GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View flipbook of this issue

Care to Share?

Table of Contents

Lead Story

Change agents, the democratization of retail

Ann Train


Industry Update

Visa unlocks innovation

Small Business Finance Association lays out guidelines

NYPay panel deliberates blockchain's future

Transaction Alley drives fintech innovation


Online lending drives main street small business satisfaction and growth

Approaches to prepaid program management

Are CNP fraud warnings on target?

Mobile rules the roost


Trade Association News: Transact 16: A defining moment for post-disrupted payments

Beating the payment fraud carnie game

Patti Murphy
ProScribes Inc.

Can ISOs and MLSs sell banking services?

Brandes Elitch
CrossCheck Inc.


Street SmartsSM:
The alternative small business loan

John Tucker
1st Capital Loans LLC

Review residual reports, protect your profits

Jeff Fortney
Clearent LLC

Education, the key to unlock consumer innovation adoption

David Poole

Strategic conclusions traditional acquirers can draw from Square

Marc Abbey and Brooke Ybarra
First Annapolis Consulting

Company Profile

Go Direct

New Products

Newly enhanced payment platform for small to midsize merchants

Genius STX
Cayan LLC

Compact, versatile EMV solution

Miura Systems Ltd.


Applying the five W's to merchant services


Letter from the editors

Readers Speak

GS Book Notes

Resource Guide


A Bigger Thing

The Green Sheet Online Edition

May 09, 2016  •  Issue 16:05:01

previous next

Are CNP fraud warnings on target?

Six months after the October 2015 U.S. EMV (Europay, MasterCard and Visa) deadline, consumer chip card distribution is sluggish and merchant adoption is even slower. And based on other countries' experiences, fraud experts predict the United States will see an onslaught of card-not-present (CNP) fraud.

The Green Sheet recently interviewed Tim Critchley, Chief Executive Officer of global voice security company Semafone Inc., to learn more about the similarities and differences between the U.S. and other countries' post-EMV fraud experiences.

What has your company seen after the first six months of EMV transactions in the United States?

We definitely see an increasing concern among our merchants here in the United States around issues of card-not-present security. I suspect that is in response to concerns that the EMV implementation is shifting fraud to these channels. We saw it in the U.K. when chip-and-PIN was introduced there, and though it is still a little early to see data trends, the industry believes these are valid concerns.

Are the U.S. statistics expected to parallel what occurred internationally following EMV adoption?

There's no denying that in the U.K., there was almost a 180 degree shift. However, the industry 10 years ago was different from today. There are more transactions now, and merchants can take payments in many different environments. There is also a significant difference between chip-and-PIN and the chip-and-signature systems being implemented in the United States.

There has also been rapid adoption of frictionless ways for consumers to pay, and the industry is also investing considerable resources in prevention. This creates a different measuring landscape, so it is going to be hard to compare.

Nevertheless, what we saw in the U.K. with EMV shifting the fraudsters away from the physical retail target, as well as later in Canada, suggests the fraud shifting to CNP channels in the United States is very likely to occur.

Are call centers particularly vulnerable to fraud?

There are three main risk areas in the call center:

  1. Customer service representatives (CSRs) may unwittingly open up a back door. You also get the criminal agents that are hacking for their own benefit or may have been coerced by criminal gangs to help them extract data.
  2. The basic network is also a target, and big organizations with lots of systems often have card data floating around. The network is always open to cyber attacks, so the infrastructure is a big area of risk.
  3. Specialist systems, such as agent customer relationship management, call recording and voice over Internet protocol systems, also present fraud possibilities.

How does social engineering factor into payment card fraud?

In the call center, in particular, fraudsters are using stealthy social engineering methods to hack systems, and their tactics for getting CSRs to open up networks are becoming more sophisticated. They often come in through emails that pose as people in the company to get someone to divulge information that helps them capture the data they're after.

We've also seen examples of USB drives being left around in public areas where certain agents would go. It's very easy to mistakenly pick that up and plug it into a network triggering an attack.

Is there a greater need for social engineering in the United States to prepare for post-EMV fraud?

Social engineering is a vital part of any company's security strategy and approach. A training and education program for employees on how to be wise on this type of fraud to protect the company is always smart. We naturally like to trust and believe people's intentions are good. Unless we are conscious of the potential risks, it can be easy to innocently open a door to a fraudster.

Both merchants and the payments industry have responsibilities for how to grapple with fraud. The numbers are big - $5 billion is lost annually in the United States to fraud. Everyone should take it very seriously.

In the U.K., there are lots of ways companies can protect themselves, including third-party storage vaults. The overriding philosophy is you can't be hacked for data that you don't hold, so if you don't need to store or keep it, hand it off to a company who can protect it.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | USAePay | Impact Paysystems | Electronic Merchant Systems | Board Studios