NEW YORK — The October deadline for shifting EMV liability may still be months away, but even with several years of lead-up time, there is widespread skepticism in the payments industry about whether the change will help combat fraud.
That's according to a new study from the Ponemon Institute and Experian Data Breach Resolution, which found that barely half (53%) of respondents believe a shift to chip & pin will decrease their risk of suffering a breach, while nearly 70% said that the pressures of migrating to new payments systems — either EMV or mobile payments — put consumer data at risk.
Nearly 750 U.S.-based professionals in the IT, risk management, product development and payments systems industries were queried for the survey that the report is based on, including representatives from financial institutions, payments processors, regulators, merchants, and more.
According to Michael Bruemmer, VP of Experian Data Breach Solutions, even though EMV has been used in Europe for more than seven years and U.S. FIs and retailers have had four years to prepare, time has not reassured American payments professionals.
"They think [shifting to EMV] is necessary, whether it's because of a legal obligation because of the October 2015 deadline or they feel like their systems are out of date and they're rushing toward this, [but] they are still concerned," he said.
Part of what's driving those concerns, he continued, is that "As chip and pin has been implemented in Europe, you've seen a shift in fraud from in-store to online, so while the type of fraud and where it's occurred has changed, the total amount of fraud has not gone down as significantly as people expected."
Hackers Ready to Strike
Another problem, said Bruemmer, is that with the long lead time, hackers have had plenty of opportunity to figure out how to game the new systems.
"You've had three or four years for hackers to figure out how can I get around the system, whether it's taking advantage of those still on mag stripe that haven't shifted, whether it's targeting businesses in the middle of their transition, or having four years advance headstart to figure out how to build a better hacking mousetrap," he said. "That's the reality of what's happening. People feel they're doing the right thing, but they're being honest about saying consumers are still at risk."
The Experian/Ponemon report also revealed a whopping 68% of respondents fear that migration to new payments systems will put consumer data at risk, despite the increased security from tokenization used in both EMV and mobile payments transactions.
"The prevalence of mega breaches in the retail payments sector that occurred during the last 12 months showed two things," said Bruemmer. "It showed that everybody's vulnerable, and that regardless of the types of systems or types of vectors of attack, that data is still at risk."
Bruemmer added that even though new payments systems are more secure, there are significant concerns within the industry that hackers are still "getting ahead and taking advantage of the weakest link in the system."
Much of what's driving these concerns, he said, is that the entire industry is fighting a battle that it can't ever truly win.
"It only takes a hacker being right or being successful one time to get into the system, where to be successful as an organization defending against fraud, you have to be right 100% of the time."
The CU Side of Things
Bruemmer predicted that as more and more FIs issue cards and more consumers start using them at EMV-enabled point-of-sale terminals, much of the skepticism around the issue will begin to disappear, but it may not be until well into 2016 — or even later — that everyone in the ecosystem has had their confidence boosted.
According to Bruemmer, there are three takeaways for credit unions. For starters, he said, CUs need to implement EMV, and they need to do it sooner rather than later, "because I think people that are going to in fact be caught in transition for a long period of time or who lag behind are going to be the targets."
Credit unions would also be well advised, said Bruemmer, to advise members which merchants accept EMV and which do not. And credit unions may even be able to boost their non-interest income streams by offering ancillary services such as credit monitoring for their members during the transition.
Not only is there plenty that credit unions can do to ensure that members understand the changes that are taking place, said Bruemmer, but conversations within the industry need to continue as well.
"There needs to be more focus on an industry dialogue on how to manage the balance between innovation and new technology, and making sure that companies have the right priority on security with that technology as they adopt it," he said. "The focus in specifically chip and pin and mobile payments is still ongoing and needs to be ongoing, but let's make it an industry dialogue."
The study is available online at http://www.experian.com/data-breach/2015-ponemon-payments-ecosystem.html