Solving Card Fraud
Chip by Chip
Since 2012, all four of the major card brands, MasterCard, Visa, American Express, and Discover, in the US have set a series of readiness deadlines for US issuers, acquirers and processors to be EMV capable. As of October 15, 2015 the liability will shift to acquirers for domestic and cross-border counterfeit fraud card-present POS transactions, if the merchant does not install an EMV-enabled POS device. The liability shift date for gasoline retailers is October 15, 2017.
EMV, standing for Europay, MasterCard and Visa, refers to a smart chip that is embedded within payment cards, following the security standard already in place in Europe. Many merchants, are slow to get up to speed because of the cost. For some smaller retailers and restaurants, the risk of liability is minimal.
A recent Javelin study on identity theft estimated the median theft from existing credit and debit card fraud in 2014 was $300, while the mean (average) was $989. The mean direct cost to consumers was $79, with an estimated six hours of resolution time.
Then again, Mercator Advisory Group reports on the rise of credit card and debit card use, along with online payments and transactions, leading to a rise in fraud and counterfeiting. It is accepted that the smart chip embedded in EMV cards to store and protect cardholder data will thwart counterfeit card fraud in card-present transactions.
T. Jack Williams, President of Paymentcard Services, agrees that the EMV chip does have the capability of lowering fraud. Using credit card reader/writer devices on the internet, fraudsters are able to counterfeit payment cards.
“The EMV chip brings great value to issuers, it means less losses and eliminates the need for banks to replace cards when data is hacked,” said Williams.
Driving the transition to EMV were massive data breaches at big retailers, including Target, Home Depot, and others, in 2013 and 2014. Target recently announced a $10 million settlement of a consumer class action stemming from its late-2013 data breach, a significant event not only because of its size, but also because it signals that courts are becoming more attentive to the harm consumers suffer from data breaches even if the payment card networks’ zero-liability policies reimburse them for fraud losses, according a researcher who specializes in data security.
A federal judge in St. Paul, MN approved the Target settlement, under which Target also could pay up to $6.75 million in legal costs. The retailer also agreed to pay an estimated $7 million in breach-notification expenses, according to the St. Paul Pioneer Press.
Consumers can file claims of up to $10,000 under terms of the settlement. Target still faces claims from the card networks as well as federal and state investigations. Earlier this month, Target reported that it has paid $162 million in net breach-related expenses.
“Chip and signature will put the bad guys back a step. Fraudsters won’t be able to replicate a chip and signature card that they can clone by using a credit card reader/writer that is available on sites like eBay,” said Williams. “For credit card companies and issuers, chip and signature is going to be easier to implement. But the issuers and processors are not ready for the European version of chip and pin. The liability shift is to scare merchants.”
It’s unlikely that all merchants will be EMV ready by this year’s end. “The reality is that EMV will not be a universal platform in this country by October 15, 2015, because it will take more time for merchants to balance the cost of potential liability against the cost of replacement of hardware and software,” said Williams. “We also have to remember that EMV is only relevant to card-present transactions; it is not relevant to online transactions, when card-not-present is the case.”
Meanwhile, consumers are accustomed to mag stripe cards and are not demanding chip embedded payment cards from their banks.
EMV Chips for Prepaid Cards
Mary Ann Miller, Senior Director, Fraud Executive Advisory, NICE Actimize, pointed out that prepaid providers in the US used to be a pacesetter for EMV, but now are laggards. As EMV is migrating across the US, prepaid providers and alternative payment companies are not wrapping their arms around this.
Again, cost is a main consideration since the chip and pin cost more than a mag stripe card. A closed loop card or gift card, often is a one-time use making a chip on a gift card an expensive proposition. What about a prepaid debit with chip and pin? Miller said there’s a stronger argument for that since it can go into a mobile wallet and might become more popular.
“Debit card with chip and pin is more likely to happen than closed loop,” Miller noted. “The message from prepaid providers should be about safety and security,” Miller said, “because prepaid products require a different approach to analytics and much more flexibility and agility than classic portfolios in the past.”
NICE Actimize, a provider of financial crime, risk and compliance solutions, has been able to create a unique environment for prepaid customers to write custom rules, models and policy on a seamless platform.
According to Miller, when she worked in the UK she observed an organized approach to introducing the public to chip and pin. The prepaid marketers there launched EMV with balloons and promotions. In the US, Miller believes we will see the product rolling out with much less fanfare. At first the pin and chip will lag, and maturity will take time, unlike the UK.
“There will be a tipping point,” said Miller. “Banks and financial institutions will be the first to issue EMV chip enabled cards and those products will be less vulnerable to fraud. Then as soon as we see large retailers make the transition to EMV, and as counterfeit cards decrease in numbers, there will be an increase in merchant adoption.”
Those lagging and prepaid will be the last out of the gate and be the weakest point. Fraudsters will see this and force prepaid and other laggards to catch up. “Why wait?” said Miller.
As EMV rolls out, fraud will become more complex. There will be more complex fraud within the fraud hub. Software protects against fraud.
Miller cited some of the advantages of the fraud hub: Enablement to nicely segment your products closed loop (store products, gift cards, and GPR) can each have a separate strategy with profiles, predictive analytics and indictors all on the same platform; and the ability to incorporate channel data from the digital and cyber to inform the analytics.
“This is a holistic view to the table, and very important as we see more account takeover post EMV and the convergence of mobile wallets and cards,” said Miller. “There is also the ability to write logic and new rules across all products as the need to pivot and react to flash fraud becomes more and more important.”
Mobile Payments May Leapfrog EMV
The rollout of EMV may start the war between carriers and networks. In a payments clash, networks, including MasterCard, Visa, Discover and American Express, will be pitted against mobile carriers, such as Verizon, AT&T and T-Mobile. “These are the two 600-pound gorillas in the room fighting for the same interchange dollars,” said Williams.
Google recently acquired Softcard (formerly ISIS) technology, creating a mobile payments joint venture with Verizon, AT&T Mobility and T-Mobile. The battle is between card-based networks that rely on a piece of plastic with an EMV chip and the carriers which rely on a SIM chip in the phone, noted Williams. “So far, the cards are winning because of ATM transactions. But if you can withdraw money from an ATM without a plastic card, then you have a total solution.”
All in All
EMV might be a short term solution to prevent counterfeiting of cards, but it could take about ten years before EMV is universally accepted. EMV is setting up the battleground between networks and carriers. The big question is: Will mobile become the standard or the EMV chip enabled plastic card? Miller believes that generally, EMV will be a rocky road. “Continued data breaches will push the transition. Ensuring customer confidence will be a driver.”