Engineering Blog

Are credit card skimming attacks easier with EMV disabled?

In early February, TechCrunch reported that several USA Aldi supermarket locations were targeted in a credit card skimming attack (New credit card skimmer worked in plain sight at Aldi stores). This attack overlaid a skimmer on top of Aldi’s terminals to capture cardholders’ credit card numbers and PINs.
This attack compromised legacy magnetic-stripe-based transactions, and it was particularly effective because Aldi had reportedly disabled EMV chip support on its terminals. TechCrunch reported that “[Aldi] has yet to enable chip payments (although it does accept mobile contactless payment methods such as Apple Pay and Google Pay). This is important because these overlay skimmers are designed to steal card data stored on the magnetic stripe when customers swipe their cards.” According to a commenter, “I asked one of the managers and he said corporate required them to switch back because ‘swipes are faster.’”
Disabling EMV on your payment terminals is a decision that puts both cardholders and merchants at risk, as Aldi recently learned the hard way. Magnetic stripe data is static and easy to clone, and forged cards are cheap to produce from it. This is much less true of EMV chip-based cards, which authenticate each transaction with a cryptogram rather than replaying the same stored data. With the introduction of chip-based payment cards in late 2015, liability for chargebacks and fraud passed from acquirers to merchants. By forcing cardholders to swipe instead of insert their chip-enabled cards, merchants become liable for all resulting fraud and chargebacks. By disabling EMV, merchants are trading security for speed: they are not only putting themselves at risk for chargebacks, but also placing their customers at greater risk of identity theft and fraudulent charges on their cards.
The speed of EMV at the checkout is indeed a blemish on the payments industry stateside, though checkout speeds have gotten consistently better in the nearly 2.5 years since EMV launched in the US. Presently, the 4 major card brands are making a concerted effort to improve the situation. They are promoting initiatives like contactless EMV card technology, which is popular in Europe, and QuickChip, which allows for fast “swipe ahead” style interactions with EMV-capable payment terminals. The larger phone and mobile technology vendors, including Apple, Google, and Samsung, are also promoting contactless NFC payments using mobile phones and wearable tech. These use dynamic PANs in place of the card's real account number, which further insulates your card from fraud.
TechCrunch dismissively described point-of-sale terminals as offering “the best of security theatre – [sic] with a quick addition of a skimmer, you create something that is deeply unsafe.” While there is an element of truth in that statement, all hope is not lost. Had these terminals used EMV, this attack would have been largely mitigated. Data from the European adoption of EMV chip technology shows that EMV adoption was quickly followed by a marked decline in card-present fraud and a shift to card-not-present fraud, which is an easier attack vector for criminals. According to the US Payments Forum, while only 59% of merchants in the US have adopted EMV, that adoption has already halved the amount of card-present fraud in the US. For merchants using EMV-enabled terminals, card-present fraud is down 70% since September 2015. As adoption of EMV chip technologies continues to spread, we can expect the US to eventually reach parity with Europe, where today more than 2/3 (and growing) of card fraud happens online rather than in merchants’ storefronts.
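To make the difference between swiping and inserting concrete, here is an added, simplified issuer-side model (example code, not from the original post or from any card brand's specification). It assumes an HMAC-SHA256 stand-in for EMV's 3DES/AES application cryptogram, a constructed issuer master key, and a constructed sample card; it shows that skimmed stripe data authorizes identically every time, while a chip cryptogram bound to the card's transaction counter (ATC), the terminal's unpredictable number and the amount is rejected when replayed or altered.

```python
import hmac
import hashlib

# Simplified issuer-side model (added example, not from the original post).
# Real EMV derives a per-card 3DES/AES key from the issuer master key and
# computes a CBC-MAC (the ARQC); HMAC-SHA256 stands in for that here.

ISSUER_MASTER_KEY = b"constructed-sample-issuer-master-key"  # constructed, not a real key

# Constructed sample card: the static track 2 data a stripe skimmer captures.
KNOWN_TRACK2 = {"4111111111111111": "4111111111111111=25121011234567890"}

def magstripe_authorize(pan: str, track2: str) -> bool:
    """Stripe data is static: a clone carries byte-identical track data, so
    the issuer has nothing that distinguishes it from the genuine card."""
    return KNOWN_TRACK2.get(pan) == track2

def card_key(pan: str) -> bytes:
    # Card-unique key derived from the issuer master key and the PAN.
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()

def chip_cryptogram(pan: str, atc: int, unpredictable: bytes, amount_cents: int) -> bytes:
    """Chip side: MAC over data that differs on every transaction (the card's
    transaction counter, the terminal's random number and the amount)."""
    msg = f"{atc}|{unpredictable.hex()}|{amount_cents}".encode()
    return hmac.new(card_key(pan), msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Issuer host: verifies the cryptogram and enforces a strictly increasing ATC."""
    def __init__(self) -> None:
        self.last_atc = {}  # PAN -> highest ATC accepted so far

    def chip_authorize(self, pan, atc, unpredictable, amount_cents, cryptogram) -> bool:
        expected = chip_cryptogram(pan, atc, unpredictable, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # forged card, or amount/counter altered in transit
        if atc <= self.last_atc.get(pan, -1):
            return False  # counter did not advance: replayed or cloned data
        self.last_atc[pan] = atc
        return True
```

A stripe clone and the real card are indistinguishable to magstripe_authorize, whereas a captured chip cryptogram fails the ATC check on its second use and any change to the amount breaks the MAC.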
While EMV and NFC are an important part of the solution to protecting against cardholder data breaches, another key is the P2PE 2.0 standard, which is starting to gain traction in North America. With P2PE, the PCI Security Council has established a “defense in depth” framework for how merchants and solution providers can secure payments, covering everything from encryption of data to how to physically secure payment terminals. These standards benefit merchants, who see a dramatic reduction in their PCI scope and fees when they adopt SAQ P2PE compliant solutions and processes, and who at the same time shift much of the liability for breaches to their solution providers. P2PE certified solutions also protect cardholders by holding all vendors in the payments chain to a strict standard and by using strong cryptography throughout the authorization process.