Fraud Displaced During EMV Transition

GUEST BLOGGER

Zach Capers, CFE
ACFE Research Specialist

Last year, I wrote about the U.S.’s transition to EMV credit cards and the associated fraud liability shift from card issuers to merchants. The article mentioned the possible side effect of fraud being displaced from in-store to online transactions as has happened in many countries that have undergone similar transitions; one year later, the initial data is in and that possibility is now a reality.

A new report from ACI Worldwide shows that online credit card fraud during the 2015 holiday season increased by 8 percent over the 2014 holiday season. Furthermore, the report shows that 1 out of every 67 online credit card payments was a fraudulent attempt, compared to 1 out of 72 the previous year. While there are many factors at play and online purchases continue to increase year over year, the findings correspond with increases expected by industry experts and follow the trends previously experienced by other countries.

Meanwhile, the transition to EMV credit cards has resulted in other forms of turmoil for merchants big and small. Visa was recently sued by Wal-Mart over the card issuer’s insistence on a signature verification system rather than a PIN requirement that Wal-Mart and many others claim would significantly increase security for customers while reducing fraud. Wal-Mart’s central claim is that Visa makes more money by processing signature-based transactions than it would with a chip and PIN system, thus profiting at the expense of retailers and their customers.

Another complication wrought by the adoption of the new credit card systems is the slow certification process for new credit card terminals required by last year’s liability shift. A New York Times report in March documented the plight of mid-sized businesses that were still waiting for their new payment terminals to be certified despite having them in place since the November 2015 deadline. Some merchants argue that relationships between financial institutions and certification firms leave little motivation to speed up this process since uncertified merchants must continue to pay for any fraudulent activity incurred on their terminals.

On Capitol Hill, Wal-Mart and others seem to have an ally in U.S. Senator Dick Durbin, who recently assailed the credit card industry’s refusal to allow PIN-based transactions and the delayed certification process. The senator also echoed the frustration of many consumers regarding long waits at retail checkout counters caused by slow software processing in new card terminals.

As more consumers adapt to their new EMV credit cards and new merchant terminals are certified and updated with improved software, some of the unexpected issues with EMV adoption will be resolved. Unfortunately, many of the most significant problems with the transition were either widely predicted or entirely avoidable.

For Credit Card Security, U.S. Banks Need to Rethink PINs

FROM THE PRESIDENT

James D. Ratley, CFE
ACFE President and CEO

Verifying a credit card purchase with a signature is less burdensome to a consumer than having to remember a four-digit personal identification number (PIN). Unfortunately, it is also considerably less secure. According to a recent CFO article, the Association for Finance Professionals found in its 2015 Payments Fraud and Control Survey that 61 percent of respondents believe chip and PIN will be the most effective authentication method for mitigating fraud, while only 7 percent saw chip and signature as most effective.

In the coming weeks and months, several major U.S. banks will roll out new credit cards with embedded computer chips for added security. Rather than combining this technology with a PIN, as implemented in countries in Europe, Latin America, the Asia-Pacific region and elsewhere, they have decided (for now) to use the more familiar and traditional verification method of a signature as a matter of convenience for customers.

U.S. credit cardholders must ask themselves which is more of a burden: completing their purchase using a PIN; or dealing with the fallout from a compromised account, stolen identity or damaged credit history? Most people would agree that the latter are frustrating and potentially life-changing burdens that far outweigh convenience.

Chip and PIN security measures combine to substantially decrease the risk of fraud. The technology is not new – European banks introduced it in 2002, and experts predicted then that it would become the global standard. Chip-and-signature authentication, by comparison, comes up short. Signatures can be copied or forged and do not offer the same level of security as a unique PIN known to the legitimate card holder.

Merchant groups agree. In a December 29th letter to the president and CEO of the Independent Community Bankers of America (ICBA), leaders of seven prominent U.S. merchant groups stated that “ignoring PIN technology leaves us all more vulnerable.” The letter goes on to explain: “‘Chip-and-PIN’ has already shown success throughout the world and could reduce fraud losses in the U.S. by as much as 40 percent, according to the Federal Reserve Bank of Kansas City. The added security provided when each customer is given a unique personal identification number or PIN has already been shown to make debit card transactions 700 percent safer. Alternatives such as ‘chip-and-signature’ do not provide this level of security. Furthermore, PINs would also make ‘card-not-present’ transactions safer by adding another layer of authentication.”

The message to J.P. Morgan Chase, Discover, Bank of America Corp., Citigroup Inc. and other large banks is clear: consumer protection is paramount. After the massive data breaches involving Target Corp., Home Depot and other large retailers, Americans are looking for reassurance that their personal and financial information is secure. According to a Unisys Security Index, “the top three threats most worrisome in the United States in 2012 were identity theft, bankcard fraud and national security as it relates to terrorism.” More than half of Americans surveyed were seriously concerned about someone obtaining and using their credit or debit card information.

It is true that in today’s digital age, most individuals must remember a host of passwords and codes for various accounts and online activities, including existing PINs for any debit cards they might use. Having another PIN to remember certainly places a burden on the credit card holder. But it is not an undue burden when considering the added level of protection.

For its part, Target announced in the wake of its data breach that beginning early this year, all Target-branded credit cards and debit cards will include chip and PIN technology. If customers at nearly 1,800 Target stores across the U.S. can become accustomed to using a PIN to complete their credit card purchase, fellow Americans can follow suit. In fact, consumers will likely embrace the two-factor security as they have in Europe, knowing it is providing an increased level of protection from credit card fraud.

Certified Fraud Examiners (CFEs), the experts who investigate financial crimes around the globe, know the importance of preventing the next fraud before it occurs. In all frauds, including those involving credit cards, recovering the proceeds of the crime is often difficult or impossible. Whether it be the bank, merchant or customer, someone always loses. When a method such as PIN promises to decrease the incidence of fraud, it should be implemented.

Credit card fraud is a harrowing experience for the victim. Just ask those who spend months or years dealing with investigators, their bank, credit reporting agencies and others just to repair their credit history. The technology is here to better protect consumers from having to take such a journey. The sooner we collectively join our neighbors in other parts of the world in providing both chip and PIN technology, the better.