Shift to EMV cards expected to increase online fraud

Next year's scheduled changeover to chip-and-pin debit and credit cards is expected to reduce in-store fraud, while significantly increasing fraudulent purchases online, experts say.

Recent high-profile break-ins of electronic cash registers at retailers Target and Neiman Marcus has added urgency to Visa and MasterCard's plan to dump the swipe-and-sign cards used today by U.S. consumers. In their place will be so-called EMV cards that store security data in an embedded chip.

Carolyn Balfany, head of MasterCard's U.S. product delivery group, told The Wall Street Journal that a key deadline, called the "liability shift," would occur October 2015. That's when retailers and banks still supporting the kind of debit- and credit-cards used today will be liable for losses resulting from fraudulent use of the cards.

"Whenever card fraud happens, we need to determine who is liable for the costs," Balfany said. "When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability."

EMV cards, which have been used for years in Europe, require people to input a PIN to complete a transaction with a retailer.

Payments cards in use today in the U.S. have a magnetic stripe for storing data, a decades old technology that hackers can easily mimic when using stolen credit-card numbers to make counterfeit cards.

While in-store fraud with bogus cards is expected to decline, the reverse is predicted for online retailers, which won't experience any significant improvement in security with the switch to EMV cards, experts say.

Instead of using stolen credit-card numbers at stores, criminals will intensify such activity online.

"Fraud is much like natural phenomenon, whether that be the flow of water or electricity, in that it moves to the path of least resistance," Al Pascual, analyst for Javelin Strategy & Research, which focuses on the financial industry, said.

While websites could require the PIN before completing a transaction, hackers could just as easily steal that data along with the card number.

"It's uncertain to see how moving to EMV can really secure anything online at this point," said David Kennedy, founder and security consultant of TrustedSec.

In time, the credit-card industry could develop ways to leverage the technology in EMV cards to bolster online security.

For example, a near-field communication (NFC) reader, either built into a PC or sold as a USB accessory, could be used to authenticate the EMV card to complete an online transaction. The chip embedded in the card could also be used in making purchases through a mobile phone, many of which support NFC.

"EMV cards do not currently offer much in the way of protection from CNP (card-not-present) fraud," Pascual said. "(But) there is talk of leveraging the NFC capabilities of mobile devices and contactless EMV cards to authenticate e-commerce and m-commerce transactions."

Pascual predicts some form of NFC authentication will become popular between 2015 and 2016.

The use of EMV cards is supported by the Payment Card Industry (PCI) Security Standards Council, which sets the rules retailers follow in accepting payment cards. The council has said that use of EMV cards will not change current security standards.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about JavelinNFCVisaWall Street

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts