The Green Sheet Online Edition
April 25, 2016 • Issue 16:04:02
From EMV to CNP: A look into U.S. authentication
Shopping has become such an integral part of daily life that consumers hardly think about the payment process behind it. However, shortening the process for the sake of convenience ‒ to a point where authentication is being set aside ‒ has given rise to serious security issues.
Decades ago, there was little need for authentication. In the 1950s, noncash transactions were rare. However, as travelers became more mobile and were disinclined to carry huge amounts of cash, facilitators such as Visa (whose origin goes back to 1958) and MasterCard (1966) came into being. Credit cards quickly turned into big business; credit card fraud soon followed.
Card-present (CP) fraud is a disproportionately big problem in the United States; half of all credit card fraud worldwide takes place here, Tom Gara stated in a February 2014 Wall Street Journal blog post. In 2014, about 31.8 million U.S. consumers had their credit cards breached, more than three times the number affected in 2013, according to Javelin Strategy & Research.
Experts attribute this to slow adoption of EMV (Europay, MasterCard and Visa) protocols in the United States.
Where does liability lie?
EMV is a global standard whereby payment cards are embedded with a chip that encrypts the information held on the card, making it virtually impossible to clone. However, the United States is only now catching up and has begun the process of adopting EMV, a process that moved into top gear after the October 2015 liability shift.
Since this game-changing shift, a party that suffers card fraud and does not have EMV technology in place will bear liability for the costs of that fraud. For instance, if a retailer is using the old system, the business can still process a transaction using the swipe and sign method. Nevertheless, it will be liable for any fraudulent transactions if the customer has a chip card. And vice versa: if the retailer has an EMV-compliant terminal, but the bank hasn't provided the customer with an EMV chip card, the bank will be liable.
Despite the proven ability of EMV to fight fraud, the United States was 10 years behind the EU in adoption, with costs of adoption proving to be the main barrier. Javelin reported that the United States has a payments infrastructure comprising over 1.2 billion payment cards and 8 million POS terminals. Before adoption, only 1.5 percent of cards and 10 percent of terminals were EMV compliant; it was estimated that it would cost $6.8 billion to bring U.S. cards to the EMV standard, according to Javelin.
Fighting CNP fraud
While EMV can greatly reduce CP fraud, it lacks effectiveness in tackling other types of card fraud, in particular, card-not-present (CNP) fraud. CNP is currently the most prevalent type of card fraud in the United States, accounting for 45 percent of all card fraud, and after full EMV adoption, it's likely that this will rise.
Countries that implemented EMV all saw instances of CNP fraud increase as criminals sought other ways to get hold of people's money. Nonetheless, failure to stop CNP fraud is not due to a lack of secure solutions, but rather a lack of widespread adoption of a consistent standard.
Many security solutions available in the market rely on passwords, tokens, and other ID and verification methods. Of all these innovations, biometrics is arguably most interesting. Biometrics relies on the unique biological characteristics of individuals to verify their identity.
Some of the latest innovations are: fingerprint identification, which has gained mainstream use and is already incorporated on the new Apple Pay wallets; facial recognition tools such as MasterCard's new "selfie" check; sound echo detection in the human ear; iris scanning; and even heartbeat measurement.
Security methods are at their best when they work in conjunction with others, a format known as multifactor authentication. When more than one authentication method is used, the layers of security work together to provide a far higher level of security than one method alone.
Multifactor authentication provides increased levels of security by combining two or more of the following elements:
- Something only the user knows (such as a password, code or personal identification number)
- Something only the user possesses (a token, smart card or mobile phone)
- Something the user is (a biometric characteristic, such as a fingerprint)
If multifactor authentication gains widespread adoption among financial institutions and becomes mandatory for financial transactions, it will greatly increase the security of CNP transactions and reduce levels of fraud. For the European Union member states, this is becoming more of a reality. The European Commission (EC) recently released the revised EU Payment Services Directive (PSD2), which seeks to regulate payment services and is binding in all EU member states. PSD2 requires all payment service providers to carry out "strong customer authentication" (multifactor authentication) before accepting online transactions, as reported by the European Banking Authority in 2014.
Similar provisions are not in force in the United States, but steps are being taken in the right direction, with authentication increasingly becoming the focus of U.S. governmental agencies.
A standard solution for U.S. payments
The Federal Financial Institutions Examination Council, which works to unify the supervision of financial institutions, published a number of guidelines recommending that high-risk transactions should use multifactor authentication. Details can be found in a March 19, 2013, LoginTC blog post, www.logintc.com.
Despite not being legally binding, the guidelines are treated by banks as baseline compliance for safe online authentication and transaction verification. However, this still leaves the United States without a legally enforceable regulation that will effect standardization across the U.S. payments landscape. It is important that the United States begin to standardize solutions across its vast network. Such harmonization is key to reducing fraud.
The FFIEC has been instrumental in bringing about changes through new directives, but other actors in the payments industry have also been receptive to new changes and innovations. The U.S. payments sector needs to embrace newer technologies and adopt innovative security solutions.
Christoph Tutsch is the founder and CEO of Opex GmbH. He set up and funded the company in 2010 to provide businesses with a better way of handling online payments. He is responsible for the overall direction of the business and its continuing growth around the world. A lifelong entrepreneur, Christoph was previously co-founder and director of several companies in the telecom and marketing industries. Contact him at firstname.lastname@example.org.