The Green Sheet Online Edition
February 11, 2013 • Issue 13:02:01
Fraud, data breach concerns drive EMV support
We are approaching a major milestone in the evolution of retail card payments. That's because beginning in April, all U.S. acquirers and processors must be able to support merchant acceptance of Europay/MasterCard/Visa (EMV) chip cards.
Acquirers and processors must carry and process data included in chip transactions, such as the cryptographic messages that authenticate transactions, beginning April 1, 2013, or face increased liabilities from card fraud.
EMV is a global standard for ensuring the compatibility of chip-based credit and debit cards and card terminals, and is considered far more secure than traditional mag stripe cards, and therefore less susceptible to fraudsters and hackers.
The term itself refers to Europay International (which merged with MasterCard Worldwide in 2002), MasterCard and Visa Inc., the three companies that developed the standard nearly 20 years ago.
According to EMVCo, the company that manages the standard, 40 percent of all cards and 70 percent of all terminals deployed outside the United States were EMV compatible in 2011.
Here's how Dom Morea, Senior Vice President and Division Manager, Advanced Solutions and Innovation at First Data Corp., described the situation in a 2011 white paper: "In the realm of major financial markets, the U.S. stands alone in its hesitancy to adopt a smart chip payment standard."
Among countries that were early adopters of EMV, the results have been positive, Morea said. In the United Kingdom, for example, card fraud losses dropped from 18 basis points to 12 basis points between 2001 and 2008.
The card brands have aggressive strategies for moving the United States away from mag stripe cards, culminating in October 2015, when issuers and merchants that fail to support EMV will begin to be held liable for fraudulent transactions that occur.
Last fall, for example, Visa began giving merchants a pass on validating compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) for any year during which at least 75 percent of a merchant's Visa card transactions originate from chip-enabled terminals.
PCI still needed
Yet, EMV is not a replacement for PCI, said Linda Grimm, Director of Consulting Services at Compliance Solutions and Resources. "EMV is a great resource that will help card fraud, but it won't stop the fraudsters," since identity fraud can be accomplished without stealing card data, Grimm told attendees at the Northeast Acquirers Association's Winter Seminar, held in January in Vermont.
The PCI DSS and related security standards comprise the prevailing U.S. standard for securing credit and debit card and cardholder information. PCI consists of a set of policies and procedures for ensuring the integrity and security of card transactions, networks, databases and facilities.
All entities that handle card data have to demonstrate compliance at least once a year. However, PCI compliance has been spotty, especially among smaller merchants.
According to a research report published in January 2012 by PCI compliance company ControlScan and the Merchant Acquirers' Committee, Level 4 merchants, which represent 98 percent of all U.S. retailers, "show a lack of awareness and overall apathy toward PCI compliance and cardholder data security."
That's problematic, Grimm said, noting that in 2011, 63 percent of data breaches occurred at companies with fewer than 100 employees. That's according to the 2012 Data Breach Investigations Report by Verizon.
In all, there were 855 data breach incidents reported in 2012, worldwide, that resulted in 174 million compromised records - the second largest data loss total since Verizon began keeping track of breaches in 2004.
Randy Vanderhoof, Executive Director of the Smart Card Alliance, said his group is seeing significant interest in EMV, as well as near field communication (NFC). NFC is a chip-based technology that supports contactless mobile card payments. But if previous experience is an indication, the transition to EMV and NFC will take time, requiring much testing and merchant training.
"Based on experience in other countries, we've learned that it's much more complicated and takes much more planning and testing and training of merchants to be ready to begin accepting EMV," Vanderhoof said.
Fraud, an $8.6 billion-a-year problem
Getting a precise fix on the cost of card fraud isn't always practical, given the numerous parties to these transactions. But in a report published in 2010, the consultancy Aite Group LLC took a stab at it, estimating that card fraud costs payments companies about $8.6 billion a year, with the bulk of those losses falling on issuers.
The top forms of card fraud include card-not-present transactions, counterfeit cards and fraud related to lost or stolen cards. The single biggest category, though, was "first party fraud," which can be carried out by a card thief or a cardholder who runs up the balance on a credit card with no intention of ever paying it off, Aite reported.
