Merchants hope this year's holiday shopping season is better than last year, when high profile data breaches stole the headlines.
They should be happy, if MasterCard vice president of emerging payments Oliver Manahan is right.
There have been major improvements in data security over the past year, said Manahan, adding that even as major breaches continue to occur, they don't automatically result in a massive increase in dollars lost through fraudulent transactions.
"As we get into this holiday season, we are absolutely further ahead with security from where we were 12 months ago," Manahan said. "The EMV [chip-based card] migration is underway now and there are more cards in the market and more merchants with EMV devices in the market."
But Nick Holland, senior analyst and payments expert for Javelin Strategy & Research, paints a more bearish picture on EMV, telling attendees at a mobile payments conference in Chicago that as far as EMV preparedness goes, the U.S. is "woefully unprepared for next year in most respects."
Holland cited recent Javelin research that reveals only 1.5% of an estimated 1.2 billion U.S. payment cards have an EMV chip and only 10% of merchant terminals are EMV-enabled. He also said small businesses aren't close to being prepared, with many of them holding back because fraud losses have indeed decreased.
Such slow progress also speaks to the fact that even if a merchant has an "EMV ready" terminal, it does not mean the business has all of the chip readers and other hardware in place to accept transactions.
Bank of America signaled key movement in chip-based card issuing with its recent announcement that it was sending EMV debit cards to its customers this month.
In the upcoming months, the numbers of cards and terminals prepared for EMV will only increase, Manahan said. "It is still just small steps, but we are going in the right direction of higher security."
The small steps will have to become larger steps quickly as the card brands' move away from magnetic-stripe technology with an EMV liability shift of October 2015 is now just a year away. At that time, the party unable to handle EMV transactions will bear fraud costs.
The level of EMV progress aside, the upcoming holiday season will be one of the last in which magnetic-stripe cards will continue to initiate the majority of U.S. transactions.
And that, ultimately, could prove to be problematic, even as more EMV chip cards are issued, Catherine Johnston, president and chief executive of ACT Canada, a non-profit payments association, told attendees at the Chicago conference.
EMV cards will continue to have mag-stripes for use as a backup technology or for instances in which EMV technology is not in use or available, such as at ATMs.
Canada converted to EMV a few years ago, but discovered that mag-stripes on the EMV cards were still being skimmed and the data was later used to commit fraud in the U.S., Johnston said.
Canada's Interac debit network plans to eliminate any use of mag-stripe as a backup technology next year, she added.
MasterCard and others in the U.S. payments industry are watching closely as to what other countries do with the mag-stripes on cards.
"We believe that in some future date that we would be removing the magnetic stripe and it would make sense at that time," Manahan said. "We obviously are not going to do it next year when there remains a reasonable percentage of mag-stripe cards and devices in market."
Removing the mag-stripe for good is "years out," Manahan added. "We are certainly entertaining those ideas and everyone has that concept in mind, but it will happen in the future when a very high percentage of cards and terminals and ATMs globally are EMV."
Beyond EMV, businesses and issuers are more aggressively deploying various layers of payment fraud intelligence within their networks, allowing them to spot suspicious card activity, halt transactions and issue new cards as needed, Manahan said.
"There's always a lot of conjecture as to what the criminals might be up to with access to so many accounts [after retail or bank breaches], but obviously if you are in the criminal element there is some sort of eye toward the financial gain in it," Manahan added.
Because a correlating spike in dollars lost through fraudulent transactions doesn't automatically occur after large breaches, how the criminals intend to reap that financial gain represents a "moving target" for law officials and security vendors, Manahan said.
Recent Javelin studies indicate fraud incidents may be on the rise, but the amount of money hackers are ultimately able steal through fraudulent purchases is decreasing.
If criminals intend to create fake payment cards and make transactions, the payments security industry has done "a pretty good job of locking that down, so maybe data breaches have become less valuable," Manahan added.
Card data security may get an added boost during the upcoming holiday shopping season if consumers adopt Apple Inc.'s new mobile pay system.
The 2014 shopping season will be the first in which consumers with new iPhones will have the option to make contactless Near Field Communication payments through Apple Pay.
Use of Apple Pay will equate to even more transaction security, Manahan said.
"It is absolutely secure, as all contactless transactions carry some form of dynamic data, so you are already better [protected] than the static data on the magnetic stripe," Manahan said.
Apple Pay will also deploy a unique token for each transaction, leaving payment credentials off of networks or merchant systems. "The data will have less value [to hackers] that way," Manahan added.
MasterCard partnered with Apple to be engaged in "all aspects of the payment" and is confident that Apple Pay will prove to be a secure product and deliver a good customer experience, Manahan said.