April 30, 2012
Why are my credit and debit cards still embossed?
Having spent a number of years in the payments business focused on cards, I commonly receive questions from family and friends related to cards. I would be a wealthy individual if I received a dollar for every time someone asked me, "When am I going to get a card with a chip in it?" Although I am not able to offer any specifics on timing, I do feel confident in telling them that they are coming within a given time frame.
This past weekend, a neighbor out for a leisurely weekend stroll stopped me and asked, "Why do I still have an embossed credit card?" I must admit that I was a bit stumped by the question and couldn't offer him a reasonable explanation. I could not recall the last time that I had seen a "knuckle buster" machine used to make an imprint of a card. And who hasn't struggled trying to read your embossed card numbers and expiration date to make an Internet or phone transaction? Still pondering the question a few hours later, I did recall the food delivery driver who brought the old carbon paper slip, along with our food, to the door and used a writing pen to make an imprint of my card. I am quite certain that over the past five years, this was the only time an imprint of my card has been made—and this includes using my cards for purchases in taxis, from food truck vendors, and in developing countries such as Honduras, and remote Caribbean islands.
One answer to the need for embossed cards lies with network chargeback rules. Both MasterCard and Visa subject merchants to chargebacks on key-entered card-present transactions with no manual imprint. A key-entered transaction takes place when the terminal cannot read a card's magnetic stripe, so the vendor has to input the card number and expiration date. Even when this occurs, I am not so sure merchants follow the network's chargeback procedures. Do you remember a merchant making an imprint of your card in the rare instance your card information had to be manually keyed? Maybe it's time for the card networks to re-visit their chargeback procedures.
Another reason for maintaining embossed cards is that apparently some merchants, both domestically and internationally, still rely on imprints for transactions. I do not think that I am alone when it comes to my extremely limited experience with manual card imprints over the past five to even 10 years. With highly reliable telecommunication systems and the ever-growing number of mobile card readers, perhaps the networks should require all transactions to be swiped (for mag stripe cards), dipped (for EMV chip cards), or tapped (for contactless cards).
So while I have several answers to my neighbor's question, I am not convinced any of them are reasonable explanations in this day and age. Cards are embossed primarily for legacy reasons, and this embossing is irrelevant for most transactions. Maybe as issuers transition to chip-embedded cards (hopefully), they could subsequently transition away from embossed cards. In a recent American Banker article, Andrew Kahr discussed one good reason to change to nonembossed cards, and that would be to allow banks to instantly issue cards. I am quite certain my eyes would appreciate that change!
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 30, 2012 in cards, chip-and-pin | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c016304f8a05b970d
Listed below are links to blogs that reference Why are my credit and debit cards still embossed?:
Comments
Posted by:
C. David |
May 01, 2012 at 08:50 AM
One of the reason that our company still issues embossed cards (in Europe) is that non embossed cards aren't taken seriously. This is obviously a public perception issue but when you have a piece of plastic with a printed PAN, expiry, etc, it just looks like a bit of a cheap imitation of a "real" card. I think this is most likely the biggest hurdle to get people using non-embossed cards.
For what it's worth, I haven't seen a knuckle duster in over 10 years, maybe even longer, but it's slightly different being in the UK as we migrated to EMV a while ago.
Posted by:
chunk |
May 01, 2012 at 07:04 AM
January 30, 2012
Is the United States payments industry following in the footsteps of the Netherlands?
The Forum recently took a dive into card fraud data from the many countries (not the United States, of course) that have tossed out their old magnetic-stripe cards and adopted the EMV standard. You can read the paper—it's available on our website—but here's a quick recap.
What we found in the data is a recurring pattern of fraud losses. For instance, the data show that chip-and-PIN has been highly successful in the domestic card-present environment in reducing counterfeit and lost or stolen card fraud. This chart depicts the United Kingdom's positive domestic card-present experience.
On the other hand, fraud on non-chip-and-PIN transactions—most notably in the card-not-present and cross-border environments—has actually increased. Ultimately, the net results to date on EMV chip-and-PIN's impact on total card fraud losses in these countries have been marginal. As an example, this next table shows Canada's growing card-not-present fraud loss trend.
The working paper uses the Netherlands experience as a case study because of the country's similarities to the United States. Much like the United States, the Netherlands was experiencing low rates of payment card fraud, so this country did not migrate to the EMV standard when all the rest of Europe was adopting it. Eventually, fraud loss rates in the Netherlands climbed, ultimately propelling the Netherlands banking industry into implementing chip-and-PIN.
Like the Netherlands, the United States is now seeing a growth of card fraud loss rates on both credit and debit cards. As we've blogged several times, the costs for an EMV implementation here in the United States have so far outweighed the fraud loss reduction benefits of chip-embedded cards, according to some industry stakeholders. But given the parallels between the United States and the Netherlands, it is reasonable to expect card fraud losses to continue to grow here as long as the industry relies on mag-stripe technology.
