growing area of financial fraud.”

There’s evidence of this happening in the United Kingdom. The Aite Group says fraud for “card-not-present” transactions, which are online and mobile transactions where there is no physical card used, rose 79 percent in the three years after chip-and-PIN was adopted. In Australia and Canada, the figure more than doubled.

EMV technology may help limit the impact of massive data breaches, like the one that hit Target last year and Home Depot this year. That's a good thing.

However, a sharp increase in fraud attacks on online purchases is coming, and there’s not much that EMV and chip-and-PIN technology can do about it.