In October 2015, the long-awaited "liability shift" from payment card issuers to merchants took effect in the U.S., which for years had been one of the last strongholds of magnetic stripe-only cards. This change meant that merchants without EMV technology built into their point-of-sale terminals became liable for fraud. In other words, whichever party in a given transaction had implemented the most secure technology would prevail in a chargeback scenario.
It has not yet been a year since the shift occurred, and the EMV rollout has been steady yet uneven across the country:
One of the most substantial effects of the EMV rollout has been the impact on card-present versus card-not-present (CNP) fraud. EMV chips make many classic types of card data theft, such as skimming and point-of-sale malware, impractical, which is crucial considering that many of the biggest breaches were related to magnetic-stripe exploits. That being said, attackers are now channeling their energies toward online fraud, since e-commerce is still a weak spot for many merchants.
"With the introduction of [EMV] cards, card skimming attacks have become significantly harder for cybercriminals to carry out, particularly in-store," explained the 2015 Entrust Datacard document "Securepay Compliance Guide." "However … the switch to EMV cards will cause merchants to implement fraud resistant chip point-of-sale devices in their brick and mortar stores, leaving them open to online attacks and liable (as well as the banks that fund their store cards) for losses resulting in fraudulent use."
It is important to note that in the near term, the EMV shift could also increase POS fraud in tandem with e-commerce fraud, as cybercriminals rush to cash in before the magnetic stripe window closes. An iovation/Aite Group study estimated that $10 billion in fraud would occur between 2016 and 2020 as stockpiles of stolen cards are used up. This would echo the 79 percent jump that the U.K. saw in the first three years of its EMV migration a decade ago.
In the years ahead, both e-commerce and digital banking operations will feel the pressure from rising levels of CNP fraud initiated by the EMV shift. The paramount goal for vendors and banks will be to secure their users' identities to prevent data breaches. The bulk of all such incidents start with a stolen login credential such as a weak password; the 2016 Data Breach Investigations Report from Verizon pegged the share at 63 percent.
Fortunately, there are now numerous options that can help establish trusted identities even as more transactions move to the cloud and across multiple computing devices:
Establishing trusted identities will be as important as ever in the coming years as merchants and banks attempt to keep threats at bay. How each firm approaches risk-based authentication will depend on its particular requirements, but it is crucial that security teams start thinking today about what they can do to ensure trusted identities as the EMV shift pushes more fraud into the online realm.