In the 1980s, EMV (Europay, MasterCard and Visa) technology using a chip embedded in credit cards was responsible for a drastic drop in fraud involving cloned credit cards that was rampant following the fall of the Iron Curtain.
Despite good arguments for (and against) EMV technology as the worldwide standard and intense pressure from Visa, MasterCard, and even the White House, merchants and banks in the U.S. seem to be dragging their feet as the October deadline for implementation has passed with only moderate success.
A recent article at BankInfoSecurity.com attributes the delay in implementation here to high costs, a lack of demand from consumers, and doubts about the ability of the EMV technology to actually mitigate credit card fraud. Not surprisingly, these seem to be the same primary stumbling blocks to IT Security funding and progress in many companies.
High Costs of EMV Implementation and IT Security in General
Reluctance to Fund the EMV Transition
With the shift to EMV technology, banks and credit card issuing companies are incurring considerable costs to create new cards with the EMV chip and then to replace all the cards currently in use by their customers. Additionally, merchants are faced with considerable expense to purchase new compatible point of sale (POS) equipment, reconfigure computer systems to integrate with the new equipment, and then to train staff to understand the new systems.
Compounding the reluctance of merchants to purchase the necessary equipment is an underlying concern that this expensive upgrade is likely only a temporary half-measure. The chip and signature version of EMV technology being implemented by U.S. banks is sort of a step between the old magnetic stripe cards and the chip and PIN cards being used in Europe. Merchants are understandably concerned that the chip and signature POS equipment will simply be obsolete within a couple of years.
Reluctance to Fund New Security Technology
We often hear similar concerns with clients. Tools or systems they have bought “recently” may have been rendered obsolete by new security tools or by new risks that were not foreseen at the time the tool or strategy was devised. This is why tools must be proactively updated whenever possible and kept up to date to remain effective. With tools made to evolve such as encryption systems, the necessary upgrades are relatively easy but, in a medium to large sized company, the time and effort to manage patches and updates can still be significant.
Executives are often simply reluctant to make large purchases in IT Security systems or tools because they do not understand the systems and their options well enough to act in confidence. Our team of experts can help clients avoid unnecessary future upgrade costs by identifying the right tools to meet the organization’s current and anticipated needs, integrate well with existing systems and processes, and provide the support to ease potential challenges of implementation.
Lack of Consumer Demand for EMV Implementation and IT Security in General
Early in 2012, Visa and MasterCard joined together to set the October 2015 deadline for ditching the swipe-and-sign card model here in the US. They set parameters for a significant shift in liability for credit card fraud. For merchants who fail to upgrade equipment, liability would rest largely on the company when fraud takes place after a customer uses an EMV card. On the other hand, the liability would fall to the bank or card issuer when fraud occurs after a customer uses an old-style swipe & sign card on upgraded POS equipment.
Consumers are Slow to Accept Change, Not Demanding EMV
Card issuers and merchants alike have had to weigh the potential costs of such liability against the costs of making upgrades to the new system. The EMV system is not the first new concept in credit and mobile transaction processing to be tested. Merchants have also hesitated, waiting to see if a new system like Google Wallet or American Express’ test of a one-time-use-code system would take off. Most recently, Apple Pay promised to revolutionize the way we buy things. The effectiveness of Apple Pay has yet to be determined but, historically, we know that consumers can be slow to adapt to such changes.
Similar to the mixed adoption rates of two-factor password authentication, companies are reluctant to make expensive changes to existing systems only to risk rejection or even a mediocre acceptance by customers who do not understand the new tools or do not appreciate the need for or benefits of the change. As we reach the October deadline with only minimal success in EMV implementation, experts are already calling for more education as we struggle to catch up to Europe.
Users Need Education to Adopt New Security Tools and Practices
We often find that education and reinforcement are key to aiding adoption rates. This takes considerable effort for changes made even within one company where employees can be repeatedly reminded of the importance of the new system or employees can even be mandated into organized training as a captive audience. Explaining a major (and moderately controversial) change to an entire nation of consumers has proven to be a challenge.
Doubt in Effectiveness of EMV Technology and IT Security Tools in General
With the adoption of the EMV technology across Europe, levels of “card present” (CP) fraud dropped off significantly and remained commensurate with rates of “card present” fraud in the US. Unlike Europe, the popularity of internet shopping in the US led to more prominent “card not present” fraud prior to (approximately) 2013. Just a few years ago, EMV technology seemed unnecessary in this country. While instances of credit card cloning and “card not present” (CNP) fraud seem to be rising in recent years, consumers are also plagued by fears of exposure due to numerous high profile data breaches at large companies. Americans are keenly aware that personal and financial information on virtually all of us is likely out there somewhere in the wrong hands. Consumers are slowly becoming more aware and somewhat more diligent – but also more wary.
Will EMV Lead to a Significant Drop in Fraud?
Ultimately, EMV technology does not address risks of CNP fraud. US retailers and consumers alike are less than excited about a drastic change that may offer little or no real effect. In 2012, EMV was said to be “just a solution looking for a problem” as CP fraud was seen as a small issue here. As the October 2015 deadline approaches, EMV is seen by some as an expensive solution to just one of many problems.
Will this Really Make Our Systems and Data More Secure?
Working with our clients, we are keenly aware that to confidently seek IT Security funding and create a forward-thinking strategy, expenditures and activities must be prioritized to get clients the most “bang for their buck” in what we recommend. A detailed cost-benefit risk analysis can point a company to the most effective and most critical areas of their security strategy and help overcome reluctance that comes from uncertainty.
In late 2014, the rate of EMV technology adoption increased significantly around the world (including in Canada, Latin America and in the Caribbean) but still lags behind here in the US. As the October 1 deadline comes and goes, it is apparent that swipe-and-sign cards are still very much part of transactions here in the US for most merchants and banks. Whether the EMV tools are going to become the standard and this push is ultimately successful will depend on how well and how quickly the questions of cost, demand, and confidence can be answered for companies and consumers. Similarly, if we are going to effectively combat cyber-crime and improve IT Security, these same issues must be addressed within our companies.