Cardholders, of course, aren't always the perpetrators; very often they are the victims. In fact, according to the 2012 ACI Worldwide Global Fraud Report, one in four consumers were victims of fraud involving credit, debit or prepaid debit cards in the previous five years.
Mike Braatz, Senior Vice President for Payments Fraud at ACI, said the study reveals that card fraud is a major concern for consumers, financial institutions and retailers. "These results should serve as a call-to-action for financial institutions and retailers to remain constantly vigilant and earn the trust of customers," he added.
Results of the LexisNexis Fourth Annual True Cost of Fraud Study drive home this point. Conducted by Javelin Strategy & Research, the study calculates the overall cost of chargebacks for merchandise, as well as fees and interest paid to financial institutions and processors to replace and redistribute lost or stolen merchandise. In 2012, that cost worked out to $2.70 for every $1.00 in fraudulent transactions, up from $2.30 in 2011, and that doesn't count costs associated with lost business.
"Our research clearly indicates that customers are less inclined to do business with merchants with which they've experienced fraud, yet a surprising majority of merchants surveyed in this study are not aware of this costly after-effect," said Jim Rice, Director of Market Planning for Retail and E-commerce at LexisNexis Risk Solutions.
Mobile, e-commerce most vulnerable
Merchants hardest hit by card fraud are those with mobile, e-commerce and international transactions, the LexisNexis report revealed. In 2012, mobile merchants paid $2.83 for every $1.00 lost, compared to just $2.00 in 2011. The analysis further indicated that criminals are shifting more attention to merchants who use an array of channels, including the web and NFC, which has significant implications for businesses.
CyberSource Corp., a leading security firm that tracks online fraud, reported that merchants are especially hard hit by online fraud, losing an average of 1.0 percent of online revenues to fraud.
Fraud involving international orders is almost three times as likely to occur as fraud involving domestic transactions, according to the 2012 CyberSource Online Fraud Report. Industrywide, CyberSource estimated that online fraud losses at North American firms with e-commerce operations totaled $3.4 billion in 2011, a $700 million increase over 2010.
Malware is another problem that has grown with increased use of mobile devices for payments and other critical functions. Juniper Research Ltd., a Sunnyvale, Calif., firm that tracks mobile threats, said it saw a 155 percent increase in reports of mobile malware between 2010 and 2011.
Android platforms are especially vulnerable to malware. During the last seven months of 2011 malware targeting the Android platform jumped 3,325 percent, according to Juniper's 2011 Mobile Threats Report, released in 2012.
"This year, cyber-criminals have become so advanced that security professionals are struggling to detect many of their attacks in a timely manner," said Andreas Baumhof, Chief Technology Officer at security firm ThreatMetrix.
A recent survey sponsored by ThreatMetrix found 45 percent of all retail and financial services companies were victims of malware, Trojan and phishing attacks, lost or stolen mobile devices, and data breaches last year.
"We've seen a trend this past year where fraudsters who have traditionally attacked larger financial institutions are now working their way down to less protected organizations," Baumhof added. The Verizon study noted above confirmed this.
Cyber attacks, data breaches hit U.S. hardest
An even more disconcerting trend: despite the fact that customer and company data is being compromised in these breaches, fewer than 20 percent of companies breached made significant changes to information technology (IT) security as a result of breaches, according to ThreatMetrix.
A unique attribute of cyber-crime is that it knows no national boundaries. However, there is evidence that U.S. companies are especially hard hit. In the 2012 Cost of Cyber Crime Study, the Ponemon Institute reported, "U.S. companies were much more likely to experience the most expensive types of cyber attacks," which it identified as malicious insiders, malicious code and web-based intrusions.
The average cost incurred by U.S. companies attacked, which topped $8.9 million per attack, dwarfed the $3.25 million average incurred by companies in the United Kingdom, according to Ponemon's survey.
