The transition to EMV chip technology has been an ongoing process for financial institutions, ATM operators, and site owners over the past few years – in a race to meet EMV preparedness prior to final liability shift deadlines. As of October 2017, the final implementation date has passed. However, a good portion of U.S. ATMs remain swipe only. But what are the real risks for ATMs without EMV?
EMV Risk #1 – Fraud Migration
Despite being relatively new in the United States, EMV chip card technology has been around for over a decade – with many European countries having begun implementation as early as 2004. Complete shift to EMV technology has resulted in significant reduction in card-present fraud. Canada, who began implementation in 2009, reported $142.3 million in fraudulent transactions during their first year. This has since decreased to a record low $38.3 million in 2012.
Similar to what was witnessed in Canada, the majority of regions have seen a temporary increase in initial card fraud spurred by the original announcement of upcoming changes and start of implementation. Fraud has then migrated to the least protected source, typically generating significant increases in rural areas and previously little-used locations where EMV implementation was not seen as a specific risk.
Speaking at the 2014 ATM & Mobile Innovation Summit in Washington, DC, Alvero Cordoba, ATM & Channels head for Citibank Latin America discussed an instance of rampant card fraud which forced the bank to reduce their ATMs in a specific country from thousands to a mere three hundred ATMs. Despite the decrease in availability, fraud still increased the following month.
Current EMV implementation numbers for the U.S. are looking positive. As of September, industry estimates put approximately 110,000 of the roughly 125,000 bank and credit union ATMs as EMV ready by October 2017. Similarly, nearly three-quarters or more of independently operated ATMs are anticipated to be EMV compliant. However, that still leaves a large number of independent, merchant-owned, and financial institution machines lacking EMV chip technology – creating a ripe environment to entice fraud migration.
EMV Risk #2 –Fallback
Fallback transactions occur when a chip-enabled card is used in an EMV-ready ATM but there is an error encountered and the transaction is performed utilizing the card’s magnetic strip instead. Fallback transactions should be a rare occurrence as EMV chips are designed for robust use. In some cases, however, a criminal may create a counterfeit card with a “damaged” chip in order to incur fallback transactions. As the issuer of the card is considered responsible for fallback transactions, many select to decline authorization. While payment networks are working with issuers to discourage across the board declines for all fallback, they also consider a fallback rate of over two percent (2%) at any single location to be indicative of an equipment problem.
ATMs that have already implemented EMV should keep an eye on their fallback rates for the foreseeable future. While some instances of high fallback may be a result of overzealous issuers, the EMV Migration Forum notes that some locations with high fallback may be incorrectly configured. Due to higher fallback issues during liability shift, VISA has issued a “Managing Fallback Transactions” chart for reference. ATMs that are not currently EMV compliant should not display fallback and are subject to liability for fraudulent activity at their machines should an EMV card be utilized.
EMV Risk #3 –Chargebacks
Typically, a chargeback has been performed in cases where a consumer made a claim of fraudulent activity with their card – referred to as a Regulation E (Reg E) chargeback. However, EMV chargebacks are a completely different animal. A chargeback coded for EMV is generated based on the technology performance occurring within the transaction being evaluated. An EMV chargeback should only be triggered when information from an EMV chip card is used to perform a transaction at an ATM that is not EMV compliant. As such, only non-compliant ATMs should be capable of receiving EMV-coded chargebacks.
Despite this, there have been some errors in chargeback coding presented to merchants and ATM operators. Industry experts recommend vigilance in reviewing any claims to ensure additional Regulation E claims are not being miscoded as EMV. An EMV chargeback is valid only if a counterfeit hybrid card is utilized at a non-compliant magnetic stripe only ATM. The card must be identified as an EMV chip card and the DE 61 field 11 identifies the terminal as magnetic stripe.
Invalid chargebacks can be disputed with appropriate documentation within 45 days from the chargeback date. Documentation is often dependent on the network implementing the chargeback but typically requires proof the transaction occurred prior to the liability shift, the service code in the authorization is incorrect, or the transaction was not properly reported as fraud according to the brand or network’s EMV chargeback requirements.
Keeping ATMs and Business Secure
Fraud migration, fallback, and chargebacks are a real risk for ATMs post EMV liability shift. As the full impact of the EMV liability shift continues, fallback should begin to fall off significantly – while fraudsters continue to look for the most vulnerable access points. The best way for financial institutions and businesses to protect themselves now is to ensure proper EMV installation and thoroughly monitor performance and processing records to ensure ATMs continue to operate with proper functionality.