CONTINUE TO SITE »
or wait 15 seconds

Article

Card fraud: The target on the US market's back

After a widely reported Target breach, consumers are being schooled in realities the ATM industry has known for some time.

January 17, 2014

by Daryl Cornell

CEO, Triton Systems

In the three weeks since the Target data breach was disclosed, news coverage of the event has continued to grow. The theft of an initial 40 million credit and debit card numbers along with names, addresses and encrypted PINs was subsequently upgraded to 70 million and now to more than 100 million customer accounts.

On the heels of Target, we are being told that a breach at Neiman Marcus has also exposed untold numbers of customers to potential card fraud. To be clear, these were computer breaches that provided hackers with customer information, card numbers and (so far) only encrypted PIN information.

(ed. note: It now appears that attacks Target and Nieman Marcus might not have been isolated events, but rather part of a broad data theft scheme focused on operators of point-of-sale systems. If this is the case, the full scope of the data theft remains to be seen.) 

Without unencrypted PIN data, the likelihood of ATMs being used to withdraw cash from these hacked accounts is small. However, the widespread press coverage has resulted in a newfound public awareness of the state of the U.S. debit and credit card industry.

The general public is now being schooled in a number of realities widely known for some time in the ATM industry:

The US debit/credit card market is among the least secure in the world

Now that Europe, Asia, Canada, Mexico and most of the rest of the world has moved to EMV, the U.S. is one of the few magnetic stripe markets left.  Many experts predict a surge in card fraud in the U.S. in advance of EMV adoption in 2016-2017, as thieves look to exploit the vulnerabilities of mag stripe technology.

While MasterCard, VISA, AMEX and Discover will absorb this fraud increase in the short term, negative publicity and a high nuisance factor will likely dent overall card use to the detriment of all industry participants.

Without a governing body in place (e.g., Interac, Link), US adoption of EMV is being driven solely by the threat of liability shift by the card schemes

This approach to technology adoption is not without its disadvantages. For starters, the relationship between the card schemes, ISOs and merchants has been strained for some time. Disputes over pricing, card fees and routing technology requirements have spilled over into the courts, eroding trust.

In addition, a history of spotty hardware upgrade enforcement and oft-extended deadlines by the card schemes has resulted in a "wait and see" approach to EMV by many ISOs.

Finally, a general lack of understanding on the part of ISOs as to the meaning of "subsequent fraud" has many deciding to roll the dice as they did successfully with both PCI and ADA.

Debit card risk is much higher than credit card risk

Sophisticated credit algorithms employed by the card schemes are continuously being strengthened and have reportedly done much to hold the line against fraud losses. The customer inconvenience resulting from credit data breaches is partially offset by low or no loss limit thresholds.

Debit card fraud, on the other hand, is limited only by account balances. This makes it much harder and more painful to rectify, even when customers are ultimately made whole.

Retailers might decide that private label cards are no longer worth the negative publicity resulting from potential breaches. Since a majority of retail ATM transactions are conducted using debit cards, any shrinkage in debit card use will negatively affect both ISOs and banks.

EMV is not a magic bullet

While constantly being improved, EMV is a 20-year-old technology. ISOs justifiably complain that it is all cost and no benefit (to them) and that the adoption of a newer technology would make more sense.

As in other markets, the first generation of U.S. EMV cards will contain both smart chips and magnetic stripe fallback for non-EMV ATMs and terminals. In addition, chip-and-signature will likely be maintained for many cards rather than the more secure chip-and-PIN.

Finally, card-not-present transactions will remain susceptible to fraud. As a result, U.S. card fraud post-EMV is likely to drop but certainly will not be eliminated.

The Target and Neiman Marcus breaches could still prove to be isolated cases with contained fallout. However, if we do see more large-scale exposure of cardholder information, look for Congress to weigh in on both card security and EMV adoption as early as this year.

This article has been republished from the Triton blog, atmAToM, with kind permission from Triton.

Read more about EMV.

photo: vizzzual.com

Related Media

Security
Examining biggest ATM security issues and 4 strategies to prevent them
Security
Banking privacy: 5 benefits for banks, customers
Security
Protecting an ATM's hardware, software by slowing down criminals
On-Demand Webinar
A Masterclass in ATM Security: Global Best Practices and Trends
Presented by Diebold Nixdorf
Recent Posts
DC AG sues Bitcoin ATM operator Athena Bitcoin for allegedly exploiting scam victims
NCR Atleos earns #5 rank in fintech rankings
SEC to revamp cryptocurrency policies amid Trump's pro crypto push
Chase selects Nova Credit for cash flow underwriting
Metropolitan Commercial Bank named as an SBA loan provider


©2025 Networld Media Group, LLC. All rights reserved.
b'S1-NEW'