Security is the ultimate point/counterpoint effort. But instead of a one-for-one ratio — instead of a 50% increase in security here reducing fraud attacks over there by 50% — many of the security measures adopted in retail result in a net increase of fraud success. Such a situation exists with EMV, and Visa and Mastercard have just made it worse.
Let's start with the good security news. EMV, executed properly, should pretty much block all cloned cards. In the olden days of retail fraud, that was the most popular means of cashing out stolen payment card credentials. As expected, as EMV slowly makes its way into physical retail storefronts — and by slowly, we mean that today, more than a year after the deadline for EMV came and went, the vast majority of stores have yet to activate EMV — online fraud has increased.
Interestingly, fraudsters have discovered that online fraud is a lot easier and more profitable than physically making cloned cards, let alone less risky. Cyberthieves were never in love with the idea of walking into a store, risking arrest if the cloned cards were discovered. That's why clueless locals were almost always used to cash the cards in. If they were arrested, there theoretically would be no way to connect them to the real bad guy.
The result is that online fraud is increasing more than in-store fraud is decreasing. And don't forget that the vast majority of stores don't yet have EMV protection, so retail is now getting hit from both sides.
This requires fast action from the forces behind retail payments. And so, in December, both Mastercard and Visa announced that they were further extending the EMV deadline for gas stations by an additional two years. Wait a second, what?
Mastercard and Visa are basically telling cyberthieves that they should push their physical fraud operations to gas stations.
By the way, this EMV delay for gas stations is on top of an earlier delay for them. Triple sigh.
In fairness, gas stations do tend to need more time for POS changes, given the nature of their card swipes and the physical changes needed. Those needs, however, should have been addressed with the initial delays — delays lasting two extra years, mind you.
This is how Visa described it's decision in its statement: "We knew that the (gas station) segment would need more time to upgrade to chip because of the complicated infrastructure and specialized technology required for fuel pumps. For instance, in some cases, older pumps may need to be replaced before adding chip readers, requiring specialized vendors and breaking into concrete. Furthermore, five years after announcing our liability shift, there are still issues with a sufficient supply of regulatory-compliant EMV hardware and software to enable most upgrades by 2017."
Makes sense, so far. Then Visa offered this rationale: "An important element of our study has been that fraud rates at fuel pumps are relatively low — approximately 1.3 percent of total U.S. payment fraud." Perfect. The best response to that is to announce to thieves everywhere that gas stations will have the weakest security of any merchant, so please redirect your attacks.
The main reason that gas stations have relatively few current attacks is that they offer a fairly low ceiling on how much can be stolen at any one time. Convenience store snacks and even a full tank of premium for a large SUV simply can't compare with a chain that sells $500 gift cards and multi-thousand-dollar TVs. But those limits will be irrelevant as merchants increase their EMV rollouts. This accomplishes little beyond painting a red bulls-eye on gas stations everywhere.
The card brands could have worked with the industry to accelerate the availability of that POS equipment years ago, back when it first decided to push EMV in the U.S. A very legitimate criticism of both Visa and Mastercard is that they set in motion this huge EMV effort without doing what was needed to fulfill the demand they were creating.