Oct 6
The encouraging, the ouch, and the plus ça change
The payment industry and the payment-fraud industry are locked in a perpetual arms race. Each time our side develops bigger and badder defense weapons, the bad guys set to work inventing bigger and badder assault weapons. And so it goes, back and forth.
One year from this month, Europay, MasterCard, and Visa will up their side of the arms race by making chip-embedded payment cards standard in the United States.
It’s about time. While a number of African nations, China, Japan, Australia, Canada, all of Europe, and others are already on board, nearly half of the world’s payment card fraud takes place in the United States. The Economist puts worldwide payment-card fraud at $11.3 billion in 2012, up 15 percent from 2011, and puts the United States’ share at 47 percent.
The encouraging news is that EMV (the banal moniker represents the first letter of each triumvirate member’s name) promises to cut down dramatically on fraud. Breaches like those that plagued Target, Michaels, and The Home Depot this year will, we hope, be a thing of the past. At the very least, they will be far less frequent. We know this from—and this is an advantage of coming late to the game—observing the experience of nations that embraced the technology ahead of us.
The “ouch” news is that merchants will once again have the privilege of ponying up for new point-of-sale devices. They can, of course, elect to stick with the old technology. But if they do, they may risk assuming all responsibility for fraud at their registers, letting E, M, and V off the hook. That could be a lot costlier than new terminals, and not just if you happen to be, say, Target. More and more, payment fraudsters are going after medium-to-small businesses, precisely because these tend to invest less in security.
Then there’s the plus ça change, plus c’est la même chose news. Though EMV represents quite the obstacle for bad guys, it is not insurmountable. Given the dollars involved, even the most parsimonious criminals may view upping their side of the arms race less as prohibitive and more as a worthwhile investment. Fortunately, experience shows that lesser-heeled criminals drop out of the game. That alone results in a considerable net gain for our side.
As we engage in the ongoing arms race, we will continue to chip—get it? chip—away at fraud, saving our industry billions, and earning the confidence of cardholders.
Meanwhile, there will always be someone on the other side chipping away right back at us. I suppose that’s job security for programmers specializing in security, regardless of whether they work for the good or bad guys. Of course, anyone working for the bad guys may end up unemployed, living off the state, and wearing an orange jumpsuit. That is not the course that I would recommend.