What You Need to Know About Credit Card Fraud and Protections
There’s good news and bad news as chip credit card technology is set for U.S.
Last year, McDonald’s Corp. caught an employee at one of its Florida restaurants skimming customer credit card numbers while working the drive thru-window. He’s now accused of stealing some 70 card numbers per day. It took the careful eye of a security camera to catch the thief making the extra swipe through an illicit card reader, actually copying card data while customers waited for their burgers and fries.
With the U.S. still reliant on magnetic stripe-based credit cards, we’ve seen this type of scenario play out all too often as credit card skimming and copying is pretty easy. Hand a waiter your card to pay for your meal and, in the three minutes they’re gone, they can copy your card data and then either program it onto other plastic cards and use or resell them for fraudulent purchases. You’re none the wiser until you get your credit card statement or, if you’re fortunate, your credit card company calls about some odd transaction behavior.
This type of credit card fraud cost U.S. card issuers $3.4 billion and merchants $1.9 billion in 2012, according to The Nilson Report.
EMV Chip Cards Address Card Skimming
The new Europay, MasterCard, Visa (EMV) standard is coming to U.S. credit card companies in earnest starting October 2015. EMV cards have a chip on the card which conducts a two-way handshake with the point of sale (POS) terminal to authenticate that the card is valid using a complex algorithm. This makes the cards much more secure as a retail worker or POS skimming device can’t capture the chip data like they can copy the data off the magnetic stripe. Many countries require the card holder to also enter a PIN for added security.
Further emphasizing the importance of this shift is an executive order signed by President Obama on Oct. 17 stating: “In order to strengthen data security and thereby better protect citizens doing business with the Government, executive departments and agencies (agencies) shall, as soon as possible, transition payment processing terminals and credit, debit and other payment cards to employ enhanced security features, including chip-and-PIN technology.”
If you travel internationally, you may already hold one of these cards or have seen them used as virtually all major non-U.S. markets have already adopted EMV chip technology. Many skipped the magnetic strip era all together, moving from verifying cards against old-school log books of bad numbers right to EMV Chip.
In the U.K., the move to EMV Chip card technology helped reduce counterfeit card fraud from €148.5 in 2002 to €42.1 in 2012, a drop of more than 71 percent, according to statistics published by Fighting Fraud Action UK in its “Fraud, The Facts 2013” report. That same report shows lost or stolen card fraud topping out at €114.4 million in 2004 before falling to €55.2 in 2012, a drop of more than 50 percent.
We fully expect to see a similar drop in this type of credit card losses here in the U.S. once the EMV chip standard is fully implemented.
Online Fraud on the Rise
Of course, there’s a catch. Criminals are not likely to go on the straight and narrow because it’s going to be harder to steal physical cards. The financial fraudsters will turn to the next path of least resistance: online transactions or card-not-present transactions.
Fighting Fraud Action UK’s report that showed the dramatic drop in counterfeit card fraud also shows an equally dramatic rise in Card Not Present fraud over the same period, rising from 26 percent of losses in 2002 to 63 percent of losses in 2012, with counterfeit card losses dropping from 35 percent to just 11 percent of the total. Other loss types remained pretty steady over the decade. While total U.K. counterfeit card fraud losses declined, they were offset by the rise in CNP fraud so that total loss amounts were relatively stable over the time that EMV chip cards were introduced.
This rise is not a surprise as the popularity of online shopping grew, making it somewhat easier for criminals to conduct fraudulent transactions anonymously without the worry of a store surveillance camera catching their move.
This is all something to consider as you prepare for Black Friday and Cyber Monday shopping in the U.S.
U.S. Card Issuers Can Act Now
Does this mean card issuers in the U.S. (or anywhere for that matter) have to simply accept greater card-not-present losses once EMV technology arrives? No. There are steps card issuers can take today to get more proactive at identifying online fraud before losses are recorded.
One way is to implement solutions that use 3-D Secure, a protocol developed to improve the security of online payments and help identify fraudulent transactions in real-time. During an online transaction, 3-D Secure, used in Verified by Visa, MasterCard SecureCode, American Express SafeKey and others, makes an additional connection directly to the issuer to authenticate the cardholder and transaction. In that process, an extra window pops up asking the card holder to enter some information to help authenticate they are indeed the card holder.
As always, there is a catch: When consumers are accustomed to the speed and immediacy of Amazon 1-Click style of shopping, getting a pop-up window asking you for more information to complete the transaction can tarnish the user experience, even if the intentions are good. This can result in abandoned transactions.
But advances over the past few years can enable merchants and issuers to leverage the fraud-prevention benefits of 3-D Secure while minimizing the impact on the end-user experience. Some merchants are now pre-scoring transaction risk before invoking 3-D Secure, and many issuers are using advanced transaction risk scoring technologies in conjunction with 3-D Secure. Both efforts enrich the user experience.
The 3-D Secure protocol enables a direct connection between the issuer and the device being used for the online transaction. This connection is how the additional authentication takes place to validate the identity. It also can be used to collect information on device or fingerprint characteristics, which can be coupled with data such as what the person is buying or typical buying velocity to determine risk and score the transaction for fraud detection in real time. In most cases (more than 95 percent), online transactions are legitimate and can proceed without challenge or requesting extra input from the cardholder. The small number of transactions scored as a high-fraud risk can either be authenticated or declined.
EMV is coming to the U.S. and with it will come an increase in card-not-present fraud as criminals turn to the easier path of success when skimming is rendered obsolete. Now is the time for card issuers to act and put better online fraud detection in place before the losses start to mount.