Are New Chipped Credit Cards Safe From Fraud?

by John DiGiacomo, Partner

Recent reports have indicated that the new chipped credit cards, i.e., credit and debit payment cards equipped with EMV technology, are not as secure as initially hoped, and show that fraud involving payment cards is still on the rise despite the full deployment of the new, more secure technology. The new chipped credit cards were touted as being safer and more secure since they integrate EMV (which stands for Europay, MasterCard, and Visa) chip and PIN technology, meaning that not only must the user have the chip associated with the credit card, but he or she must also have the appropriate PIN in order to use the credit card. How is so much fraud being committed with these new chipped credit cards that are supposed to be more secure than the old magnetic stripe version?

Fraud Committed with Chipped Cards is Committed in Familiar Ways

Not surprisingly, most of the new chipped credit card fraud involves exploiting old ways of committing fraud. For instance, whether a stolen credit card is chipped or not has little effect when the fraud is done by making online purchases. To make a fraudulent online purchase, all that is needed is the credit card number and the card's CVV code; the chip plays no role. For this reason, online purchasing is the leading type of fraud committed with chipped credit and debit cards.

The other way that criminals are exploiting chipped payment cards is by using stolen cards at retailers that have not yet implemented chip-reading equipment in their payment systems. Plenty of retailers are holding off as long as possible on upgrading their payment systems, which means that they still use the older magnetic swipe payment terminals.

Additionally, hackers are able to gain access to vulnerable payment systems that are connected to the internet. Once hackers breach the security of a vulnerable payment system, they can install malicious software that captures and transmits the payment card data used at the compromised system. The credit card number and CVV code can be stolen, and it is even possible to record and transmit the corresponding PIN code for the card. With the stolen card information, hackers can produce cloned cards or use the stolen data for online transactions.

Hackers Create Cards With Chips That Impersonate Real Chipped Cards

Another way that hackers have taken advantage of chip card technology is to create cards that impersonate real chipped cards. Chipped cards are supposed to be harder for thieves to duplicate, and while the new chipped payment cards are indeed more difficult to clone, they are not necessarily more difficult to impersonate. For instance, a chipped card can be impersonated or mimicked by an ATM shim, a device inserted into an automated teller machine to make the ATM dispense cash.

Data Breach Lawyers

Revision Legal understands the dynamic nature of cyber security. If your payment system was compromised by a cyber attack, or your customers’ payment card information was stolen in a data breach, you need to work with an experienced data breach lawyer. Revision Legal can help ensure compliance with state notification laws and international law. Contact us using the form on this page or call us at 855-473-8474.

The Legal Framework Governing Payment Card Security

Payment card fraud does not occur in a legal vacuum. Merchants, processors, and financial institutions operate within an overlapping framework of contractual obligations, federal statutes, and state laws that govern who bears liability when fraud occurs. Understanding this framework is critical for any business that processes payment card transactions.

The EMV Liability Shift

In October 2015, the major card networks — Visa, Mastercard, American Express, and Discover — implemented an EMV liability shift for card-present transactions. Under the pre-shift rules, card-issuing banks typically absorbed losses from counterfeit card fraud. After the shift, liability for counterfeit card fraud moved to whichever party in the transaction had the lesser technology. In practical terms, this means that a merchant who accepts a counterfeit chipped card using an old magnetic stripe terminal bears financial responsibility for the resulting fraud, rather than the card-issuing bank.

This liability shift created a powerful financial incentive for merchants to upgrade to EMV-capable terminals. However, because the shift applies only to counterfeit card fraud at the point of sale, it does nothing to reduce card-not-present fraud — the category of fraud, including all online transactions, that exploded in the years following EMV deployment in the United States. This pattern, sometimes called the waterbed effect, was well documented in countries that deployed EMV earlier, such as the United Kingdom and Australia.

PCI DSS Compliance Obligations

Any business that accepts, transmits, or stores payment card data is subject to the Payment Card Industry Data Security Standard (PCI DSS), a contractual framework imposed by the card brands through merchant agreements and payment processor contracts. PCI DSS requires merchants to implement a set of technical and administrative security controls designed to protect cardholder data, including network segmentation, encryption, access controls, and regular vulnerability scanning.

Non-compliance with PCI DSS does not give rise to a direct private right of action by cardholders, but it can significantly affect a merchant’s liability exposure after a data breach. Card brands impose fines and penalties on non-compliant merchants through the acquiring bank, and non-compliant merchants who suffer a breach may be responsible for the cost of the forensic investigation, re-issuance of affected cards, and fraud losses. Courts have also admitted PCI DSS non-compliance as evidence of negligence in data breach class actions brought by customers and financial institutions under state negligence and unfair business practices statutes.

State Data Breach Notification Laws and Payment Card Data

All 50 states, the District of Columbia, Puerto Rico, and Guam have enacted data breach notification laws that require businesses to notify affected individuals when their personal information — including payment card numbers in combination with other identifying data — is exposed in a security incident. Notification timelines vary significantly: California’s law (Cal. Civ. Code § 1798.29) requires notice in “the most expedient time possible” but no later than 72 hours in certain circumstances under CPRA amendments; other states allow 30, 45, or 90 days. A handful of states, including New York (N.Y. Gen. Bus. Law § 899-aa), require notification to the state Attorney General in addition to affected individuals.

For businesses that process payment card data across state lines — which describes virtually all e-commerce merchants — multi-state breach notification compliance is a logistical challenge. Determining which states’ laws apply, drafting compliant notices, coordinating with credit monitoring service providers, and responding to regulatory inquiries from multiple attorneys general simultaneously requires experienced legal counsel working quickly under significant time pressure.

What Businesses Should Do Now

Businesses that process payment card transactions should treat EMV adoption as the floor, not the ceiling, of their payment security program. The following steps significantly reduce both fraud risk and legal exposure:

  • Deploy EMV-capable terminals and ensure your payment processor has enabled chip processing — not just magnetic stripe fallback.
  • Implement tokenization and point-to-point encryption to reduce the volume of cardholder data your systems touch and store.
  • Achieve and maintain PCI DSS compliance, including regular network vulnerability scans and penetration testing.
  • Have a written data breach response plan that identifies your legal obligations, your notification vendor, and your outside legal counsel before an incident occurs.
  • Review your cyber liability insurance policy to confirm it covers payment card breach costs, including card re-issuance assessments, forensic investigation fees, and regulatory fines.

If your payment system has been compromised or you are unsure of your legal obligations following a payment card data breach, contact the experienced data breach attorneys at Revision Legal immediately. Time is critical — breach notification deadlines begin running from the date of discovery, and prompt action is essential to minimize both legal exposure and reputational harm. Contact us using the form on this page or call us at 855-473-8474.

Image credit: Finance Blue.