Clearly, there is a need for industry coordination for an EMV implementation to effectively reduce payment card fraud. Based on the fraud trends experienced by countries adopting EMV chip-and-PIN, implementing the EMV standard in the United States for only certain types of card products or without solutions for mitigating card-not-present fraud could lead to only a marginal reduction in total fraud losses as fraudsters seek to exploit the lowest hanging fruit.
It should be noted that while the card industry in each of the countries investigated in the working paper adopted PIN authentication, this method is only one of several options. The working paper focused on PIN authentication because of the abundance of card fraud and transaction data reported by these countries' payments industries.
For more details on the successes and failures that a number of countries have experienced in moving to EMV technology, read the paper on our website.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 30, 2012 in chip-and-pin, EMV, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0167615c8cea970b
Listed below are links to blogs that reference Is the United States payments industry following in the footsteps of the Netherlands?:
Comments
December 19, 2011
The many flavors of EMV
As 2011 comes to an end, EMV (Europay, MasterCard, and Visa) transactions are still the exception in the United States. However, the United States has made some progress towards an EMV migration—several financial institutions are now issuing EMV cards for select portfolios. Also, on the acquiring side, some large merchants voiced strong opinions during the year about adopting the EMV standard. And towards the end of summer, Visa announced details of its "chip migration and adoption of mobile payments acceleration plan."
The perceived cost of a full EMV migration has been a great barrier for the U.S. payments industry. Further complicating the migration are the different ways issues and merchants can implement EMV. In particular, the various transaction authorization processes of card authentication, cardholder verification, and payment authorization take place in an online or offline environment or a combination of the two.
This week's post highlights the differences between offline and online transactions and the implications for U.S. migration to EMV-supported card payments.
Offline EMV
Prior to the introduction of chip cards in the United Kingdom, cards used the same magnetic stripe technology that is currently the standard in the United States. However, the difference is that in the United Kingdom most card transactions were authorized offline. In an offline authorization environment, card transactions are batched over a given time period and then transmitted to issuers, usually at the close of business, for authorization. Because the offline authorization environment does not permit real-time authentication, fraud rates were significantly higher than in markets using online authorization. To mitigate the additional risk inherent in the offline environment, the United Kingdom adopted the EMV standard—more specifically, chip and PIN.
In an offline EMV chip-and-PIN transaction, the payment terminal communicates with the integrated circuit card (ICC), or chip, embedded in the payment card rather than using telecommunications to connect and communicate with the issuing bank. This communication between the ICC and terminal allows for real-time card authentication, cardholder verification, and payment authorization. However, because most payment terminals (not unattended terminals) now support online authorization, payment authorization usually occurs online while card authentication and cardholder verification usually take place offline.
Online EMV
In contrast to the United Kingdom's predominately offline authorization experience, nearly all card transactions in the United States are authorized online. This environment allows issuers to authorize transactions at the time of sale using multiple fraud and risk parameters.
In an online EMV transaction, the ICC-embedded card generates a cryptogram that is authenticated by the issuer during the authorization request. Assuming the card is authenticated and the merchant requires cardholder verification, either the terminal transmits the cardholder's encrypted PIN to the card issuer for verification or the merchant verifies the customer's signature to the signature on the card. Finally, for payment authorization, the terminal transmits payment-related information and a transaction-specific cryptogram to the issuer, which then authorizes or declines the transaction. This online payment authorization process is the same process that magnetic stripe cards currently use.
What does this mean for a U.S. EMV migration?
Unfortunately, the many methods for card authentication, cardholder verification, and payment authorization that EMV supports could lead to many different implementations in the United States. The few EMV-issuing financial institutions in the United States have reached no consensus when it comes to cardholder verification methods. Some issuers support offline PIN, others support online PIN, and still others support signature-only verification. Perhaps most critical to the EMV discussion is whether to support online or offline transactions, or both.
The costs associated with an offline implementation are higher. First, ICCs in an offline environment require an additional processor on the card—to support dynamic data authentication—that ICCs in an online environment do not. Second, PIN management in the offline environment involves manipulation of the PIN resident within the ICC, a process that requires issuers to purchase technologies they do not need in the online environment.
From a risk standpoint, both offline and online EMV card authentication support dynamic data and offer superior protection against counterfeit fraud compared to the magnetic stripe. For PIN cardholder verification, offline and online PIN offer the same protection against lost or stolen card fraud.
Offline EMV implementations were necessary in many markets around the globe because of a lack of telecommunications access at the payment terminals. Because the United States already operates in an online environment and the costs to implement an offline adoption are higher, the business case for an online EMV implementation is stronger than an offline adoption. Further, with most payment terminals in the world now supporting online transactions, global interoperability of online-only EMV cards is not the barrier that it was in the past.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 19, 2011 in cards, chip-and-pin, EMV | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01675efe7dfe970b
Listed below are links to blogs that reference The many flavors of EMV:
Comments
On your point relative to Online PIN I would like to suggest that most credit card networks (excluding the ATM portion) do not today support the transmission of the PIN from the POS device to the Issuer Host. To upgrade the credit networks to support the encryption and transport of the PIN to the Issuer has a cost. Not simply in the device but also in all the various processors in the chain. Further most POS devices now installed do not support Online PIN.
