Experian: EMV Chips Won’t Stop Payment Breaches


In-brief: Experian, the credit monitoring firm, predicts in a new report that many merchants will continue to suffer payment-related breaches in 2016, despite the shift to EMV technology from older, magnetic stripe credit cards. 

The long-overdue adoption of the EMV chip to secure credit cards in North America has fostered hope that a years long epidemic of credit card breaches will finally end. But one of the leading credit monitoring agencies is warning businesses not to start celebrating too soon.

Experian, the credit monitoring firm, predicts in a new report that many merchants will continue to suffer payment-related breaches in 2016, despite the shift to EMV technology from older, magnetic stripe credit cards. Slow adoption of the EMV technology by businesses, carve-outs for distributed payment systems like gas stations and ATM networks or a shift to attacks on e-commerce systems could mean that many businesses in North America continue to be vulnerable to large breaches. The result could be higher costs for businesses, given the shift in liability to merchants that comes with the adoption of the chip cards.

“It is important for companies and consumers alike to realize new payment technologies are not a panacea for payment breaches and fraud,” Experian wrote in its 2016 industry forecast. “If anything, it’s possible that e-commerce sites for retailers will bring the next wave of attacks. We’ve already started to see glimpses of this with the recent attacks on Costco and Walmart’s photo service websites.”

Consumers are confused about the new technology, explained Michael Breummer, the Vice President of Consumer Protection at Experian Consumer Services. Many believe the EMV chip will be a panacea for endemic problems like data- and identity theft, he said. “It won’t be.”

Rather, the U.S. will probably see the same dynamic that EU countries witnessed during their own EMV adoption more than a decade ago, during which fraud tied to physical stores declined, but online fraud increased, Breummer told The Security Ledger.

EMV – which stands for Europay, Mastercard and Visa – is a standard for cards equipped with embedded computer chips and technology to authenticate chip-card transactions. The chips make it very difficult to create counterfeit credit cards, even in situations where cyber criminals have an account holder’s information. After long resisting so-called chip cards, U.S. card issuers are migrating to EMV after years of massive data breaches at retailers like Target, Home Depot, and TJX. Merchants were given a deadline of October 1st to install card readers capable of handling chip cards. Those who did not transition to the new technology will be held liable by some card issuers for the cost of fraudulent, “card present” transactions – a major shift.

[Read more Security Ledger coverage of credit card breaches here.]

However, the new cards still haven’t made it into the wallets of most credit card users. A survey of credit card issuers commissioned by PULSE (PDF) in September found that 90% of U.S. financial institutions either have begun issuing EMV debit cards or currently plan to do so by the end of 2015, but only 25% of U.S. debit cards – approximately 71 million cards – will be migrated to chip by the end of 2015. By the end of 2016, that number will be 73% of cards, 96% by the end of 2017.

Consumer adoption is only one issue, however. The payment card industry has made exceptions for some kinds of institutions that accept credit cards. Specifically: small gas stations and automated teller machine (ATM) networks have more time to adopt the EMV card technology. Also: U.S. card issuers opted against the so-called Chip and PIN technology used in the EU, which requires users to enter a unique code at the credit card terminal to complete a transaction. That opens the door to fraudulent purchases in situations where the chip card is stolen and re-used.  

Beyond that, Breummer said that large retailers were the first in line to get the updated card readers that accept the EMV cards and that many smaller vendors in other industries are in line behind them, slowing adoption of the readers. It may take some months for that backlog to be filled.

In its 2016 Industry Forecast, Experian warned that 2016 will still bring headlines about payment breaches, despite the new EMV technology. “There will be some short term pain for the next 18 months as the industry works the loopholes out,” Breummer said.

Pessimism about payment cards isn’t the only warning in the Experian report. The healthcare sector will continue to be a target of malicious attacks and breaches, Experian said. Smaller doctor’s offices and healthcare facilities will likely account for most of the attacks, with many of those going unreported and unnoticed by the public, the company said.


Comments are closed.