In Wake of EMV Switch, US e-Commerce Fraud Soars!

Payments Specialist, Risk Specialist

As the US switched to EMV chip cards system, e-commerce fraud rates jumped by 33% last year, according to Experian. In late 2015 the US finally followed much of the rest of the world when Visa and other card schemes switched the liability for fraud-related losses to retailers that have not upgraded their hardware for EMV.

Experian notes that the increase in e-commerce fraud follows a similar trend pattern from countries that previously rolled out EMV cards – UK, France, Australia, and Canada – that also saw gradual increases in card-not-present fraud.

“We suspect that the EMV liability switch and increased adoption by merchants of chip-and-pin enabled terminals have had a profound impact on driving up e-commerce attacks,” says the firm.

Fraudsters that typically relied on committing counterfeit fraud have shifted their focus to the digital channels where they could have more success, and as more attackers enter a rapidly growing mobile and online commerce space it becomes increasingly difficult for merchants to spot them.

This means that businesses need to expect the increase in e-commerce fraud to continue over time and to be prepared to deal with it by employing a multi-layered approach that pairs transactional data elements with details about the user and their device.

Experian says that the biggest component of credit card fraud trends is the fact that 2016 was a record year for data breaches. There were 1,093 breaches, a 40% increase from 2015, according to the Identity Theft Resource Center.

Meanwhile, the Federal Trade Commission recently revealed a jump in consumers who reported that their stolen data was used for credit card fraud, from 16% in 2015 to more than 32% in 2016.

The record number of data breaches is a signal that future fraudulent activities will take place, warns Experian.

What Bill Trueman, an Eminent Risk Specialist Says About This:

1. Of course e-commerce fraud will rise. It is rising everywhere as e-commerce and m-commerce get used more.

2. Naturally, if you stop fraudsters using cards at the point of sale with EMV, they will move to CNP.

3. If you do not put in protections in your CNP channel, fraud will rise.

4. USA fails to adopt (or plan for) protections in the e-commerce channel.

5. The late adoption of EMV in the USA, has caused a lot more data compromises for longer in this market.

6. EMV adoption is starting to see fraudsters deterred from CO fraud opportunities already as they move to other softer targets.

Bill Trueman is an eminent independent payments and risk specialist helping business and bank owners manage risk & fraud and save millions. He is director of globally well known RiskSkill, and UKFraud and is an active member of a worldwide fraud and risk advisors organization i.e. AIRFA.

Advertisements

Cameras at the POINT OF SALE? Worldpay Trial Analysis

As a risk, security, fraud, compliance specialist; I should be shouting from the rooftops that this MUST be a great idea to reduce the risks and add a layer of security to the transactions. But in reality, it is not that simple, and veers towards being a big mistake and a legal and operational disaster waiting to happen.

EMV Chip Card

CUSTOMER POSITION

I am also a customer. I am a customer of a bank that issues me with a card and a customer of a retailer where I shop. As a customer of a bank who issues me with a card, I might be happy to let them have a picture of me to put on my card or to make sure that it is me that visits their ATM. But when I signed up for a trial 20 years ago for this, I had to give explicit consent for my issuer to store and use these details on the card and on their systems.

In this case, it is not my issuer that is collecting my photograph or checking it. It is not even the retailer that I am transacting with who is collecting it; it is the bank who is processing the card for the merchant; and as a customer, I DO NOT WANT MY PHOTO taken, kept or processed by the retailer, nor do I want the merchant’s acquirer to keep or store it without my consent.

This is an invasion of my privacy. Do not do it. You have no consent from me to take, keep, store or use my personal details (my photo and card details) for any other purpose than is necessary to undertake the transaction. Indeed, you should be encrypting and anonymising my personal details as is required by many anti-fraud measures, and mandates in-play at the moment. Just how legal this is we will no doubt learn from the Information Commissioner in days, weeks to come. The fraud issue is one for my card issuer, and is of no interest to the acquirer (or merchant) so long as I use a card with a CHIP and a PIN and an EMV protocol.

SECURITY POSITION

OK – so in the customer journey, there is no justification, but what about the security. We have already established that this is not the acquirer’s problem. The acquirers need to focus their attentions upon making their part of the process secure, with encryption, stronger depersonalisation (tokenisation) of the transaction, storing less data, and not losing data. They should also focus upon looking for unusual transactions that are likely to cause future difficulties and improving security at the till, staff training, improving merchant awareness, ensuring PCI DSS conformity and clarity and better terminal and tampering awareness and notifications; all of which could help stop compromises, data theft and attacks that cause £€$millions in losses and crime at the point of sale.