This whole question of Online versus Offline PIN is then compounded when one looks at the question of International acceptance. Again the International Credit Card networks and all the domestic networks would also need to support the transport of the PIN in order to allow PIN to be used as the means of cardholder verification.
Posted by:
Philip Andreae |
February 16, 2012 at 09:38 AM
August 22, 2011
Is recent EMV announcement the catalyst the U.S. needs to catch up?
During this past year, the team at Portals and Rails has published several articles exploring the growing risks in card-based payments and the need to move to a more sophisticated and secure enabling technology. But overhauling a payment system is no easy task, as there are many players that need to collaborate, from the card networks to the bank issuers and merchants. How does the industry organize itself to orchestrate a much-needed transition?
The merchant community in particular has rightfully expressed concerns over the infrastructure investment costs for card acceptance terminals. While they acknowledge the need to migrate to a more secure payment system that does not rely on outmoded magnetic stripe card technology, they understandably want a future-proof investment strategy.
Visa's recent announcement about its plans to accelerate chip migration and the adoption of mobile payments may just provide the clarity in direction and sufficient incentives to get merchants moving.
Reduced PCI compliance requirements and liability shifts: Carrots and sticks
Visa's plan will require merchants to invest in chip-acceptance terminals as well as bear responsibility for losses resulting from magnetic stripe card fraud if they continue to accept those cards beyond a specific transition period. Right now, the banks that issue the cards bear those costs. So Visa is essentially imposing a counterfeit fraud liability shift as the metaphorical stick to encourage merchants to comply with the plan. Since the United States is currently the last developed country to implement a plan to migrate to chip-based card payments and agree to such a liability shift, this is a significant move.
But Visa's plan also contains some compelling incentives for the merchant community. PCI data security compliance requirements are costly and increasingly ineffective in combating card fraud schemes like card skimming. The Visa plan will eliminate certain PCI compliance requirements for merchants for whom at least 75 percent of their Visa transactions originate from chip-enabled acceptance terminals. Merchants will still have responsibility for protecting customer authentication information such as security codes and PINs. The prospect for improved security coupled with the reduced PCI compliance costs should be a welcome benefit to merchants.
Building a future for mobile payments
By initiating a plan to migrate to both contact and contactless chip technology at the merchant point-of-sale, the Visa plan may actually speed up the adoption of mobile payments. Building out the acceptance infrastructure will be necessary to support contactless payments and other chip-based emerging technologies in the future.
Conclusion
The growing incidence of global card fraud schemes is drawing critical attention to the need to overhaul the U.S. card payment system. Not only are countries in the European Union moving to chip-and-PIN technology to support their card payments, but they've also discussed banning the acceptance of magnetic stripe cards as a possibility. What this means is U.S. travelers will not be able to use their payment cards abroad. As a matter of fact, if you've traveled to Europe lately, you've undoubtedly discovered that some merchants are not equipped to accept our U.S. payment cards now. The move to chip technology for card payments has been coming—but no one knew exactly when or how. Clearly for merchants, the Visa announcement represents a roadmap for the future.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
August 22, 2011 in chip-and-pin, payments, payments risk, risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c015390e620d5970b
Listed below are links to blogs that reference Is recent EMV announcement the catalyst the U.S. needs to catch up?:
Comments
March 14, 2011
Why U.S. issuers might be reluctant to adopt the EMV standard
A hot topic for Portals and Rails and the Retail Payments Risk Forum has been the replacement of magnetic-stripe cards with chip-and-pin cards in the United States. In fact, a recent industry blog labeled my colleague Rich Oliver "the first U.S. banking industry executive to publicly declare that a U.S. migration to the EMV payments standard is inevitable." Many countries around the globe have adopted or are in the process of adopting the EMV standard, but the United States has not budged, despite a recent European Payments Council resolution suggesting an end to mag stripe. Meanwhile, U.S. industry participants, including a large payment network and issuer, are investing in improving mag-stripe cards.
Let's consider the migration to EMV from an issuing perspective using recently collected debit card information by the Federal Reserve Board to assist with its responsibilities under the Durbin Amendment.
