US Retail and the Great EMV Migration

One of the merchants, Target, has since expedited plans to issue chip-and-PIN-enabled store credit cards to replace the magnetic-stripe cards involved in the breach. In March, Target announced an accelerated US$100m plan to move its REDcard portfolio to chip-and-PIN technology. It plans to have the new technology installed in all US stores by the end of this month, six months ahead of schedule. Other retailers are likely to follow suit, and shipments of the higher-security cards to US consumers are projected to reach 344m by 2019.

Market Size

During 2014, there has been a rapid acceleration in the number of Europay, MasterCard and Visa (EMV) cards in the US. Shipments of the higher security smart payment and banking cards are projected to increase to 84m in 2014, according to IHS Technology’s recently-issued ‘Payment and Banking Cards Report – 2014’, from which the table below is taken:

 
IHS US card market

EMV Wouldn’t Have Prevented The Target Security Breaches:

It is important to note that EMV technology would not have prevented the Target breach, which involved the installation of malware inside point of sale (POS) terminals’ memories, where data is unencrypted regardless of the type of card from which it originated. However, criminals’ ability to reuse that payment information – specifically to create and sell counterfeit cards – would have been greatly reduced.

More Cards in Circulation:
In August 2014, a joint statement issued by Visa and MasterCard announced that “more than 575m US payment cards will include EMV chips by the end of 2015.”

Liability Shift in 2015 Will Also Drive EMV Migration:
Coupled to the ramp-up of EMV cards in 2014, the liability shift by Visa and MasterCard in October 2015 is also projected to increase the demand for EMV cards and EMV compliant POS terminal in the next 13 months and beyond.

Stolen Credit Card Data from Home Depot:
Most recently, this month has seen the news that Home Depot may be the latest US retailer to suffer a credit card breach. This was after a website reported that a large cache of stolen data had appeared on black market sites. According to information first reported by Krebs on Security, the breach may have extended as far back as last spring. So what can retailers and the payments industry do to protect us from the increasing threat of fraud and security breaches?

Potential Next Steps in Keeping Ever-Innovative Fraudsters at Bay:
One area in which the card issuers concede EMV technology will not prevent fraud is when stolen information is used to make purchases online or over the phone – so-called ‘card-not-present’(CNP) transactions, where no chip transaction is involved. In fact, evidence exists that CNP fraud has increased in countries that have adopted EMV cards. The UK, for one, saw losses from CNP fraud triple between 2000 and 2010.

For this reason, many of the world’s largest banks are urging adoption of a tokenisation standard. This would help protect card data by substituting the account number with a unique, randomly generated sequence of numbers and alphanumeric characters that would make it difficult to use the same card repeatedly. In any case, as both consumers and criminals alike continue to abandon the physical POS to make their purchases online, increasingly sophisticated security technologies – whether they be tokenisation or other advanced encryption methods – will have to follow. It is important to look at this area as part of a layered approach that includes tokenisation, end-to-end encryption and EMV cards.

Conclusions

There are a number of conclusions that can be drawn from the state of play of EMV migration in the US:

  • There is no ‘quick fix’ in regards to EMV migration. It will take time for the US to be EMV-compliant. On average, EMV migration within a country can anything between three and five years to fully complete.
  • EMV expansion to the US may have been slow over the past few years, but at least it is properly standardised and regulated.
  • There needs to be a layered approach when it comes to keeping ever-innovative fraudsters at bay. This will include tokenisation, end-to-end encryption and EMV cards.

 

20 views

Related reading