finance & strategy
EMV Rollout: A Strong Head of Steam
cnp & pos Fraud trends
T h e n u m b e r o f U . S . v i c t i m s , i n m i l l i o n s , f r o m C N P a n d P O S f r a u d :
5.6
6.0
5.4
4.8
CNP POS
4.3
6.7
3.0
5.3
0 2 4 6 8 10 12
*Data breaches in 2014 account for the increase of POS fraud victims in 2014, according to Javelin.
source: Javelin Strategy & Research
public relations, for the National Retail Federation trade group.
The retailers that have met the
EMV October liability shift deadline have spent, on average, about $2,000 per compliant payment terminal, a cost that includes installation, software, connecting the POS into the inventory system and all other necessary tasks. (MasterCard says that basic EMV- compliant terminals run about $200 to $300 each, but that  gure doesn’t include associated costs.)
Retail Targets
Besides smaller retailers and chains, grocers are, in general, a step or two behind in EMV compliance in the U.S., experts say. That’s a product of many grocers operating large chains, increasing terminal costs, and the general tendency
of criminals to try card fraud at other types of merchants—for instance, jewelers and sellers of sports equipment—where the gains are higher than with groceries. In fact, the next wave of EMV migra- tion likely will involve those smaller retailers of relatively high-priced goods, as criminals shift from the big box stores with EMV to the weaker defenses of smaller mer- chants, says Al Pascual, senior vice president, research director and head of fraud and security at Javelin Strategy & Research.
“There are also a lot of holdouts
in the travel industry, hotel and restaurants, which is another
area of concern,” he adds. That’s not because criminals will target a restaurant more than an electronics
store for direct fraud, he says, but because travel and entertainment will represent a juicy target for criminals bent on stealing mounds of mag-stripe data, which then can be used for fraudulent transactions, often after the data are sold on the underground market. In short, the move to EMV could lead to more breaches among hotels, restau- rants and travel providers.
New Javelin data show that the EMV rollout “has not tangibly lowered card fraud so far,” but experience in the U.K. and Canada suggests that fraud will decline— or at least move to new areas.
For instance, criminals frustrated by the stronger security o ered
by EMV chips may move to other types of fraud, such as taking over consumer accounts and  ling fraudulent credit card applications. Although still a small percentage
of U.S. consumer fraud in 2015
at 0.62 percent, application and account takeover fraud was up from 0.29 percent the previous year.
“We expect that trend to continue,” Pascual says. That growth is also signi cant because losses from application fraud tend to be higher than other forms of associated criminality: a $2,379 mean loss compared with $1,424 for an account takeover. (Most consumers pay nothing for fraud conducted via their payment cards, though legal fees can mount for consumers who had their identities stolen or compromised, he points out.)
Overall, Javelin says fraud is shifting to card-not-present transactions but the massive data breaches in 2014 caused a tem- porary shift in the opposite direc- tion. At press time, the company had yet to release its 2016 fraud forecast but said fraud hit some
6 million CNP victims and about 5.6 million POS victims in 2015, compared with the 4.8 million CNP victims and 5.4 million POS victims in 2014. “EMV has a good head of steam,” Pascual says, “but fraud remains.”
60