Threat Management, Incident Response, TDR, Vulnerability Management

Despite intro of chips, credit card fraud still a risk, FBI

It's not the chip cards themselves but the slow adoption of the platform in the U.S. that is leaving consumers vulnerable to credit card fraud, an FBI representative said in a recent interview with The Washington Times.

The new technology rolling out across the U.S. – so-called EMV cards (an acronym for Europay, MasterCard, Visa) – adds a chip to traditional cards which must be inserted into new hardware in order to be accepted

Chip cards have been in use in Europe for a decade and have proven to be more effective in combatting fraud than magnetic strip cards as the integrated circuit the EMV cards contain are practically impossible to duplicate.

However, U.S. retailers and financial institutions have been hesitant to adapt the technology for a variety of reasons, namely the cost to switch out hardware, like point-of-sale terminals.

Additionally, the FBI rep told The Washington Times that the chips themselves in the new EMV cards are still vulnerable, though no further explanation was offered.

The problem is that the new cards are a hybrid: Although supplemented with chips they still contain the legacy magnetic stripe as well. Consequently, businesses which have yet to make the transition to EMV technology are still capable of accessing the personal information of card users. And, criminals can still readily exploit the security of magnetic stripe cards – as they have been doing since the 1960s – by counterfeiting identities.

Many expected the rollout to gain momentum owing to new rules that went into effect in October 2015 shifting the liability for most fraud losses in a face-to-face environment (not phone or online commerce) from the issuer of the consumer's card to the merchant. Specifically, if fraud results from the compromise of a mag-stripe card transaction, the merchant will be held liable if it is not equipped to accept EMV-compliant chip-card transactions.

But earlier this year, Deborah Baxley, principal for Capgemini Financial Services, told SC Magazine that less than half of merchants would be ready to process EMV chip-based transactions by that date. She estimated about seven in 10 U.S. payment cards would have a chip. And, even if the card had a chip and the point-of-sale terminal accepted chip cards, there would be no guarantee that the payment would not be run as an old-fashioned non-EMV-compliant magnetic stripe swipe transaction, since the frontline staff who are taking payments may or may not be aware and trained in the new technology and method of transaction.

A spate of recent high-profile data attacks that hit big merchants like Target and Home Depot did raise concerns about payments fraud and motivate some merchants, said Baxley. Wal-Mart Stores, for one, has been very “gung-ho” about its move to EMV at its points-of-sale, she added. But, many smaller and mid-sized retailers, especially those with slim margins, simply see the cost of adding new chip card-reading terminals and EMV-compliant middleware and going through a certification process as a costly proposition with little short-term payback – even if they will have to cover the cost of fraudulent transactions when the liability shifts. “A lot of mid-sized merchants figure they're not going to be the first place for counterfeiters anyway,” Baxley said.

While the business case might seem somewhat elusive, especially to overwhelmed mid-sized merchants that lack the deep pockets or the wider margins of their larger counterparts, Baxley maintained that EMV typically offers a solid return on investment within seven to 10 years or less. And, given the diminishing number of first-world countries that are still on magnetic stripe, there is also the justification that payments industry participants will simply want to avoid becoming the default destination for fraud criminals looking for weakness, she said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.