Current status of EMV in the United States
With the recent announcement that the Raleigh, N.C.-based State Employees Credit Union will convert its debit card portfolio to EMV by year's end, there are now two (yes, two!) small financial institutions in the United States committed to converting their portfolios to the EMV standard. If reports on fraud reduction since implementing the EMV standards in countries such as the United Kingdom are true, why then are U.S. issuers slow to convert to EMV? In last week's blog, Rich states that, given current fraud loss levels and fraud management and mitigation costs, there may not yet be a near-term business case for the migration to EMV. However, peeling back the onion another layer, a key difference in the authorization environments of the United States to other markets, such as the U.K., has led to lower levels of fraud, albeit at significant investment levels, and a fundamental reason behind issuers' reluctance to migrate.
Online versus offline authorization
Nearly all card transactions in the United States are authorized online. In this environment, the transaction authorization uses telecommunications at the time of a sale to route a merchant's authorization request to the issuer to approve or decline, based on a number of factors such as available funds or credit limit and multiple fraud prevention and mitigation checks. U.S. issuers and networks have invested heavily in fraud prevention and mitigation controls for online authorization programs. As a result, issuers have recognized relatively low levels of card fraud—approximately $.02 per debit transaction, or 5.4 basis points of transaction value. For PIN-based debit transactions, these numbers are even lower: $.01 per transaction, or 3.3 basis points of transaction volume.
Unlike the United States, the United Kingdom has primarily been an offline authorization market. In this scenario, the transactions are not authorized at the time of sale, but rather are batched throughout a given time period and transmitted to the issuers. Most importantly, this type of authorization process does not support PIN debit transactions using magnetic-stripe technology. While the EMV standard supports both online and offline authorizations, the reduction of fraud for offline authorizations was a key driver of implementation in the United Kingdom, as EMV allows for offline authorization at the time of sale.
According to analysis of data from the UK Payments Administration, fraud rates on all cards at the end of 2004 (near the beginning of the EMV implementation) were significantly higher than fraud levels currently seen on debit cards in the United States. However, by June of 2010, fraud in the United Kingdom has fallen by more than 50 percent to £.03 per transaction, or 6.6 basis points of transaction volume, which is still higher than debit card fraud rates experienced in the United States today.
Will there be a case for U.S. issuers to adopt the EMV Standard?
With approximately 500 million debit cards in circulation in the United States, relatively low levels of fraud, and significant investments into current authorization systems, it seems reasonable that debit issuers currently have little appetite for investing in the EMV standard today. While recognizing that the credit card story might paint a different picture with higher fraud losses, the fact remains that both issuers and networks have made significant investments in authorization systems to prevent and mitigate credit card fraud from which they don’t appear to be ready to walk away.
In light of U.S. issuers' shunning the EMV standard to date, here are some questions for industry participants to ponder. Will there be a tipping point for the United States to adopt the EMV standard? If so, what will that tipping point be? Can the global card payment market exist in an environment similar to the electrical market, whereby the United States uses 110-volt electricity while most of the world uses 220 volt? Can chip-and-pin prepaid cards such as the Travelex Cash Passport Currency Card address differences in global payment standards for U.S. issuers in a way that electrical adapters address the voltage issue?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 14, 2011 in chip-and-pin, EMV, payments systems | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0147e334dd29970b
Listed below are links to blogs that reference Why U.S. issuers might be reluctant to adopt the EMV standard:
Comments
March 07, 2011
Moving to chip-and-pin: The cost of foresight versus the price of hindsight
As I watched the dramatic events in the Middle East unfold over the past few weeks, I realized that revolution may be the only form of change in the world today that takes less than five years. This seems particularly true in the payments industry, where managing new technology is at the heart of the change process.
It has taken six years to implement Check 21 in the United States. Meanwhile, Canada has established a five-year plan to move to chip-and-pin technology for payment cards. The United Kingdom has announced a plan to eliminate checks in seven years, with a five year checkpoint. In Europe, the goal of achieving seamless cross-border payments services as codified in the Payment Services Directive is in its fourth year of implementation, and talk has turned to setting another set of deadlines for mandating implementation of actual payment traffic, as opposed to technical readiness.
The common thread in each of these as-yet-uncompleted initiatives is that they are all actually under way. They have a start date and an anticipated finish date, a known goal toward which all participants are driving. At such time that each effort was initiated, there was someone, or perhaps many "someones", who determined that there was a compelling societal, if not individual participant, business case for moving forward toward a somewhat distant vision.
Today in the United States, however, in the wake of the economic crisis that has created a backlog of payments and IT initiatives, new investments seem stalled under the jaundiced eyes of senior financial planners. In essence, key projects whose deliverables we know we will need in five years are in danger of never getting started. Why? Because a present business case based in today’s experience is hard to construct, and funding for projects with better short-term results may be given precedence over far more strategic long-term projects with better net-present-value results.
A case in point may be the effort to move from magnetic stripe card technology to the more fraud-resistant chip-and-pin technology now being deployed throughout the rest of the world's developed nations. My colleagues and I have written about this issue previously, and some very smart friends of mine in the industry have assured me that current card losses, and I assume current all-in costs of card fraud management and mitigation, are just not bad enough to create a positive business case for change, particularly for large issuing banks who are potential market movers.
