Six months after the October 2015 U.S. EMV (Europay, MasterCard and Visa) deadline, consumer chip card distribution is sluggish and merchant adoption is even slower. And based on other countries' experiences, fraud experts predict the United States will see an onslaught of card-not-present (CNP) fraud.
The Green Sheet recently interviewed Tim Critchley, Chief Executive Officer of global voice security company Semafone Inc., to learn more about the similarities and differences between the U.S. and other countries' post-EMV fraud experiences.
We definitely see an increasing concern among our merchants here in the United States around issues of card-not-present security. I suspect that is in response to concerns that the EMV implementation is shifting fraud to these channels. We saw it in the U.K. when chip-and-PIN was introduced there, and though it is still a little early to see data trends, the industry believes these are valid concerns.
There's no denying that in the U.K., there was almost a 180-degree shift. However, the industry 10 years ago was different from today. There are more transactions now, and merchants can take payments in many different environments. There is also a significant difference between chip-and-PIN and the chip-and-signature systems being implemented in the United States.
There has also been rapid adoption of frictionless ways for consumers to pay, and the industry is also investing considerable resources in prevention. This creates a different measuring landscape, so it is going to be hard to compare.
Nevertheless, what we saw in the U.K. with EMV shifting the fraudsters away from the physical retail target, as well as later in Canada, suggests the fraud shifting to CNP channels in the United States is very likely to occur.
There are three main risk areas in the call center:
In the call center, in particular, fraudsters are using stealthy social engineering methods to hack systems, and their tactics for getting CSRs to open up networks are becoming more sophisticated. They often come in through emails that pose as people in the company to get someone to divulge information that helps them capture the data they're after.
We've also seen examples of USB drives being left around in public areas where certain agents would go. It's very easy to mistakenly pick that up and plug it into a network, triggering an attack.
Social engineering is a vital part of any company's security strategy and approach. A training and education program for employees on how to be wise on this type of fraud to protect the company is always smart. We naturally like to trust and believe people's intentions are good. Unless we are conscious of the potential risks, it can be easy to innocently open a door to a fraudster.
Both merchants and the payments industry have responsibilities for how to grapple with fraud. The numbers are big - $5 billion is lost annually in the United States to fraud. Everyone should take it very seriously.
In the U.K., there are lots of ways companies can protect themselves, including third-party storage vaults. The overriding philosophy is you can't be hacked for data that you don't hold, so if you don't need to store or keep it, hand it off to a company who can protect it.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.