Future of lp By Tom Meehan, CFI
EMV: Not the End of Fraud, but a Helpful Tool
Meehan is the corporate manager of data, systems, and central investigations with Bloomingdale’s where he is responsible for physical security, internal investigations, LP systems, and data analytics. Meehan specializes in new technology deployments, business intelligence, industrial intelligence, and systems implementation and design. Meehan brings nineteen years of expertise in retail LP, information technology, and process improvement, the last eleven years with Bloomingdale’s and eight years prior to that with Home Depot. Meehan is also chair of the LPRC’s future of LP working group and co-chair of the fraud working group. He can be reached at tom.meehan@bloomingdales.com.
raud and cyber security have never been more on the forefront of asset protection professionals’ list of things that keep them up at night than they are today. With the introduction of the EMV chip, we were hoping to get a little bit more sleep at night. However, the EMV isn’t exactly “new” technology; it’s decade old, and the bad guys already can defeat it. EMV was first developed in 1994 as a way to mitigate credit card fraud, but before we get too deep in the issue at hand, let’s start with some basics.
was patented over fifty years ago in 1966. Hopefully that fact sets the frame for you as to why our old pay methods were so easily pirated by bad actors. To comply with many stores’ legacy systems, the EMV-chipped cards are backward compatible to still use the magnetic strip. Those who have updated their systems now have customers “dip” or place the card into a reader for a moment of time, and the information is accessed off of the integrated chip. The consumer is then prompted to either include their signature or put in a PIN—hence, chip and PIN or chip and signature. This is meant to alleviate some of the more basic methods of gathering card information like skimming.
EMV Basics
The Challenges
F
EMV was originally implemented to try to solve fraud and to better protect a customer in the omni-channel environment. EMV stands for Europay, MasterCard, and Visa. EMV cards are typically used in three ways for transactions: smart cards, chip and PIN, or chip and signature. An EMV chip and PIN card creates a unique code for each transaction and (ideally) requires the consumer to enter a PIN (personal identification number) associated with the card instead of relying on a signature. Chip-enabled cards store their information in an integrated circuit as opposed to the magnetic strip that
The good news is that not every bad guy who had tools to get information off magnetic strips can do the same with the EMV chip. The bad news is that organized crime rings adjusted their tactics and found ways to skim and capture the information from the chip, including the PIN number for a chip card. 26
march–april 2016
|
Not many associates are familiar enough with your signature to verify that it is yours. Thus, the FBI recently released a survey that basically said EMV (chip and signature) was not going to solve the problem. The US needs to deploy chip and PIN for EMV to reach its full effectiveness. Research coming out of the UK shows that after the move to chip and PIN, counterfeit card fraud losses in the UK decreased almost two-thirds from 2005 to 2013. In that same time span, fraud losses from lost or stolen cards decreased over 40 percent. While the result is significant overall, fraud increased year over year in other channels. However, the lessons learned in the UK may not be an accurate representation of how the EMV chip will behave in the US. More than half of all card fraud occurs in the United States. In 2015, the US was responsible for 47 to 60 percent of the world’s card fraud, while only accounting for 24 to 30 percent of total worldwide card volume. To further obscure the issue, in 2005 there was no buy-online-pick-up-in-store, curbside-pickup, someday-deliver, or other omni-channel program the way they exist today—another reason the UK results probably won’t paint a clear picture. The other problem is data breaches in the US. There were more than 1,500 data breaches in 2014, about a 46 percent increase from the year prior affecting more than one billion data records. Both retail and financial services account for about 20 percent of the breaches, almost evenly split. This is a problem: more info to the bad guys equals more counterfeit cards and IDs. In 2014 over 75 percent of reported data breaches worldwide were reported in North America. Forty-seven percent of fraudulent cross-border transactions on UK debit cards
LOSSPREVENTIONMEDIA.COM