My problem, however, lies in the fact that the business case should not be based on current costs, but rather on the anticipated costs five years from now when implementation is likely to occur and depreciated investment costs actually come on line. Of course, the $64,000 question is, "What costs of fraud should we forecast for 2016?"
Frankly, no one actually knows that number, but we do know that it is very likely to be much higher than today if the United States is the last developed country on the planet to move away from mag-stripe cards. The problem is further complicated by the fact that best estimates for fraud cost growth should be augmented by less quantifiable "soft" costs that also loom in the distance. For example, if other nations decide to no longer dual-provision their cards with mag stripes in order to prevent the immigration of fraud from the United States, what costs will U.S. banks incur to continue to provide services to their globetrotting customers? Will we be the ones now having to dual-provision our cards with chip-and-pin? Several U.S. financial institutions have already announced plans to do that very thing. Additionally, with no planned changes in sight, U.S. banks will be tempted to invest in bridge technology to mitigate the growing cost of mag-stripe fraud, thereby inflating the multiyear cost picture with interim investments.
What then should we do? Perhaps we should follow the lead of the U.K. Payments Council's efforts to signal the end of checks as a payment instrument. That is, establish a long-term roadmap for desired change by picking a reasonable future date for a move to chip-and-pin, set some known interim checkpoints for further reflection, and begin an orchestrated process of educating merchants and other key players on optional ways to make the change. With such a target in place, all parties—merchants, issuers, acquirers, processors, card brands, suppliers—could then make better interim investment choices aimed at minimizing long-run costs while maximizing short term benefits to their customers.
One of my favorite movies is Field of Dreams, in which the owner of an Iowa cornfield devotes some of his acreage to the fanciful construction of a baseball field on which the spirits of great players from the past gather each night to play. The movie's famous line, "Build it and they will come," may be the answer for some of our complicated payment investment decisions. Who then should make the call? Absent a probably not-so-welcomed mandate from Congress or a government agency, the job falls to enlightened market forces anxious to control their own destiny. Many groups like the Smart Card Alliance, the Merchants Advisory Group, and others have begun to lay out multiyear roadmaps. My hope is that huddling around these and other ideas in the very near future might be the best way to proceed. Without such efforts at collaboration, I have a gut feeling that five years from now we may, as an industry, be reflecting on the fact that, regardless of the end date, we should have started sooner.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
March 7, 2011 in chip-and-pin, fraud, payments | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0147e30e3e51970b
Listed below are links to blogs that reference Moving to chip-and-pin: The cost of foresight versus the price of hindsight:
Comments
February 28, 2011
Gains made in reducing identity theft, but significant fraud losses still loom
Was it a mere coincidence that the day following the release of Javelin Strategy & Research's 2011 Identity Fraud Survey Report, CNBC aired American Greed: Operation Get Rich or Die Tryin'? This show examines Albert Gonzalez's hacking into computer networks of retailers (most notorious, TJX Companies) and a payment processor (Heartland Payment Systems) and the subsequent extensive fraud using compromised credit and debit card information.
While the CNBC story was intriguing, Javelin's 2011 report just might be even more intriguing given the surprising results that identity thefts and the related losses in 2010 were at their lowest levels since 2003, when the survey began. In 2010, the incidence rate for existing card account fraud stood at a lowly 2.3 percent and only 7 percent of consumers were notified of a data breach, compared to 11 percent in 2008. While many factors are responsible for these low levels, it seems that preventive and detection measures by financial institutions, merchants, and consumers are playing a positive role. However, the fact remains that in the current magnetic-stripe environment, all parties could still experience significant losses from counterfeit cards if a large data breach were to occur.
Merchants and PCI implementation: Success in reducing data breaches
At year-end 2010, Visa reported that 96 percent of its Level 1 and 2 merchants (merchants with more than 1 million transactions a year) were compliant with the Payment Card Industry Data Security Standard (PCI DSS), and 100 percent had been validated as not storing prohibited data. For smaller merchants (Level 3 and 4), Visa reports moderate PCI DSS compliance but does not offer any figures. Watching the CNBC special, it was a bit harrowing to fully understand the amount of card and personally identifiable data that merchants and processors store, sometimes without even encrypting the data. The PCI DSS was put into place to not only require the encryption of data, but also prohibit the storage of certain sensitive cardholder authentication data such as full magnetic-stripe data, CVV2 codes, and PINs. In the event that a PCI DSS-compliant merchant is hacked, it would be much more difficult to perpetrate a fraud as extensive as Albert Gonzalez and his accomplices pulled off. It’s possible that these strict data standards have been effective in thwarting fraudsters and hackers.
