EMV Struggle: 7 Lessons from Europe

Security Experts Warn U.S. Needs Flexible Deadlines, Better Education

What can the United States learn from the successful rollout of EMV chip cards and readers in other regions - including Europe - that began more than a decade ago?

Payment card experts note that just like the United States, European countries faced numerous challenges when attempting to first justify the expense of EMV migration, and then adopt it. Based on those experiences, the key to U.S. success, they say, will be the right "carrot and stick" approaches, well-designed educational initiatives for merchants and cardholders, awareness that successful rollouts may take a decade to reach maturity, as well as an understanding of the types of fraud that the U.S. chip-and-signature approach will - and will not - help reduce.

In Europe, MasterCard in 2005 and Visa in 2006 began holding merchants liable for any fraudulent transactions they processed, unless they were using systems compatible with the standard known as EMV, which is named for the three companies that created it: Europay, MasterCard and Visa. After reaching high levels of EMV adoption, Europe saw a dramatic decline in "card present" fraud due to lost, stolen or counterfeit cards.

In the United States, however, EMV migration has lagged. While U.S. card issuers have set an Oct. 1 EMV liability shift date that follows the European model, recent estimates suggest that only about one in five U.S. payment cards and POS terminals will be EMV-compliant by then (see EMV: Why U.S. Will Miss Oct. Deadline).

Based on the lessons learned from EMV rollouts in various European countries, experts say there are multiple strategies that card brands could - and should - be applying to encourage and accelerate U.S. adoption.

1. Pay More Attention to Education

For starters, U.S. card brands need to pay more attention to education, says Tom Wills, who's a director at consultancy Ontrack Advisory, and based in Singapore, which is also in the midst of its own EMV rollout. Wills says that the U.S. EMV rollout delay can be ascribed, in large part, to card issuers failing to do "a better job of educating merchants and cardholders about the migration," especially for small and medium-size businesses who "don't fully understand what the EMV rollout means for them."

But he says education must also be tailored to a second group of merchants: the ones who have crunched the EMV migration numbers and found that the likely fraud losses they would have to absorb would cost less than the expense of upgrading to new terminals, training staff and demonstrating compliance. Of course, education alone likely won't entice these holdouts to migrate.

London-based payments expert Peter Comben, an associate executive consultant at payments consultancy Double Diamond Group who previously worked for both Visa and POS terminal manufacturer VeriFone - and who was involved in the European rollout of EMV and contactless payment systems - says that it's time for U.S. card brands to get serious about educating cardholders. "It should not be underestimated how much the cardholder has to do with the migration. It is a significant part, and I don't think in the U.S. they have even started on that side of things."

2. Adopt Rolling Deadlines

To make the U.S. EMV migration succeed, Comben also recommends that U.S. card brands embrace the "carrot and stick" playbook that card associations used when rolling out EMV in Europe. "What we have seen here is an incremental shift of the liability date, where the message is: 'That was the date, but here's another date, which is six months away, and between now and then, we'll give you a breakdown every month of what it would have cost you if the mandate had actually been in force.'"

Disseminating those fraud numbers was a soft-touch way for the card brands to try to move more merchants and issuing banks to adopt EMV, he says, before they finally began offering further incentives. "That's typically what I've seen in Europe, these types of arrangements, and I suspect they have that up their sleeve" in the U.S., he says.

3. Fraud Won't Disappear

One cautionary lesson from Europe is that an EMV chip alone will not eliminate online payment-card breaches. Accordingly, when educating merchants and cardholders, U.S. card brands must guard against overselling EMV's security upsides, experts warn.

For example, EMV discussion in the United States surged following the Target breach (see Government Rolls Out Chip and PIN). But numerous security experts have noted that EMV would not have prevented the breach at Target - or numerous other retail organizations - from occurring, because attackers used POS device memory-scraping malware.

4. EMV Can Be Defeated

The European EMV rollout has also demonstrated that just because a card sports an EMV chip, that does not mean it offers bulletproof security, says Ross Anderson, a professor of security engineering at the University of Cambridge. As Anderson's research has demonstrated, EMV cards can be cloned - via so-called "chip and skim attacks" - and used to commit "card present" fraud that makes it look like the cardholder was responsible for a transaction.

Other researchers, including London-based MWR InfoSecurity, have also demonstrated how EMV terminals can be defeated using Bluetooth or malicious smartcards when manufacturers insecurely implement the EMV standard.

5. Expect Fraudsters to Shift Focus

Once the United States does achieve widespread EMV compliance, it could trigger a surge in other types of fraud, both in the United States and globally. "Our experience here is that it won't cut fraud so much as move it around," Anderson says. "You can expect an initial displacement of fraud in stores to online fraud - and also to thefts from the mail, if there are mass card reissues - followed by a push to make customers more liable for fraud when the bank says that a chip card was used."

Wills likewise cautions that while chip-and-PIN technology has been proven to reduce the incidence of "card present" fraud in Europe, it will not reduce "card not present" fraud levels, because such transactions are not protected by a card's PIN code. "That was the experience in the U.K., for example. There, total fraud losses actually went up in the years immediately following completion of the EMV rollout, despite a big drop in physical point-of-sale fraud," he says. "Fraudsters are extremely good at finding the path of least resistance."

6. Mourn Lost U.S. Chip-and-PIN Opportunity

Another lesson offered by European experts may prove tough for U.S. cardholders and merchants to palate: Namely, many security experts believe PIN codes are much more secure than the chip-and-signature approach being adopted in the United States, owing to the ease of forging signatures, as well as the fact that many merchants do not verify signatures.

As a result, Ontrack Advisory's Wills does not expect that the U.S. will see "card present" fraud decline to the extent that Europe did, because of the "strategic mistake" made by U.S. card brands choosing a chip-and-signature approach. "Merchants - especially in the States - notoriously fail to check cardholders' signatures, and there's no reason to believe that they'll start all of a sudden when using EMV terminals."

Double Diamond Group's Comben likewise is critical of the U.S. failure to adopt chip-and-PIN cards, saying it represents a "lost opportunity" to have reduced lost-and-stolen card fraud. He notes that while there were also pre-EMV rollout concerns in the United Kingdom over cardholders' ability to remember card PIN codes, this did not turn out to be a major issue.

On the other hand, the U.S. signature-based approach should make it easier and less expensive to introduce EMV, "because they won't need the same education that was needed in the U.K., and we were talking massive advertising here - press and television advertising to get the message out - and that was a significant part of the U.K. success story," he says.

7. Keep Looking Ahead

While EMV is an old specification, Comben says it has not only done what it was designed to do, but still has application today. "Some people would argue that now it's reaching the end of its life expectancy, but I still think it has a long life in the card-protection space," he says.

But the widespread belief among security experts that the U.S. selected the wrong EMV approach will likely precipitate questions of whether the country should next adopt chip and PIN, or else something entirely new. Wills argues that it's time for the card industry to rethink its entire approach. "EMV is essentially 1980s security technology being applied to 21st-century criminality," he says. "The real answer to this is to migrate away from cards completely; but that's a longer discussion."


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