The survey, commissioned by HP Enterprise Security, identified information theft as the highest external cost, accounting for 44 percent of total external costs, up from 40 percent in 2011; costs associated with disruption to business and lost productivity accounted for 30 percent.
Companies participating in the Ponemon survey sustained 1.8 successful attacks each per week. The average time to resolve a cyber attack was 24 days, Ponemon said.
"You should consider a breach likely, and plan accordingly. It's not a matter of if, but when," Grimm told attendees at the NEAA event. "And you need to protect all data, not just card data."
Stolen card data can lead to fraud, at an average cost of $339 per card. But stolen identities are far more costly and more time consuming. Out-of-pocket expenses to consumers whose identities have been stolen average about $1,000, and it takes an average of 330 hours to rectify a stolen identity situation, Grimm said.
It's not all bad news, however. By being proactive, merchant level salespeople (MLSs) and their partners can turn the situation to advantage. "This is an opportunity to go out and explain to merchants how they have a problem and that you have a solution that can help them," Grimm said.
Complacency not an option
In its report - Risk and Revenue: Second Annual Survey of the Acquirer's Perspective on Level 4 Merchant PCI Compliance - ControlScan made a similar pitch. "Now is not the time to maintain the status quo," the company stated. "Today merchant acquirers have both an opportunity and a challenge to proactively serve small merchants as a trusted business enabler."
One problem, however, is that many acquirers, ISOs and MLSs are as much in the dark about PCI as many of their merchants. One third of acquirers surveyed by ControlScan said their own lack of knowledge challenges their ability to support effective PCI programs; this is up slightly from 31 percent in 2011.
The ControlScan report detailed steps that can be taken by acquirers and their sales partners to increase Level 4 compliance, and to better serve small merchants. First and foremost is education: maintain a consistent message and communicate it often through multiple channels, electronically and face-to-face.
"PCI compliance messages should appear throughout and beyond the merchant onboarding process. Make it your goal to establish clear expectations with all merchants," the report said. And be sure to enroll high-risk merchants in PCI-compliance programs immediately upon boarding them.
Offering solutions that bring value beyond peace of mind is equally important. These are some examples:
- Positioning PCI compliance as a value-added service
- Offering strong support, as well as technology that simplifies the compliance process, such as services that reduce a merchant's scope of compliance or simplify the compliance validation process
- Offering breach insurance as a safety net, but not as a replacement for PCI compliance
- Keeping things simple
"When action steps are presented in a way that's easy to emulate, both the acquirer and the merchant benefit," the report stated. So the smoother ISOs and MLSs can make the compliance process for their merchants, the easier it will be on their own businesses, and the more effective the industry's fraud prevention strategies will be overall.
PCI compliance: to charge or not to charge
Although data breach security remains a priority with acquirers, risk reduction seems to be taking a back seat to revenue generation. Asked to rank the goals of their PCI compliance programs, acquirers placed generating revenue first, while reducing the risk of breaches came in fourth, in ControlScan's latest survey of acquirers on PCI compliance among Level 4 merchants.
That represents a reversal of priorities since 2012, when the top priority was risk reduction, ControlScan reported. The second and third priorities remained unchanged between 2012 and 2013; these were to meet card brand requirements and achieve high compliance rates, respectively.
Taking on check fraud
In payments, as in most things involving money, fraud is a multipronged and ever-present danger. Specific types of fraud that threaten payment companies and their clients include unauthorized credit and debit card payments, card skimming and cloning, data compromises, and even bad checks.
The irony is that the more automated and sophisticated payment options become, the greater the potential for risks - especially when payments are being executed in real time, stated Glen Fossella, Chief Operating Officer at CTS North America Inc., a Michigan company that sells check and document scanners.
"Whenever you're dealing with exchanges of anything of value, that's when the merchant and the bank are at risk," Fossella said. "They need to be able to verify payments at the point of capture; otherwise they may not get their money."
The response at CTS has been to develop fraud prevention tools for check cashing and payday lending stores. The company's latest creation: ID card scanning software that integrates with the company's full line of check scanners. "It's more bang for the buck from a hardware perspective," Fossella noted.