A security analysis firm called Gemini Advisory recently posted a report saying that credit card fraud is actually on the rise in the US. That’s surprising, because the US is three years out from a big chip-based card rollout. Chip-based cards were supposed to limit card fraud in the US, which was out of control compared to similar fraud in countries that already used EMV (the name of the chip card standard).
Chip cards work by creating a unique code for each transaction, and (ideally) require a customer to enter a PIN to verify that they want to make the purchase. This doesn’t make it impossible to steal information from chip-based cards, but it does make it much harder to reuse a stolen card. By contrast, using a magnetic stripe to swipe a card simply offers all the relevant information to the merchant’s card reader, which is much easier for a bad actor to steal.
Gemini Advisory now says that 60 million credit and debit card numbers were stolen in the US in the past 12 months, and most of those were chip-based cards.
The firm found this information by trawling Dark Web sites where stolen credit card numbers are routinely sold. The firm said that 45.8 million, or 75 percent, of the numbers posted this year were stolen from a physical point-of-sale (POS) terminal in a brick-and-mortar store, while the other 25 percent were stolen from online breaches. EMV can’t protect against online fraud, so that 25 percent doesn’t say anything about chip-based card security.
But what about the other 45.8 million? Ninety percent of those cards were EMV-enabled cards. Still, that doesn’t mean that the chip security isn’t working. “These results directly reflect the lack of US merchant compliance with the EMV implementation,” Gemini writes.
While nearly everyone in the US has had their old magnetic stripe cards replaced with new cards that have a chip, it’s not uncommon to try to pay for something at a brick-and-mortar store with a chip card, only to be asked to swipe the magnetic stripe on the back. That puts a customer at risk of having their card information stolen, no matter whether they have a chip or not.
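A simplified model of the difference described above between a chip's per-transaction code and a magnetic stripe's static data, added here as an illustration and not taken from the Gemini Advisory report or any card network's specification. The `Chip` and `Issuer` classes, the card number and the key are constructed for the example, and HMAC-SHA256 stands in for the real EMV cryptogram algorithm.

```python
import hashlib
import hmac

def tx_code(key: bytes, pan: str, counter: int, amount: int) -> str:
    # HMAC-SHA256 is a stand-in here, not the algorithm EMV actually uses.
    msg = f"{pan}|{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Chip:
    """Holds a secret key that never leaves the card, plus a transaction counter."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._counter = pan, key, 0

    def pay(self, amount: int) -> dict:
        self._counter += 1
        return {"pan": self.pan, "counter": self._counter, "amount": amount,
                "code": tx_code(self._key, self.pan, self._counter, amount)}

class Issuer:
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan], self._last[pan] = key, 0

    def authorize_chip(self, tx: dict) -> bool:
        key = self._keys.get(tx["pan"])
        if key is None or tx["counter"] <= self._last[tx["pan"]]:
            return False  # unknown card, or a counter value already used (replay)
        expected = tx_code(key, tx["pan"], tx["counter"], tx["amount"])
        if not hmac.compare_digest(expected, tx["code"]):
            return False  # code does not match these transaction details
        self._last[tx["pan"]] = tx["counter"]
        return True

    def authorize_swipe(self, stripe: dict) -> bool:
        # A stripe carries only static data, so there is nothing fresh to verify.
        return stripe["pan"] in self._keys

def demo() -> dict:
    pan, key = "4000000000000002", b"constructed-demo-key"  # constructed values
    issuer, chip = Issuer(), Chip(pan, key)
    issuer.enroll(pan, key)
    tx = chip.pay(2500)  # amount in cents
    return {
        "genuine_chip": issuer.authorize_chip(tx),
        "replayed_chip": issuer.authorize_chip(dict(tx)),  # same message sent again
        "altered_amount": issuer.authorize_chip({**tx, "counter": 2, "amount": 99900}),
        "copied_stripe": issuer.authorize_swipe({"pan": pan}),  # swipe-only terminal
    }
```

In this model the issuer rejects a recorded chip transaction when it is presented again or with changed details, while the static stripe data is accepted every time it is presented.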
When EMV was being rolled out, proponents said that merchants would be incentivized to upgrade their POS terminals to accept chip cards because the liability for any fraud would be shifted from the banks to the merchants or whoever was not supporting chip cards during a transaction. To avoid fraud costs, merchants would buy expensive new terminals, big card networks reasoned.
But in some cases, merchants have chosen not to upgrade. In other cases, merchants buy those expensive new terminals and can’t use them because they have to be certified by the merchant’s payment service provider. (Behind every credit or debit card transaction you make, there are several parties that are responsible for relaying information about the money being exchanged and the credit limits of the customer. You can read more about this ecosystem here.) Some of these payment service providers have been slower to act than others.
There are thousands of payment service providers, each offering small- and medium-sized businesses slightly different services for different fees. From a customer’s perspective, it’s difficult or impossible to tell which companies are providing a merchant’s payment processing services and who is responsible for lack of EMV support.
From the merchant’s perspective, the cost of fraud might be less than the cost of figuring out what needs to be done after they buy a chip card reader. In 2016, Visa and MasterCard said they would “limit the costs retailers might incur for counterfeit transactions while they wait” for EMV support, according to CreditCards.com. Visa promised it wouldn’t make merchants liable for fraud costs below $25 or fraud costs from more than 10 transactions from the same account. Limiting merchant liability is good for merchants, but it also takes some of the urgency out of the need to make sure your EMV terminal is working.
Still, it’s unclear what actions big card networks like Visa and MasterCard plan to take to make chip card readers more ubiquitous. In February 2018, Visa wrote that only 59 percent of US storefronts were able to accept chip cards, not including ATMs and gas station pumps that have until 2020 to become EMV-compliant. That’s a concern because, not only are customers vulnerable to having their card information stolen when they can’t use their chips, but also fewer EMV-compliant storefronts give fraudsters more places to actually use the stolen card numbers.
Neither Visa nor MasterCard responded to Ars’ request for comment.