Prime Factors’ makes a point of providing in-depth industry and market education to our customers and contacts. We’ve seen very strong response to our EMV education series, both in the US where the liability shift date is looming and internationally. After receiving an announcement related to the first webinar in that series, EMV Basics, Fabian Soler contacted me to share his thoughts about how EMV adoption could play out in the US. I read his comments with a good deal of interest and respect – Soler carries a number of security certifications and was, at one time, CSO for Payments Solutions Group of Fiserv.
Reflecting on the lag in universal EMV adoption in the US that many anticipate, Soler observes, “The deadline for full EMV support in Canada is Dec 2015 after which no payment terminal will be allowed to process magstripe domestic debit transactions – they will simply be declined by the Acquirer. This might be something you choose to share with your customers because the research here indicates all the fraudsters are moving their activities to the US. As such, not only are US merchants subject to the October liability shift but the frequency and amount of fraud they pay for will be higher.”
This point represents something we all have to keep in mind – the US market is in no way isolated. Globalization is a given, in illicit markets just as much as legitimate markets. We’ve already seen a shift of counterfeit card fraud from the markets such as the EU that have adopted chip&PIN cards toward the US. The principals of investment, return, and margin affect the decisions that professional card fraudsters make in exactly the same way it affects those of manufacturers, financiers, or any other vertical.
Likewise, there are switching costs from one kind of fraud to another that disincline participants from changing – a criminal who has become adept at navigating the darknet to purchase stolen payment card numbers, then applying them to counterfeit card fraud is unlikely to immediately drop that activity and pick up another more complicated and risky means to obtain illicit income (consumer identity theft, merchant identity theft, check kiting, etc.). Certainly, not when it is trivially easy to shift focus from a local market to the US market, which remains entrenched in the use of magnetic stripe payment cards. (Likewise, some of this activity will shift from point-of-sale [counterfeit] card present transactions to online card-not-present [CNP] activity.)
I believe this dynamic is, at least in part, driving some of the targeted data breaches of US retail chains in recent months. Obtaining the payment card primary account numbers (PANs) and other cardholder details represents a source to the primary supply chain of the counterfeit carders. It is part of the ecology of global cybercrime and influenced by environment just as any ecology must be. If the demand for US payment card PANs increases and the price carders will pay for them rises, providers of the stolen data will find ways to steal more, with less effort, to increase their margins.
A tip of the Prime Factors’ hat to Soler to his insights regarding how movements in international markets will impact US card issuers and card accepting merchants. For issuers, it clearly incents them to ensure EMV-compliant cards are provided to cardholders on or before the liability shift date in October, to reduce the impact of counterfeit fraud on their bottom lines. Merchants, on the other hand, need to ensure that their estimates of potential counterfeit fraud losses they may incur before compliant terminals are in place appropriately account for thid anticipated increase in fraud volume directed their way.
To learn more about the background of this discussion, register for a replay of the first in our five part education series, EMV Basics, by clicking on the image below.