The Green Sheet Online Edition
January 14, 2013 • Issue 13:01:01
Mitigating POS terminal fraud in India
Editor's Note: While the majority of our readers are doing business in the United States, The Green Sheet periodically publishes articles about the payments landscape in other countries and regions. This is because the various economies of the world are interconnected, some U.S. payment professionals are already expanding or wish to expand their businesses beyond our borders, and cross-pollination of ideas and practices across global regions could foster further innovation to boost business within the U.S. payments market and elsewhere.
Fraud is a growth industry, and payment card fraud is a growth industry on steroids. Annual card fraud runs into the tens of billions of dollars, and India remains a top destination for card fraud done on POS terminals. Existing mitigation efforts are touching only the tip of the iceberg and are focused primarily on reducing financial liability, not preventing fraud before it happens.
The future of fraud
While e-commerce transactions are on the rise, card fraud in that realm has largely been contained because of mandatory two-factor authentication on all transactions done using Indian cards on Indian websites. This article focuses on card fraud done on POS terminals because it is very likely this is where large-scale fraud will happen going forward.
The number of POS terminals in India, depending on whom you ask, currently ranges from 400,000 to 600,000, with the industry having seen no real growth in the past few years.
This is set to change. A consortium of government-owned banks recently put out a request for proposal that "involves the selection of Service Providers who can manage the entire Merchant Acquiring Business of the Public Sector banks on a fully outsourced model by giving an end-to-end solution related to deployment of POS terminals at Merchant locations and providing the complete range of Managed Services."
The consortium expects the deployment of 1.5 million terminals in the first year of operations and 2.6 million in the second. These numbers are impressive and almost certainly mean that fraud on POS terminals is going to rise.
POS transactions in India
Currently there are 18.5 million credit cards and 306 million debit cards in the country. In fiscal year (FY) 12 (which began in April 2011 ended in March 2012), credit card transactions volume was 319 million, and the value was 966 billion Indian rupees (INR). There were 327 million debit card transactions for a value totalling INR 534 billion.
In the first seven months of FY 13, the number of credit cards in circulation went up 5.2 percent year over year; the volume grew at 22.6 percent; value was up 25.3 percent.
For debit cards, the number went up by 20.1 percent; transactions volume grew at 36.7 percent; value was up 30.4 percent. With this sort of solid growth, this space will inevitably look more attractive to fraudsters.
Types of card fraud
The types of card fraud occurring in India, especially in the case of POS terminals, are:
- Fraudulent/collusive merchants: Overwhelming evidence suggests that this is how most of the card fraud being committed in India is done. In most cases, these merchants use a legitimate business as a front and look to card fraud to provide most of their income.
- Counterfeit cards: The use of skimmed cards at legitimate merchants seems to be on the rise; most cards used are foreign, and in a large number of cases, they are from the United States.
- Cash funding: As a side income, merchants swipe the credit cards and then provide cash to the cardholders instead of any goods or service for a small fee. If the cardholders pay attention to the timing of transactions, and they almost always do, they get cash for less than what they would pay to other funding sources.
While certainly not high on the fraud scale, this is widely viewed by risk managers as a gateway to more serious fraud. A big problem in this scenario is that some cardholders do not pay their credit card bills, and issuers sometimes attempt to recover this money from acquirers by initiating disputes.
In India, the fight against fraudsters is compounded by problems on several fronts. These include:
- Documentation: Documentation quality is poor in India; most small businesses do not even have a full set of know-your-customer documents. More worrying is the ease with which legitimate government identity documents can be procured using different variants of the same name, such as initials, since most government issued IDs are not biometric-based.
- Multiple terminals: The Indian acquiring industry is a dog-eat-dog world in which many merchants have more than one POS terminal - each terminal belonging to a different bank. Merchants have no problem with this because they do not pay for the terminals. More often than not, fraudulent merchants make a killing using multiple terminals from multiple banks.
- Databases: There are no negative merchant databases maintained in India like the Member Alert to Control High-Risk Merchants list kept of U.S. merchant accounts that have been terminated for cause.
While there are negative databases derived from schemes that have been detected, they are largely ineffective because people often use initials in India, and if known fraudsters use variants of their own names, they become virtually undetectable. The same applies if the name of a shop is changed from, say, ABC Cleaners to BCD Cleaners.
Obviously, fraud will never fall by 100 percent, but steps can be taken to dramatically reduce it. Some steps being taken, apart from monitoring transactions using fraud detection tools, are:
- PIN on debit cards: Starting in April 2013, regulators will require that all debit card transactions done on POS terminals in India will have to be authenticated by a PIN.
- Chip and PIN credit cards: Issuers have started issuing chip and PIN credit cards, but costs prevent them from going beyond their premium customers, meaning they have barely scratched the surface.
Despite these measures, credit cards account for nearly 64 percent of all payment card transactions in India, and these cards are still liable to be stolen or skimmed.
Because of this, true fraud mitigation should go beyond reducing financial liabilities and should include detection before the fact. That said, acquirers are not entirely at fault because no merchant underwriting is available in India.
Proper mitigation can only be achieved if a negative merchant database is established, which has been proposed by regulators. However, for a negative database to work in India, it must be tied to a biometric database.
The Unique ID (UID) program, which is tasked with assigning each Indian a unique identification number in addition to maintaining a database of biometric information, may provide the answer. The program has already rolled out over 300 million such IDs. If the proposed database is not tied to the UID program, it will be dead on arrival, and with it, a large part of India's effort to fight card fraud.
Sunil Rongala is the Head of Risk Containment and Business Strategy at MRL Posnet Private Ltd., a technology-driven transactions facilitator based in India. He is a professional economist and holds a Ph.D. in economics from Claremont Graduate University in California. To reach him, call +91-99490-61784, fax +91-40-2355-4002 or send an email to firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.