It is a pure folly to introduce a ‘photo at the point of sale’ (as well as a customer invasion of privacy), and certainly NOTHING to do with improved security or reduced fraud: and a big diversion from more important things that MUST be done at the point-of-sale to help security, and help the merchants.

Equally, it is not too great a security foundation to start letting ALL acquirers (WorldPay is one of many 100s globally) store data somewhere without controls. And how legal is it for them to store pictures for those from other countries, or of a picture of my child hanging on to me.

STRATEGY

I would suspect that the eye catching ‘biometric trials’ headlines will make it all sound like a good idea, and let’s all applaud Worldpay for ‘doing something’ – even if it has not been fully thought out yet. But I would suspect that these trials are not very big at all yet – maybe just a staff canteen? – as the legal issues may not yet have been addressed or looked at properly yet. I am also certain that the Information Commissioner will not have been involved either – but I’d hope it will be on the agenda with Christopher Graham’s  when I see him tomorrow morning!

The whole industry though is also racing faster into biometrics with fingerprints via Applepay and Androidpay / Googlepay etc. with the added security of tokenisation, secure element, customer control of the biometric (i.e. it is stored nowhere other than on the phone by the customer), etc. So, what happened to the transaction if there is no PIN, or if it is an NFC payment. Mmmmmm – more thinking to be done somewhere about where all this is going.

PRACTICALITIES

And let’s not ignore the issues around whether I change my hairstyle, make-up, or remove my beard this week, wrap-up warmer with a hat as we will do next month etc.

SCHEME RULES

Is this allowed by the schemes? Is there a compliance issue here? Yes – dammed right there is; The message collected with the card must comply to a format, the full messaging must be sent to the issuer, and it is the issuer that must make the authorisation decision about the customer – NOT THE ACQUIRER. If the card schemes have been involved and/or permitted this – which I doubt – then the normal route that is taken with these things is for the scheme to join in with the publicity and announcements – which I have not yet seen.

Great idea Worldpay, great initiative, but it is not for me as a customer, as a merchant, nor as an issuer or as a card scheme.

For further information, contact Bill Trueman or Kevin Smith  both eminent risk and fraud specialist, or you can contact at http://www.riskskill.com/ and enquiries@riskskill.com

News Source

Is EMV Chip and Pin Really the ‘Money Pit’ for Retailers?

Fraud Specialist, Risk Specialist, Compliance Specialist, Due Diligence Specialist

I do not agree with this at all, we should exercise some degree of balance:

Maybe we should have called for a ‘national’ business-case to be written – as this has not been done.

Perhaps we should have examined the global context too: USA is only one country in the world, and just about the only one that has not attempted to create the business case, and the only one where the retailers are/have been (allegedly) feeling this way. Again, the US is the ONLY developed country that has not implemented this USA designed and led initiative.

In many (most?) countries, the retail consortia / lobbying groups have driven these initiatives forward in order to make the sales process better and smoother. For instance, in most countries now, the retailer no longer even touches (or sees) the card – the customer simply dips the card – on his/her/its side of the counter, enters a PIN and removed the card and leaves with a printed receipt. Retailers have insisted on this to:

  1. a) Ensure that the process is speeded up
  2. b) To increase / improve security – by avoiding retailer ‘touched’ on the card
  3. c) To make the transaction fully electronic and thereby reduce chargebacks, a need for paper handling and re-handling when chargebacks and disputes occur.

There needs to be a lot better thinking before we start calling EMV the “Money Pit” for Retailers.

Author (Bill Trueman) is Payments, Fraud and Risk Specialist helping businesses worldwide for risk review, risk management, due diligence, compliance solutions, fraud prevention, mobile payment fraud prevention, card fraud prevention, and much more.

Also visit another blog post on EMV Chip and Pin by Kevin Smith, an eminent fraud and risk specialist and Joint Chief Executive at AIRFA.

For more information on EMV Chip and Pin technology, fraud, risks, pros and cons visit here.

Other Posts Which You Would Also Find Useful:

25 FAQs on Risk Review, Risk Management, Compliance, Due Diligence and Fraud Prevention

Is EMV ‘A Colossal Waste of Time’ for Retailers?

Riskskill Appointed by Visa Inc. as an Approved GARS Reviewer

11 FAQs on EMV Chip & Card Technology