Much has been written about the impacts of the recent U.S. October 1, 2015 Fraud Liability Shift milestone and the migration to chip cards. Some retailers geared up for the fraud chargeback liability shift long before October 1st by upgrading POS software and hardware systems to accept the new EMV chip cards. Most U.S. merchants are still sitting on the EMV sidelines and have not made the commitment to upgrade.
When considering EMV acceptance upgrades, retailers need to look at their total risk profile when it comes to fraud, security, and PCI Compliance. The EMV chip card standard was developed as a way to minimize in-store fraud. After October 1, 2015, card-present merchants will be accepting more risk, as transactions made with counterfeited EMV cards will now be the merchant's responsibility if the merchant decides not to accept EMV chip technology at the POS. The benefit of the investment in new payment system upgrades needs to outweigh the risk of fraud and customer perception for the merchant.
Fraud and EMV in the Context of Risk
Any time a customer hands a credit card number to a business for payment, whether virtually or in person, they are entrusting the company with their payment credentials. The business is essentially assuming a financial risk. Businesses that fail to properly secure and defend their systems from cyber-hackers, card skimmers, fraudsters, and thieves risk damaging their brand reputation and losing their relationship with the card networks, and the potential monetary liability from a breach and fraudulent transactions could mean millions in fines from networks and banks and in litigation costs. Merchants of all sizes can reduce payments operating risks and make decisions to better protect themselves and their customers by better understanding the key payment acceptance threats.
A Framework to Analyze Payments Risk
Every business faces three major threats when accepting electronic payments: Fraud, Non-Compliance, and Account Data Compromise. These payment threats are related, but each needs to be combated with tactics specific to the threat.
- Fraud: The U.S. has seen a 70 percent increase in payment card fraud since 2004, and losses due to card fraud are expected to top $10 Billion in 2015*. Ecommerce merchants already accept the risk for fraudulent transactions.
- Account Data Compromise: Compromise and cyber-attacks are not a new phenomenon, but media scrutiny of the vulnerability has increased while the threat has extended to all business types. Forty-two percent of all breaches investigated by global security company Trustwave were eCommerce breaches, while another 40 percent of breaches were POS breaches, in 2014***.
- Payment Card Industry (PCI) Non-Compliance: Any business that stores, processes or transmits cardholder data is required to comply with the PCI Data Security Standards. Businesses that are not in PCI scope can get blacklisted by the networks and not be able to process electronic payments. PCI Compliance fines and penalties can range from $5,000-$500,000 for Tier 1 and Tier 2 merchants.
The EMV chip card standard was developed as a way to minimize in-store fraud. Simply put, with the right POS equipment the chip on the card authenticates the validity of the card, and if chip and PIN is implemented, it will validate the user as an authorized user of the card. Unlike a mag-stripe, the EMV chip is nearly impossible for fraudsters and counterfeiters to duplicate because of the dynamic data it generates.
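To make the "dynamic data" point concrete, here is an added example (not from the original article) that models why a copied chip transaction cannot be replayed the way copied mag-stripe data can. It is a simplified model: HMAC-SHA256 stands in for the EMV application cryptogram, and the class, function and field names are hypothetical.

```python
import hashlib
import hmac
import os

def cryptogram(card_key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Per-transaction MAC over counter, amount and the terminal's random nonce.
    Assumption: HMAC-SHA256 is a stand-in for the real EMV cryptogram algorithm."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """Holds a secret key that never leaves the chip, plus a transaction counter."""
    def __init__(self, key: bytes):
        self._key, self._atc = key, 0

    def sign(self, amount_cents: int, nonce: bytes):
        self._atc += 1  # the counter advances on every transaction
        return self._atc, cryptogram(self._key, self._atc, amount_cents, nonce)

class Issuer:
    """Shares the card key and remembers the highest counter it has accepted."""
    def __init__(self, key: bytes):
        self._key, self._last_atc = key, 0

    def authorize(self, atc: int, amount_cents: int, nonce: bytes, cg: bytes) -> str:
        expected = cryptogram(self._key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, cg):
            return "declined: bad cryptogram"
        if atc <= self._last_atc:
            return "declined: counter reused"
        self._last_atc = atc
        return "approved"

def demo() -> list:
    key = os.urandom(16)                 # constructed sample key
    card, issuer = ChipCard(key), Issuer(key)
    nonce1 = os.urandom(4)               # terminal's unpredictable number
    atc, cg = card.sign(2500, nonce1)
    results = [issuer.authorize(atc, 2500, nonce1, cg)]       # genuine purchase
    # Captured data sent again unchanged: the issuer has already seen this counter.
    results.append(issuer.authorize(atc, 2500, nonce1, cg))
    # Captured cryptogram presented for a new transaction (new counter and nonce).
    results.append(issuer.authorize(atc + 1, 2500, os.urandom(4), cg))
    return results

if __name__ == "__main__":
    print(demo())
```

Static mag-stripe data has no equivalent of the counter or the keyed cryptogram, which is why the same captured track data keeps working until the card is cancelled.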
Merchants need to look beyond EMV to prevent payment data from getting compromised. EMV does little to protect the consumer or merchant against POS network breaches or Account Data Compromise (ADC) events, nor does it help merchants meet PCI requirements. Additional technologies and business processes beyond EMV can be implemented in a merchant's network systems and operations to prevent ADC. Technologies such as payment tokenization, data encryption (E2EE) and PCI best practices should be implemented to ensure secure payment processing.
Retailers across the U.S. are investing significant resources to better protect their customers and their businesses from security and fraud threats. There is no silver bullet in fraud prevention and payment risk reduction, and the threats to merchants are constantly evolving. Success for omni-channel retailers requires a focus on a multi-layered approach. To this end, eBusiness professionals must work with technology partners as well as implement business processes and practices that can help reduce or eliminate common threats and risks.
*Accenture 2013. Payments Transformation – EMV Comes to the U.S. https://www.accenture.com/us-en/~/media/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Industries_5/Accenture-Payments-Transformation-EMV.pdf
**Nilson Report July 2015. Issue 1068. http://www.nilsonreport.com/publication_newsletter_archive_issue.php?issue=1068
***Trustwave 2015. 2015 Trustwave Global Security Report. https://www2.trustwave.com/rs/815-RFM-693/images/2015_TrustwaveGlobalSecurityReport.pdf?mkt_tok=3RkMMJWWfF9wsRoguazAZKXonjHpfsX%2B4%2B4pXKG1lMI%2F0ER3fOvrPUfGjI4ESMdhI%2BSLDwEYGJlv6SgFQrHAMbJm17gLUhI%3D