The deadline nobody’s talking about
That didn’t take very long. Six months after the release of Apple Pay — a potentially revolutionary secure mobile wallet technology — cyber criminals have found a low-tech way around the payment verification process using stolen credit card numbers.
Although Apple Pay’s encryption has not been compromised, fraudsters have found a way around the system by leveraging a loophole in the verification process some banks use when an Apple user adds a new credit card to their Apple Pay account, according to news reports by The Wall Street Journal. The loophole is possible because some banks use a less rigorous process for verifying credit card data — requiring simple details that are easily obtained by identity thieves.
This latest wrinkle in the cybersecurity landscape reflects more on the state of security in the banking and payment card industry — and Washington’s inability to promote broad industry adoption of global standards — than it does on Apple Pay. But if history is a guide, payment card security will remain a moving target in the U.S. for some time to come.
It’s been three years since the big payment brands — Europay, MasterCard, Visa, American Express, Discover, UnionPay and others — established a deadline for banks to transition away from cards that store information on magnetic stripes and toward chip-based cards, known as EMV cards. Banks and other card issuers, as well as merchants who accept credit cards, have until Oct. 1 to make the transition. But the transition carries an estimated $6 billion price tag, and if the industry fails to transition before another massive data breach, Congress will have to act on a tangled mess of policy implications. Together, those factors make this year a critical turning point for U.S. cybersecurity.
The U.S. is already dead last when it comes to adopting the EMV card global standard. The rest of the world is already well on its way to transitioning to chip-based cards, with nearly 2 billion cards issued across 80 countries. And yet the U.S. bears a disproportionate credit card fraud burden compared to the rest of the world, according to the Congressional Research Service. The U.S. accounts for only a quarter of the world’s credit card payments but is responsible for nearly half of the losses from fraud — more than $5 billion.
And while the industry’s self-imposed deadline is generally a good thing, there are more questions than answers when it comes to the practicality of the strategy. In addition to the high cost, the same factors that have contributed to the slow adoption rate in the U.S. for the past three years continue to cast a shadow on the 2015 goal. A lack of technical standards, the inability of banks to agree on an industrywide standard card verification process and Congress’ knee-jerk policy reactions to major data breaches will result in more uncertainty this year, not less.
The uncertainties and disagreements between all of the industry players with a vested interest in how this issue is managed could actually contribute to a spike this year in payment card fraud. The Congressional Research Service found that some countries that migrated to EMV credit cards without also simultaneously migrating debit cards actually saw a temporary increase in fraud. And thanks to litigation by the National Retail Federation challenging the debit card transaction fees established by the Federal Reserve Board, years were lost in the U.S. effort to transition debit cards to EMV technology.
“If the United States migrates to chip-and-PIN without market consensus, agreement, or in a timely and concerted effort; those issuers, networks, or merchants who are slow to migrate will see increased fraud levels and the impact on overall fraud levels could be minimal,” a study by the Federal Reserve Bank of Atlanta states.
There is one area of relative clarity in America’s lumbering approach to EMV card technology adoption: liability. Things are about to get interesting. When Oct. 1 rolls around, liability for payment card breaches will shift dramatically. The entity that has not made the shift by the deadline — either the card issuer or the merchant that employs the payment terminal — will accept liability for fraudulent transactions. So if a bank issues a chip-based card and a merchant doesn’t yet have a chip point-of-sale terminal, the merchant is on the hook for any fraudulent transactions. Likewise, if a merchant has a chip point-of-sale terminal but a customer uses a card with a magnetic stripe, the bank assumes the liability.
But will this pressure be enough to make the transition finally happen in the U.S. this year? What about the incentive to do nothing? If a card issuer and a merchant choose not to make the change to chip-based payment cards and terminals, the liability framework remains as it is today, with about 60 percent of losses picked up by the card issuer and 40 percent by the merchant.
As with many pressing issues facing national cybersecurity policy, the wild card in the payment card industry’s EMV transition plan remains Congress. Lawmakers introduced four pieces of legislation during the 113th Congress dealing with data breach issues and credit card theft, none of which became law.
As of March 6, there are 208 days to go before the Oct. 1 deadline. There are about 1.1 billion credit and debit cards in use in the U.S.