The Fraud Blog with Tracy Kitten

Time for EMV in the U.S.

Time for EMV in the U.S.

Magnetic-stripe cards are quickly showing their age, and are increasingly giving the rest of the world a reason to point a finger of shame at the United States. The chip-and-PIN standard, better known as the EuroPay, MasterCard, Visa standard (EMV) mandated by Europe's EMVCo., is catching on in virtually every global market - except the U.S.

While other parts of the world, such as the United Kingdom, started some 10 years ago seeing massive leaps in mag-stripe card skimming, the U.S. remained sheltered. Some fraud existed, but nothing great enough to raise alarm.

Well, that's all quickly changing.

See, when financial losses in Europe related to card fraud were traced back to weaknesses with the mag-stripe, most countries in Western Europe started the EMV migration. The U.K. led the charge and learned a few lessons along the way. But fraud losses dramatically began to drop.

The benefits reaped by EMV-compliant countries encouraged neighboring countries and continents to follow suit; and now the rest of the world is sitting back as it watches fraud increasingly migrate to the U.S.

But there is hitch to all of this - one that is increasingly putting pressure on U.S. financial institutions and the card networks.

U.S. reluctance to move forward with chip-and-PIN has forced other countries to maintain a piece of the lingering technology. And that tether is making way for security gaps that are compromising EMV-compliant cardholders. A messy business, to say the least.

The European ATM Security Team Ltd., also known as EAST, last week released a fraud update for 2010. In it, EAST reports that skimming at ATMs remains a problem, even in EMV-compliant countries. Why? Because despite the move to chip-and-PIN, EMV cards must retain the mag-stripe. Cardholders from non-EMV-compliant countries must be able to use their cards when traveling abroad. And EMV cardholders need to have the mag-stripe to use their cards when traveling to countries that have not adopted chip and PIN. That means ATMs and POS terminals, even in EMV countries, have to continue accepting mag-stripes. Some countries, such as Germany, have implemented additional layers of protection on mag-stripe transactions - protections that have often led to the decline of mag-stripe cards.

The primary challenge - U.S. cardholders. It's not a new concern. To help eliminate card problems related to the mag-stripe for its members traveling and living abroad, United Nations Federal Credit Union in May announced it would be issuing chip-and-PIN credit cards to its members as a backup option.

But here is where the problem comes in. Let's look to the U.K. as an example. A U.K. cardholder conducting a card transaction in-country does not need the mag-stripe - only the chip in the card and then the PIN. But since the mag-stripe still exists on the card, and because the POS terminal still has the ability to read the stripe, when a transaction is conducted, the stripe can still be skimmed. Once skimmed, fraudsters can create fake cards and then use those cards overseas, in countries where the mag-stripe still reigns - i.e., the U.S.

Lachlan Gunn, director of EAST, says the mag-stripe is the problem. "You could see how the issuance of separate chip-and-PIN cards for travelers who travel internationally could be a possibility, or having the mag-stripe turned off when the card is not being used in a mag-stripe market," he says. "But the fraudsters can get around that, as long as the mag-stripe is still there."

While Gunn admits losses related to skimming are migrating away from EMV-compliant countries, losses are still being felt.

In 2008, 10,302 incidents of card skimming and losses of 484 million euro were reported in European countries that fall within the Single European Payments Area (SEPA). SEPA countries, in a nutshell, are merely countries that accept electronic euro payments and consider them domestic. Western Europe, and increasingly more of Eastern Europe, falls within the SEPA lines. In 2009, losses related to card skimming fell 36 percent, to 310 million euro and 10,184 incidents.

"We've made progress since 2006, 2007 and 2008, when we saw a spike in skimming incidents," Gunn says. "But as long as the mag-stripe is here, we will continue to see some incidents. It's unavoidable."

In the U.S., card skimming is growing. Think pay-at-the-pump, ATM - anywhere a card is accepted, especially at an unattended device. They are all vulnerable to skimming. Because of that growth in skimming fraud, some unexpected voices are echoing Gunn's sentiment.

I came across a blog last week written by Richard Oliver, the executive vice president of the Federal Reserve Bank of Atlanta. In it, Oliver says the U.S. remains the only substantial global economic power that has not embraced EMV. "That means that criminals, intent on profiting from card fraud, will continue to migrate to the United States in growing numbers," Oliver writes.

He adds, "If we want to mitigate the possibility of the United States being a center of card fraud and enable our consumers and business folks to travel abroad more easily, it may be time to charge someone in government with developing a well-thought-out, participatory, multiyear plan to move this country to the emerging global payments card standard."

Mr. Oliver, I could not agree more!



About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.