9/29/2016
06:00 PM

EMV: The Anniversary Of One Deadline, The Eve of Another

How merchants and criminals responded since the EMV liability shift for point-of-sale devices one year ago. And what changes can we expect after the liability shift for ATMs, which is just days away?

The US on Saturday celebrates the one-year anniversary of the EMV liability shift on point-of-sale systems and will ring in a brand-new liability shift: for Mastercard EMV cards on ATM machines.

If a merchant is unable to process EMV purchases, liability for chargeback losses shifts from the EMV payment card issuer to the merchant. Visa's deadline for EMV on ATMs is next October. 

Thanks to EMV on POSes in the US, counterfeiting is down, and account-opening fraud is way, way up. 

How much of that fraud -- which Experian counts as a subset of "e-commerce fraud," which is slightly up overall -- is attributable to greater EMV adoption? That's a matter of debate.

Some of the increase in "card-not-present" fraud is indeed a result of adaptable attackers shifting their tactics -- as one door closes, a window opens -- but some of the increase in e-commerce fraud could just be because of an increase in e-commerce.  

Besides, merchants have a long way to go before they're fully EMV-capable.    

On the 1-year anniversary, how are merchants doing with the migration of EMV technology on the POS?

According to a report by The Strawhecker Group (TSG) released last week, only 44% of card-accepting merchants have EMV terminals. What's worse, only 29% of card-accepting merchants can actually accept EMV chip-based transactions.

"You're seeing a lot of pieces of paper over the chip readers," says Jared Drieling, business intelligence manager of TSG. Paper, or maybe tape or stickers, he says.  

Why the tape? Because each POS system -- not just each terminal but the back-end systems -- must go through a testing and certification process before the EMV terminal can be activated. First, says Drieling, procrastinating merchants found themselves waiting in a long queue just to buy the terminals from backstocked suppliers, and now they find themselves in a long queue to get their certification processed.

Contributing to the trouble was the timing of the deadline. October 1, says David Britton, vice president of fraud and identity industry solutions at Experian, is the "absolutely worst time to do anything from a change perspective," because retailers are not going to do anything to disrupt their holiday season. Therefore, any merchants that hadn't migrated before the deadline weren't likely to do so until January.

2016 kicked off with a surge in demand for terminals and a rush of certification requests. That's how backlogs started to build up.

The saturation of EMV also varies by industry and organization. Fast-food restaurants, for example, are behind on migration, because they cannot accept the extra seconds EMV transactions add to wait times, and more importantly fast-food joints "don't see a lot of fraudulent activity," says Drieling.

If you're a fraudster, he says, "you're probably going to the Rolex store" or some other high-end store where you can buy something that can be resold; not a Big Mac. Meanwhile, jewelry and electronics stores, regardless of size, and shops in high-fraud states are ahead of the curve, he says.

Plus, although the EMV POS liability shift of Oct. 1, 2015 is often referred to in grand sweeping terms, it didn't actually apply to all POSes. Self-service gas pumps were given until Oct. 1, 2017 -- an additional two years -- before the shift kicks in.

Despite it all, though, Drieling says merchants have made "significant progress."

Does EMV work? 

"EMV is actually a good thing because it does do a very remarkable job of preventing counterfeiting," says Britton. "As long as we remember that was the intent of it."

Mastercard reported that its fraud data from April shows that year over year, not only are the costs of counterfeit fraud going down for those merchants who've adopted EMV, but costs of counterfeit fraud are going up for merchants that have not adopted EMV.

According to the Mastercard figures, US retailers with EMV rollouts that are completed or near completion saw counterfeit fraud costs decrease by 54% while "large merchants" that had not migrated or just began migration saw increases of 77%. 

EMV doesn't eliminate card-present fraud entirely, though, for several reasons.

How are criminals doing with migrating their crime?

Continued On Page 2

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