Financial institutions and consumers working together to reduce detection times
Not only are the incidence of existing card account fraud and related losses stemming from identity theft at all time lows, the detection time—and subsequent losses—for this type of fraud is significantly shorter than for existing noncard fraud and new account fraud. According to Javelin, 31 percent of all existing card fraud is detected within a day or so, and nearly another 30 percent within a week. The top three fraud detection methods as reported by Javelin are notification to a consumer by a financial institution, consumer's monitoring of accounts through paper statements, and consumer's monitoring of accounts through electronic means or ATM. With increased availability, and consumer usage, of online and mobile banking, consumers can more easily monitor their accounts and more quickly identify fraudulent transactions than with the traditional method of a monthly paper statement. Many financial institutions are also being proactive in their battle against fraud by using the mobile channel to push notification alerts of potential fraudulent transactions to the consumer. According to Javelin's 2010 Banking Identity Safety Scorecard, 85 percent of the top 30 banks or credit unions offer mobile phone alerts.
Still vulnerable from the mag stripe, but where to go from here?
Even though we've taken great strides to reduce identity theft and related fraud losses, we can't make the same claim for card technology in the United States. As history shows us, fraudsters are often a step ahead of the industry. And unfortunately, implementation of new standards and technology is often reactive to the latest fraud rather than proactive to fraud that could happen. As long as the United States remains a magnetic-stripe country, we'll continue to have the risk for widespread fraud losses from the counterfeiting of magnetic-stripe cards.
Visa recently recognized the importance of chip-and-pin along with PCI DSS compliance when it announced its Technology Innovation Program (TIP). With TIP, merchants will no longer have to go through costly annual PCI DSS validation if 75 percent of their Visa transactions are completed at chip-and-pin-enabled terminals—but TIP is not available to merchants in the United States. Though much has been written about the lack of a business case for contact or contactless chip form factors in the United States, will continued mag-stripe fraud and the potential for even larger losses—all while the rest of the world migrates to chip-and-pin—finally build that case?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 28, 2011 in chip-and-pin, fraud, theft | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c014e8663ed46970d
Listed below are links to blogs that reference Gains made in reducing identity theft, but significant fraud losses still loom:
Comments
February 14, 2011
Can mobile address the rising tide of fraud in card-not-present transactions?
Combating fraud in credit and debit card payments is a challenge for all payment system participants, from the banks that issue the cards to the merchants that accept those cards as payments for goods and services. One particularly troubling channel, with a rising incidence of card fraud, is on the Internet. Retailers are increasing their efforts to attract customers online with discounts, online-only specials, and free shipping and returns. While the use of cards for website payments, also known as card-not-present (CNP) transactions, is inherently riskier than face-to-face transactions at a merchant's point-of-sale, the dramatic rise in e-commerce suggests it is a trend that is here to stay. As the mobile channel develops for card payments, can the security capabilities of mobile handsets protect consumers against CNP fraud?
CNP fraud: The U.K. experience
While data regarding fraud loss and mitigation costs are hard to come by in the United States, the U.K. Card Association gathers information that we can use as a good proxy for gauging experiences in other markets. This organization found that as the Internet environment has become an increasingly hospitable environment for commerce, CNP has risen dramatically, from just 16 percent in 1999 to 60 percent of total card fraud losses in 2009.
As we noted in an earlier 2010 post, CNP fraud escalated when the U.K. migrated from magnetic stripe technology to credit cards with microcomputer chips. Consequently, the more secure technology at the point of sale drove fraudsters to the more vulnerable online channel.
However, the U.K. took quick action against CNP fraud, implementing better screening and detection tools and, in 2009, U.K. CNP fraud actually declined 19 percent.
Though not directly measurable, CNP fraud, industry experts agree, has made its way to the United States, where the magnetic stripe card technology remains prevalent. In fact, according to the U.K. Card Association's 2010 report, the majority of online payment fraud involves the use of card data obtained through illicit means such as card skimming, a crime that is actually mitigated with chip technology.
Growing Internet sales and CNP: A perfect storm?
According to a report by Javelin Strategy & Research, which forecasts online retail payments, the United States has fostered a robust online transaction market in recent years despite the economic downturn. This trend is expected to continue as consumers and merchants alike become increasingly comfortable conducting e-commerce for everyday goods and services.
The proliferation of smartphone applications for retailer websites along with a broader use of social media to distribute coupons and loyalty rewards are working together to drive consumers to shop online where card payments are widely accepted.
As merchants embrace a rise in retail sales, how do we mitigate the growing threat of CNP fraud in the United States?
Mobile security advantages
One benefit of a contactless mobile payments system is the potential to reduce fraud by eliminating magnetic stripe technology in favor of more intelligent chip technology, which has better security features for combating CNP fraud. The future mobile payments system introduces the ability to layer security tools unique to both the hardware and software resident in the mobile handset. Furthermore, the chip that enables the payment can contain account credentials and additional authentication factors, including location awareness applications, which can enhance the security of the payments transaction.
