Eight months after the EMV liability shift took hold in the world of credit cards, there really has been some liability shift.
There’s also been a shift in focus for fraudsters, who are now finding easier targets for accessing accounts, all the while trying to burn off their stock of magnetic stripe cards no longer so useful for counterfeiting.
And the big card brands are trying to mollify consumers who, at least the conventional wisdom holds, find it irritating to wait while an EMV reader reads the chip. So irritating, in fact, that some big retailers, willing to take the hit, have reportedly turned off the EMV readers at some checkout lines, especially during busy times like the holidays.
Those are three observations from the first wave of activity following the Oct. 1, 2015, declaration by the major card brands that the weakest link in the transaction change has to eat the losses. Issuing EMV cards has been the standard defense and MasterCard, for example, now reports that about two out of three of its branded cards in the U.S. now have the chips and that about 1.2 million merchants accept them.
The effects are becoming clear. “Net fraud is down for many issuers,” Aite Group research director Julie Conroy says in a new report. She attributes part of that to the fading fallout of major breaches at Home Depot and others, but added: “Another significant driver of the net fraud decline is the fact that issuers can now charge counterfeit fraud losses to merchants that have not yet upgraded to EMV-capable terminals.”
PSCU Sees The Shift
“Close to a couple hundred thousand dollars in fraudulent charges have already been sent back to merchants that in the past would have been lost by our member-owners,” says Art Harper, director of payment card and plastic solutions consulting at PSCU, the big payments processing CUSO.
That’s because the members were using EMV cards and the merchants were not processing them that way. Harper says the numbers are just beginning to come in, but that he has seen estimates that MasterCard has seen card-present fraud drop by as much as 73% since the liability shift. That would replicate a similar experience in the U.K.
“We really don’t know what the numbers are yet,” Harper says, “but we’re confident that card-present fraud has dropped pretty significantly because of EMV chips.” And that the liability shift has worked for credit unions who have gotten the new cards into members’ hands.
That’s because chip cards are hard, if not currently impossible, to counterfeit. Conroy’s Aite Group report estimates that counterfeit card fraud losses in the U.S. will drop from $4.5 billion in 2016 to $900 million in 2020. That’s after spiking from $1.7 billion in 2011 as fraudsters focused on the non-EMV U.S. while the payments industry here was slowly ramping up and rolling out chip tokenization technology deeply entrenched across the rest of the developed world.
While the counterfeit market is shrinking, it’s still big. PaymentsSource reports that LexisNexis Risk Solutions and Javelin Strategy & Research have found that 16% of the $10.9 billion now seen annually in U.S. card fraud are still from counterfeit cards.
Fraudsters also are working hard to burn off their store of magnetic stripe cards while moving on to easier targets such as poorly secured online shopping sites and ATM skimming schemes. Notably, hackers pulled 1.4 billion yen ($12.7 million) from 1,400 convenience store ATMs in Japan in just three hours recently.
A Matter Of Perception
While EMV use continues to rise in the U.S., consumer impatience over how long it takes a card to be read has led to some software innovation by MasterCard and VISA, each of which announced their own solutions that streamline the process.
The technologies differ somewhat but the idea is the same: prioritizing the parts of the transaction that are critical to security so it seems like the whole ordeal is taking the same amount of time as a traditional swipe of the magnetic card.
To Harper at PSCU, it’s really just a matter of perception. He maintains that it takes no more time for an EMV reader to do its thing, but that the user perceives it to take longer because instead of swiping the card and then returning it to a wallet or purse, the consumer is just standing there waiting for the “remove card” prompt.
Plus, there’s also the issue of competing with mobile at the checkout line (think Apple Pay and Samsung Pay and everything else Pay). Again, Harper says an EMV reader takes no more time than a digital wallet transaction on a smart phone.
“The perception is that the card is taking longer when it’s really operating in much the same environment,” Harper says.
Meanwhile, MasterCard’s M/Chip Fast and VISA’s Quick Chip will allow the cards to be inserted and pulled out immediately, but there still will be some issues to be resolved and their rollout dates have not been announced while testing gets underway.
Harper says it’s not clear yet what the ramifications will be of the transaction process proceeding without final authorization after the card is removed. For instance, in the case of debit cards, he says, in theory that could result with something like what happened when gas was selling for upwards of $4 a gallon and the transaction would exceed the hold limit of, say, $100.
“Transactions could be denied. We really don’t know yet,” the PSCU cards consultant says. He says his CUSO will be keeping up with the changes through its involvement with organizations like the standards specs group EMVCo and by watching the action unfold on the issuer side.
Credit union processors and issuers will really know what’s happening at the POS end when the M/Chip Fast and Visa Quick Chip tools actually hit the market. It’s not clear when that will happen, but Payment Week reports that testing is underway and MasterCard should have prototypes out in about three months.
“Right now it’s just all conversation,” Harper says.