The Fraud Examiner
PINs of Omission
What CFEs should know about the U.S.’s approaching smart card transition
By Zach Capers, CFE
In October 2015, the U.S. will finally transition to the world of smart cards — sort of. As the deadline to adopt the more secure credit card standard swiftly approaches, many observers are concerned that the lack of a PIN requirement will undermine the effectiveness of the technology and result in only a minimal reduction of credit card fraud.
A smart card is the same size as a traditional credit card but is embedded with a memory chip or microprocessor. The technology is also known in much of the world as chip-and-PIN because the user typically must be present with the card and enter a PIN code to complete a transaction. However, rather than chip-and-pin, Americans will use a system called chip-and-signature, which — as is typical of a magnetic stripe credit card — requires a signature instead of a PIN.
The worldwide standard for smart card technology is known as EMV, which is an acronym for its developers: Europay, MasterCard and Visa. The EMV standard has already been adopted by more than 80 countries and has been proven to sharply reduce fraud related to counterfeit credit cards (magnetic stripe cards, in contrast, have proven far easier to duplicate). However, without a PIN requirement, EMV credit cards that are lost or stolen offer little more protection than the traditional magnetic stripe cards.
Fraud Liability Shift
While talk about the migration to the EMV standard has primarily focused on technology, the October deadline represents a fraud liability shift from card issuers to merchants for card-present (CP) transactions. Historically, when a card user experienced credit card fraud, the responsibility for resolving the issue was the purview of card issuers such as Visa and MasterCard. After the deadline, liability for fraudulent transactions will shift to any merchants that have not upgraded their point-of-sale terminals to process the more secure EMV credit cards.
While most major retailers are likely to be ready by the October deadline, many small businesses are scrambling to ensure that they have equipment in place to accept EMV cards. Several companies including Intuit, PayPal and Square have recently introduced affordable EMV compliant attachments for iOS and Android-based devices to fill the gap. Exceptions to the October deadline include owners of ATMs and automated fuel dispensers (AFDs), which have an extended deadline of October 2017.
Not a member? Click here to Join Now and access the full page.