It is time that merchants, issuers, and payment regulators seriously consider the growing threat of CNP fraud in the debate on how and when to move to more secure payment methods.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
February 14, 2011 in chip-and-pin, contactless, fraud, payments systems | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0147e292a87f970b
Listed below are links to blogs that reference Can mobile address the rising tide of fraud in card-not-present transactions?:
Comments
October 25, 2010
Can mobile payment adoption define the "end game" for technology investment?
Payment cards in the United States have been stuck for years in a chicken-and-egg quandary when it comes to chip technology. Merchants are reluctant to invest in developing the technology until consumer demand for it is there. But without the technology, it may be that consumer demand just won't be there. Add to this the competing forces that are at play: various stakeholders are pulled in different directions—contact versus contactless technology—and the cost of capital for technological investment is borne disproportionately among these stakeholders.
At the same time, we hear anecdotal evidence that losses from payment card fraud are on the rise. As we've described in previous posts, like this one, this trend could change the paradigm, spurring those in the industry to invest in more fraud-resilient, smart-card technologies. With this pressure, it's inevitable that payments card will shift from magnetic strip to chip card technology. But the problem is that chip card technology is constantly evolving, and those stakeholders bearing the costs for investment in new computer chips and terminal hardware infrastructure want some assurance that their investments are sound before they choose which technology path to follow, contact, or contactless.
In the interest of promoting global interoperability as well as battling magnetic-strip payment card fraud, now may be the time for an industry dialogue on a strategy for investment in smart technology. One question we should be asking ourselves in this discussion is, should we avoid investing in contact card technology if contactless mobile payments represent the end game?
Smart card basics: Contact versus contactless
Contact and contactless smart cards are so named because of the way that the embedded computer chip communicates with a terminal at a merchant's point-of-sale or at an ATM. In the case of contact technology, the data stored in the embedded computer chip is transferred to the reader when the card physically touches the reader. With a contactless card, the data is transferred using some type of radio frequency transmission such as near-field-communication (NFC) technology, which is the current contactless card technology standard. NFC technology, of course, precludes the need for a physical connection between the card and the reader. The user can use it in a variety of devices, including the mobile phone. Importantly, contactless technology in the chip can work with the phone itself to authenticate the user and thereby reduce payments fraud.
Countries that rely on smart card payments are using various combinations of contact and contactless payments that conform to certain security standards and specifications to protect consumers and merchants from payments fraud. To encourage consumer adoption, some issuers have introduced dual-interface cards, with both contact and contactless functionality, so that consumers can use either card at the point-of-sale terminal. This approach, with a dual-interface card, optimizes utility for consumers as retail payments evolve to the mobile channel, potentially empowering both the use of contact cards and contactless mobile payments.
The outlook for contactless mobile payments
Although the evolution of mobile payments in the United States has so far been slow, merchants are introducing new pilots with increasing frequency, and many industry stakeholders want to accelerate the deployment of a universal contactless mobile payments infrastructure. Moreover, U.S. consumers are relying more and more on their mobile phones for new and unexpected applications, which points to a good chance of success for mobile-based payments and related activities in the future. In fact, according to a report from the Pew Research Center, 85 percent of American adults today own a mobile phone, more than any other device.
|
|
|
|
Building consensus in the face of market forces
The recent deployment of contactless card payments in global markets is contributing to the establishment of an infrastructure for contactless mobile. In essence, here in the United States, we can go in either direction, contact or contactless. However, in a world where all stakeholders shared the same fully transparent information and vision for the future, could it be possible to leapfrog spending our investment dollars on contact cards and readers and instead use capital on contactless technology? We can avoid the costs for interim technology solutions if industry stakeholders can agree on a future direction despite the different economic incentives and costs demanded. Really, if NFC deployment is the ultimate endgame for mobile payments, bypassing the investment in contact technology as an interim step is a viable, if not ambitious, consideration.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
October 25, 2010 in cards, chip-and-pin, consumer protection, contactless, mobile payments | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013488750d21970c
Listed below are links to blogs that reference Can mobile payment adoption define the "end game" for technology investment?:
Comments
July 26, 2010
Can chip-and-pin technology address payment card fraud in the United States?
Last week's blog discussed how the United States has been slow to adopt the chip-and-pin payments card technology that many other countries are already using. We suggested that the continued reliance of the United States on the magnetic-stripe standard leaves consumers here more vulnerable to fraud. In fact, the Federal Reserve Bank of Kansas City recently published a paper that looked at global security standards within the payment card industry and found that "the difference between U.S. fraud rates and those in other countries is sufficiently large."
This week's blog looks a little closer at some of the numbers behind magnetic-stripe and chip-and-pin payment cards, including the cost of payment card fraud in the United States and what it would take to move to the EMV chip-and-pin technology. (Recall that EMV is an abbreviation for the originators of the standard: Europay, MasterCard, and VISA. EMV is now also owned by other card companies: the Japanese company JCB and American Express.)
