It’s been just over two years since the liability shift around EMV pushed retailers and financial institutions towards adopting chip-enabled cards and terminals, and the fraud landscape for cybercriminals has shifted along with that adoption.
In June, Visa reported that it had issued nearly 450 million chip cards and that 50% of U.S. storefronts now accept the more secure payment cards. Visa also said that merchants who have upgraded their systems saw their counterfeit fraud dollars drop substantially from the previous year.
However, fraud is not disappearing; it’s just shifting, said Monica Eaton-Cardone, the co-founder and COO of Chargebacks911, on SurfWatch Labs’ recent Cyber Chat podcast.
“We have enough adoption — enough people, enough merchants are making that transition — that it’s already scared a lot of the criminals who were preying on these card-present ways of stealing cards, and they’ve already started leaving that market,” Eaton-Cardone said. “Unfortunately, what has happened is that all of that criminal activity has just migrated to the online environment.”
Squeeze one area of fraud, and malicious actors will simply rush to exploit other areas: a “fraud balloon,” as SurfWatch Labs’ Adam Meyer describes it. For example, in recent months SurfWatch Labs has observed an increase in both cryptocurrency attacks and attacks against consumer accounts tied to payment card information, and gift card fraud is expected to surge in the coming months as well.
Although the fraud landscape is shifting, ample opportunity still remains for fraudsters to exploit the old payment cards. The EMV liability shift for gas station pumps, which holds merchants using outdated technology responsible for fraudulent transactions on EMV cards, was originally set to go into effect last month, but that has since been pushed back until October 2020. Visa said the delay was due, in part, to gas stations needing more time to upgrade because of issues with a sufficient supply of regulatory-compliant EMV hardware and software.
Merchants have traditionally been focused on removing friction from purchases and making the process as fast as possible, Eaton-Cardone said. As a case in point, Chipotle announced a point-of-sale breach earlier this year after reportedly stating prior to the 2015 EMV deadline that it did not plan on upgrading its point-of-sale systems due to concerns such as increased transaction times.
“When you’re focused on speed, you’re probably not as focused on security, so maintaining that balance really can be a lifesaving item when it comes to protecting your business from liability,” Eaton-Cardone said.
That security should start with the basics, she said, such as:
- continually keeping software up to date in order to avoid known exploits,
- having a layered approach to fraud that includes both technology and human review so there is more than one line of defense,
- and putting a key focus on protecting data by following the Payment Card Industry Data Security Standard (PCI-DSS) and other well-established best practices.
Fraud is a dynamic issue, not a static one, and organizations need to adapt as the landscape changes — and that shift is increasingly towards the theft of data, Eaton-Cardone said.
“The world is transforming into a digital environment. It’s no longer cash is king. It’s really data is king.”
Listen to the podcast for more from Monica Eaton-Cardone on EMV technology, how organizations can defend against fraud, and what the fraud landscape will look like in the future.