“‘My dry cleaner isn’t worried about someone using counterfeit cards at his cash register,’ he said, noting that many businesses meanwhile discount the chances that hackers will siphon customer cards by sneaking malicious software onto point-of-sale devices — a problem that has led to one breach after another at brand name retailers, restaurants and hotels over the past several years.”
The “he” in question is a Silicon Valley-based management consultant, quoted by Brian Krebs in his indispensable “Krebs on Security” blog, in a piece called “The Great EMV Fake-Out: No Chip For You!” The gist is that even though banks and credit unions have (mostly) issued new chipped cards, “comparatively few retailers actually allow chip transactions: Most are still asking customers to swipe the stripe instead of dip the chip.” What’s going on here, the post asks. And where does all this leave consumers?
It apparently leaves them waiting, if they want to assume that every point-of-sale purchase they make will be more secure. According to a study released by the Strawhecker Group, “‘it appeared that some merchants delayed EMV migration completely until the holiday season ended to prevent friction and confusion at the checkout line,’ according to Jared Drieling, Business Intelligence Manager at TSG. However, merchants need to understand the consequences of delaying EMV migration now that they will face the fraud liability risk. ‘I suspect that many merchants that have delayed, especially merchants in higher risk categories, felt the impact of the liability shift last year and we’ll see them aggressively ramp up plans to migrate.’”
According to Krebs, “Visa has said it typically took about three years after the liability shifts in other countries before 90% of payment card transactions were ‘chip-on-chip,’ or generated by a chip card used at a chip-based terminal.”
And what should the response of your own business be to the current EMV situation? According to the IT security site Dark Reading, “So, yes, smart cards are more secure than the traditional magnetic stripe-only cards. If you are responsible for information security at your company, your first order of business should be to install point-of-sale terminals that can accept both chip and tap-and-pay cards, as well as mobile devices such as smartphones and smartwatches that include similar Near Field Communications (NFC) technology.”
But, the article cautions, “even with these new terminals installed, you have not eliminated the risk of fraud. For signature transactions, instruct employees to continue to verify customers’ photo ID. You must also be ready for an increase in online fraud as thieves, discouraged by an inability to use physical cards in stores, will turn to using stolen card numbers on your e-commerce sites.”
In countries that have adopted EMV standards, there was a noticeable spike in online fraud — if those pilfered account numbers couldn’t be used in person, they could maybe be used briefly for online purchases. However, “despite the cost involved in upgrading PoS systems and replacing magnetic stripe cards, the improvement in data security and reduction in liability will be dramatic.”
Yours is, after all, exactly the kind of business that does care whether somebody uses a counterfeit card at your register.