Tag: credit card

Posted on

Payment Card Roll Call: “Not Present” fraud likely to increase as EMV takes hold

Payment Card Roll Call: “Not Present” fraud likely to increase as EMV takes hold

rollingballNo retailer wants to become the next Target (pun intended).  Payment card fraud costs businesses and consumers billions of dollars every year.  What’s even more frightening, many of the breaches in the news are the result of innocent participants inadvertently granting access to the bad guys.  The Target breach in 2013 exposed the data of 110 million payment cards.  Hackers got into the network using perfectly good credentials of the HVAC company.  Sometimes password security just isn’t enough, which might bring in to question the security of all those SaaS subscriptions and online shopping sites folks use these days.

EMV chip technology, the standard around the world which has just recently become a standard in the United States, has done a lot to stem the tide of credit card fraud in other countries.  As it was implemented in various countries, guess where it pushed the fraudsters?  Where the anti-fraud technology wasn’t, of course! The United States was among the laggards in requiring EMV chip technology for payment cards, opening the door for bad guys and turning the US into a veritable haven for credit card fraud, “accounting for nearly 50% of global fraud losses, according to the Nilson Report[1]”.

EMV chip (or chip and pin) technology will go a long way to prevent credit card fraud for businesses accepting payment cards… in-person and counterfeit card fraud, anyway. Online retail, on the other hand, not so much.  A chip on the card doesn’t really help when the transaction is completed with the card not present (CNP).  Some industry analysts suggest that CNP fraud losses will exceed $6 billion within the next few years, making e-commerce and online payment security a high stakes game for even the smallest of retailers.  As it gets more difficult to hack the payment system when the card is presented, bad guys will fall back in even greater numbers to the card-not-present model to find their victims.

Online retailers and service providers must take additional steps to secure their systems and protect customers and business partners, and face the challenge with the understanding that effort must be ongoing as new threats emerge. Tokenization is a prime method of layering the system with security, making the merchant system somewhat less of a worthy target by not storing the card data in the system.  Even if the system becomes compromised, the bad guys wouldn’t find customer payment card information.  There are numerous other steps a business can take to secure the CNP sales, including applying behavioral analytics which might identify rogue activities, or using 3D Secure to authenticate a cardholder’s identity at the time of purchase.   The point is that CNP fraud is likely to spike as EMV technology takes a firm hold in the US.

Card fraud is already escalating rapidly for ecommerce retailers and other card not present channels – it didn’t take EMV to start on that roll but it will surely give it a push.  Paperless payment systems, SaaS subscription services and online application service usage are increasing dramatically and there’s no chip to get in the way of these transactions.  Sellers of any and every service utilizing online payments need to now pay particular attention to system and information security.  The risk has always been there, and EMV chips and other shifts in pay card technology simply give it a push.

jmbunnyfeetMake Sense?

J

 

[1] Chipping away at Credit Card Fraud with EMV; Information Week Tech Digest powered by Dark Reading, Nov 2015; NilsonReport http://www.nilsonreport.com/publication_newsletter_archive_issue.php?issue=1071

Posted on

EMV and Retail – Your Trusted Advisor Should Be Advising You about This

EMV and Retail – Your Trusted Advisor Should Be Advising You about This

EMVChipCardThere is ‘big change a comin’ for retailers, merchants and any business that accepts credit cards for payments, and there are a great many businesses that are completely unprepared for it.  The change, what is being referred to as the “Payment Networks’ Liability Shift”, goes in to effect in October 2015 and places the burden of liability for fraud squarely on the shoulders of the merchants and card issuers who are not compliant with certain payment system security standards.  Accounting professionals and Trusted Advisors – here’s one of those things you should be helping your clients with.  Help them get informed, trained, and prepared.  Help them to understand the risk and decide on a course of action.  This is part of what makes a trusted advisor: they got your back.

The way things generally work in the US today, a fraudulent charge on a credit card is likely to end up being covered by the credit card company (the issuer). Starting in October, retailers are supposed to be able to accept payment cards with EMV chips (named for the founders of the standard: Europay, MasterCard and Visa), and must process those cards using the compliant technology that takes advantage of what the chip processing and security offers.  If these conditions aren’t met – like having a POS or payment terminal not capable of reading the EMV chip – the merchant is on the hook for the fraudulent transaction.  Given the volume of credit card and payments fraud in the country you’d think that most merchants would already be ready for this, but replacing all the POS and terminal equipment could be pretty costly.  It may take a bit of analysis to understand the real risk and compare that to the cost of compliance.  Certainly it makes sense to always be in compliance, but there are always factors which influence how quickly (or how completely) compliance may be met.

The liability shift is part of the influence being leveraged to get businesses to adopt newer and more secure models of electronic payment acceptance and processing.  It is simply the case that the magnetic strip on a credit card isn’t good enough any longer.  The new EMV Chip reading payment terminals require that the card be inserted and processed by the terminal rather than simply swiping the magstrip across a reader.  Over 40 years of using the magstrip approach has helped to earn the United States a top spot on the leaderboard for credit card and financial fraud, and we seem to be lagging behind in adoption and implementation of the EMV technology even though it has been shown to seriously curtail fraud even as payment card usage increases.  The EMV chip process, which encrypts information about the card so that even the local POS system doesn’t get access to it, is far more secure and is being widely adopted and used in Europe, Canada, Latin America and the Asia/Pacific regions.  Now the clock is ticking for US businesses to get ready to either update their systems or accept the liability for not doing so.

The shift in how payment cards are made and processed is simply one of many changes which will continue to occur as technology and human ingenuity continue to be applied in both good and not-so-good ways.  Recognizing that the pace of change is increasing, businesses must find ways to remain informed and prepare for those changes which will impact the business operation and sustainability.  This is among the essential roles the trusted advisor plays, and the current imperative simply underscores the growing need for such advisors by business large and small.

jmbunnyfeetMake Sense?

J