New Retail Scam Targeting EMV Chip Terminals
Fraud can target nearly any business, but card-present merchants had been able to breathe a little easier in recent years thanks to the introduction of the EMV chip. This tiny piece of hardware has gone a long way toward reducing fraud from cloned cards and other longstanding methods that exploit the vulnerabilities of older technology like magnetic strips. It’s an undeniable fact, however, that fraud is constantly evolving alongside the technologies developed to stop it. Now, retail merchants are finding themselves increasingly victimized by a new scam that uses deception to circumvent EMV chip security features.
EMV Changed The Playing Field
Originally, point-of-sale terminals read credit card information off of the magnetic strip customers would swipe through them. The customer’s identity could then be verified with a signature, an ID, or a ZIP code. Of course, these safeguards were easy to defeat if you had a stolen card. Signatures and IDs can be forged, and a cardholder’s ZIP code is often easy to guess. Worst of all, fraudsters wouldn’t even need to steal your actual credit card. Devices called “skimmers” can read the magnetic strips on cards, copy the information they contain, and clone them onto a new card.
The presence of the EMV chip verifies the authenticity of the card and can allow for customers to use encrypted PINs to authorize transactions. Skimmers can’t read EMV chips, and fraudsters can’t create cloned cards with valid or functional EMV chips. By requiring customers to use EMV chip-verified transactions at the point of sale, merchants can screen out many of the more commonplace forms of credit card fraud.
Unfortunately, not all merchants are willing or able to upgrade their terminals, and most newer terminals are set up to allow for transactions to be processed off of the magnetic strip to accommodate older cards without chips, or cards with malfunctioning chips. This is the loophole that fraudsters are now trying to exploit.
Bypassing Security With Fake EMV Chips
In this new scam, the perpetrator takes a credit card and installs a fake EMV chip in it. When they make a purchase at a retail establishment, they insert the card in the chip reader, which will report an error because the chip cannot be read. Then, they will tell the sales clerk that they’re having problems with the EMV chip on their card and ask if they can complete the transaction by swiping the magnetic strip. If the clerk says yes, the fraudster can swipe the card and completely bypass the EMV verification.
In this way, a criminal can make a purchase on a stolen or cloned credit card without the EMV chip stopping them. But there’s another layer to this scheme, if the fraudster owns the credit card or has access to the full account credentials, they can call the issuing bank, report the transaction that they just made as fraudulent, and get the funds returned to them.
Chargeback Gurus handled a case where a cardholder made a high-value purchase at a jewelry store, complained that the chip reader wasn’t working, and was allowed to swipe their card. A few days later, they filed and were granted a chargeback on the purchase.
They walked away with both the jewelry and their money, and the store took a big hit.
Conclusion: Hold The Line On EMV Verification
The major card networks have established clear rules around EMV chips in order to encourage their use. If a merchant allows a customer with an EMV-enabled card to make a purchase by swiping the card instead of inserting the card in the EMV enabled terminal, then any chargebacks filed against that transaction will automatically be found in the cardholder’s favor. In other words, if the merchants won’t enforce the use of anti-fraud technology at their point of sale, then the card networks will hold them liable when fraud inevitably occurs.
The best way for merchants to prevent this new scam is to be very consistent about only running point-of-sale transactions via EMV chip insertion. Allowing customers to swipe EMV-fitted cards exposes them to too much liability and risk, given that they’ll have no standing to dispute any chargebacks filed against those transactions. While it is possible to lose sales and alienate some customers by refusing to allow them to swipe their cards when the EMV reader returns an error, most customers should be understanding—they know that EMV chip verification protects them, too—and the alternative is to risk significant revenue loss and a higher chargeback ratio.