Fraud losses on credit, debit, and prepaid cards in the United States totaled $6.89 billion in 2009, up 7 percent from 2008—a figure said to be on pace to reach $10 billion by 2015. According to PULSE 2010 Debit Issuer Study debit card fraud for signature-based debit card fraud increased 43 percent last year and personal identification number (PIN) debit card fraud loss rose by 24 percent.
|
|
| ENLARGE |
Exploiting the weakest link
The magnetic stripe stores data on a band of magnetic material on the back of a credit card. The stored data on a magnetic stripe can be read by swiping the card through a reader. The chip-and-pin card, on the other hand, most commonly exists as a smart card embedded with a microchip. The microchip can store a unique PIN, which ultimately replaces the cardholder's signature and can be used in contact or contactless mode. Chip-and-pin cards can therefore protect against card swipe fraud, cloning, and stolen data from lost or stolen cards—the most common kinds of fraud experienced by magnetic stripe cards.
Protecting payment cards: Security versus cost concerns
The implementation of chip technology will require a merchant to use new hardware and the consumer to use a new smart card with a microchip. Javelin Strategy & Research estimates the basic cost for the implementation of the EMV chip standard stands at $8.6 billion. Is this a figure the payments industry is ready and willing to dispense in this current economic climate? Today, we know of at least one U.S. financial institutions that have migrated to EMV. Will this cause others to migrate, or is it too early to tell?
Defining the next logical approach
Some experts predict that the globalization of the EMV standard will drive the initial issuance of chip-and-pin cards in the United States. Other experts do not foresee the United States' immediate migration to chip-and-pin cards. Yet the growth of U.S. chip payment cards may prove migration to EMV sooner than most believe.
Continuously guarding against debit and credit card fraud loss solidifies consumers' confidence in card payments and the financial system. EMV chip-and-pin and its methods for combating payments card fraud seems like a natural choice to replace the magnetic stripe card in the United States. With Europe, and other parts of the world, documented success rate in combating payments card fraud since their move to EMV chip and pin, it may turn out that EMV chip and pin's global interoperability may become the next security vehicle that can rein in magnetic stripe card fraud.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
July 26, 2010 in chip-and-pin, EMV, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013485a00088970c
Listed below are links to blogs that reference Can chip-and-pin technology address payment card fraud in the United States?:
Comments
A large number of vendors will accept signatures for card transactions without even looking at the card. They don't ask for identification to verify the card holder. The resulting fraudulent transaction usually becomes the liability of the bank. Obviously, the vendor isn't regulated and has little liability. It is past the time for chip-and-pin cards. Signatures (although convenient for the customers) should no longer be allowed. At least if the card number is compromised, the chances that the PIN number is also compromised, is slim. The EMV standard for tighter security doesn't seem to be progressing very quickly. For the protection of our customers and banks, we should be one of the front runners in a push for more security of our card transactions. Instead, we are at the mercy of the EMV standards which don't seem to be keeping up with the rest of the world.
Posted by:
Michelle Johnson |
September 14, 2010 at 11:49 AM
As an argument against adopting EMV, critics have pointed to EMV fraud weaknesses, such as susceptibility to man-in-the-middle-attacks. On the other hand, other countries that have adopted EMV and Chip-and-PIN have witnessed a reduction in counterfeit and skimming fraud. While EMV may not be foolproof, it is important to keep in mind that any single fraud deterrent solution needs to be part of an larger, overarching fraud strategy. Financial institutions still need build in layered security into their products and implement vigorous application screening controls when issuing cards to new clients. Also, financial institutions should integrate enterprise fraud management systems and real-time analytics to more accurately predict fraudulent transactions as they happen.
Also, to address the debate as to whether or not the U.S. should adopt EMV, the good news is that we are ready for it. The smart card technology infrastructure that supports EMV or Chip and PIN is already available today and will even be able to evolve with next-generation chip-based card innovations.
Thanks, Jim!
Posted by:
Jim Schlegel |
August 04, 2010 at 01:44 PM
EMV in the U.S. business case:
U.S. EMV Migration Cost = $8.6 billion (once off);
U.S. Card Fraud = $6.89 billion (per annum);
ROI = 1.25 years!
Cost savings over next 5 years = $34 billion!
Even assuming a 100% error in the migration estimates, its still an ROI less than the average 3 years a card is valid.
I'm not an Economist, but this looks like a pretty good investment to me. I say go, go, go! :)
Posted by:
Wynand Vermeulen |
August 04, 2010 at 06:24 AM
One thing to consider as a positive for embossing is someone who has difficulty seeing; they can feel the embossing if they are using the card over the phone, or even if they are swiping at POS to make sure they're getting their card back.
Of course, what I've found when designing card plastic is that embossing can also step on the text on the back of the card, obscuring fun things like Customer Service phone numbers.
Your article makes a good point tho; do we really need embossing in the 21st century, especially with the push to EMV that will happen in the next few years?