The Green Sheet Online Edition
October 14, 2013 • Issue 13:10:01
Will EMV save us from fraud?
Despite the hesitation by U.S. merchants and financial institutions to fully adopt Europay/MasterCard/Visa (EMV) migration, the reality is that by 2015, we will be joining most of the global community by integrating EMV in the United States. Though you may see this as a cause to worry, it is important to remember that EMV will essentially reduce fraud - and who doesn't want that?
The idea behind the security of EMV cards is that fraudulent purchases are much harder to pull off because EMV cards contain a "smart chip" that is nearly impossible to clone. While conventional mag stripe technology reveals card information with one quick scan, chip cards require dynamic verification and hold significantly more information within the chip, making life harder for fraudsters.
So, once every U.S. merchant has an EMV terminal and every consumer carries a smart card, will credit card crooks be out of business? The answer is complex, given the experiences of other countries with EMV conversion, the adaptive spirit of the fraud-committing community and the changing technological landscape around transaction authentication.
Two things are certain, however. First, EMV will bring about a reduction in counterfeiting and lost and stolen card fraud in the United States. Second, EMV is coming, and we must be ready and able to pave the way for a smooth transition. It is time for merchants to prepare by re-focusing now on the tried-and-true basics of fraud prevention and embracing new methodologies as they become available.
Previous EMV lessons
EMV has been widely adopted around the world, and now that the U.S. transition is underway, networks are beginning to implement their own EMV migration plans. While fraud patterns before, during and after EMV migration have varied from country to country, common threads exist.
Typically, fraud has surged in the card-present environment prior to migration deadlines and dropped dramatically after EMV cards have been introduced. I wish I could tell you that all fraud will disappear once EMV is in place, but sadly there is no "perfect protection" against crooks.
Historically, fraud has shifted to overseas, card-not-present (CNP) transactions because EMV cards don't offer the same protection in that milieu as they do in environments where face-to-face transactions occur. In France, for example, the new standards significantly reduced counterfeit fraud but resulted in a commensurate increase in CNP scams. In the United Kingdom, overall fraud for both transaction environments increased during the changeover period until additional authentication measures were introduced.
Migration to EMV in the United States has been slower than elsewhere, and it's hard to predict what the impact will be here. But "watch and wait" may not be the best strategy. Those who are slow to adopt EMV technology may put themselves at risk, as counterfeiting schemes will naturally surge toward the most vulnerable transactions and merchants.
And for CNP merchants, EMV has a different set of issues. If history is any guide, CNP merchants will likely see fraud increase as face-to-face fraud falls following the EMV adoption.
Argus Payments Inc., a payment gateway that specializes in CNP for high-risk merchant categories, expects that after the EMV shift, the rate of fraud in CNP transactions in the United States will rise - migrating away from card-present (CP) targets. In preparation, online merchants and processors may do well to add dynamic authentication capabilities to their checkout processes.
Unfortunately for CNP merchants, authentication requirements add friction to the online checkout process. Argus predicts that monitoring and balancing conversion rates of authenticated transactions against overall fraud rates will be a key practice for merchants seeking to maintain revenue while mitigating an increasing amount of fraud.
Those merchants may wish to enforce policies in real-time using risk-scoring and categorization (high-value tickets or affiliate-based traffic sources may be good categories) to determine the appropriate situations in which to require authentication, while allowing low-risk carts or customers a more streamlined checkout.
Meanwhile, all merchants must take a fresh look at their authentication practices. Merely operating an EMV-enabled terminal is just half the equation, as mag stripe cards will remain in consumer wallets for some time, sustaining the need for old-school screening practices.
Face-to-face merchants should now bolster their card-acceptance protocols in preparation for any surge in counterfeit and lost- or stolen-card fraud as the deadline approaches. The most low-tech practices like examining signatures and photo IDs - while imperfect - remain simple and effective deterrents to scammers seeking low-hanging fruit.
As for CNP merchants, it is likely wise to prepare now for a wave of threats. Simple and proven protocols such as requesting card verification value and card identification number codes should be a given. Gateways should authenticate Internet Protocol addresses.
In France and the U.K., the surge in CNP fraud was brought largely under control by moving to 3D Secure practices such as remote PIN entry. 3D Secure is a payer authentication protocol that comprises Verified by Visa and MasterCard SecureCode and enables cardholders to create PINs that can be confirmed by issuing banks during online transactions.
From biometric fingerprinting tools for home PCs and mobile devices to "social fingerprinting" solutions that authenticate consumers by analyzing their social data from sites like Facebook, new solutions for verifying CNP practices will continue to emerge as online transactions become the preferred target for crooks.
Improved fraud mitigation
It is likely that fraud incidents similar to those experienced by other countries will play out in the United States as we migrate to EMV technology. It's also likely we'll face some surprises - all of which make it crucial to shore up the fraud mitigation tools we already have in both CP and CNP environments. We must put tried-and-true protocols in place now and support the innovations of the future.
For ISOs, the task at hand is to fully educate and support merchants during the transition phase and beyond, ensuring they (and their cashiers) understand and embrace the new processes while adhering to security fundamentals. EMV adoption will ultimately strengthen fraud reduction in the United States, but there will be bumps in the road.
Awareness, education and vigilance will help us all make the transition as smooth as possible.
Cliff Teston is co-founder, Chief Executive Officer and President of Signature Card Services. He has a long history of leadership and innovation in all aspects of the ISO/MSP industry. Contact him at firstname.lastname@example.org .
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.