Credit Unions to Face Post-EMV Fraud Battle
As the clock counts down to the October EMV liability shift, experts caution that a wave of card-not-present fraud is headed for the United States – and the only question now is when it will hit.
EMV's long-standing pledge has been that it thwarts the use of fake credit cards at the point of sale. And as has been the case for other countries that have migrated to EMV, that kind of fraud has indeed declined. However, much of those declines have been countered by corresponding increases in card-not-present fraud.
Canh Tran, CEO of the Chicago-based fraud analytics firm Rippleshot, said that in Canada, card-present fraud fell by more than half after it moved to EMV, but card-not-present fraud more than doubled between 2008 and 2013, for example. In the United Kingdom, card-present fraud dropped by 50% after chip-and-PIN arrived, but big increases in card-not-present fraud actually drove the overall rate up in the years after conversion there.
He's not the only one bracing for a post-EMV fraud influx in the United States.
“We’re the last G-20 country to implement [EMV] actually, and pretty much in every instance, there has been a fairly significant increase in online fraud,” Doug Parr, chief revenue officer for the Omaha, Neb.-based Prairie Cloudware, which markets a cloud-based payments service called Digital Payments Guardian, said. “I think it would be highly unlikely that we will be the country that breaks this trend.”
There is one key difference between the United States and virtually every other EMV country, however – it's not mandating the switch. For the large number of merchants and card issuers that won't be ready in time, the idea that the feds won't be knocking on the door in October is generally a relief.
And, EMV's protracted implementation in the United States likely won't speed up the shift to card-not-present fraud – though it probably won't slow it down, either.
“I don't think it's going to be a tsunami,” CO-OP Director of Product Development Michelle Thornton said. “But what we don't know, of course, is how sophisticated the fraudsters can get and where they can find those holes quickest.”
“Criminals in the payments game, they’re no longer just hackers in a basement somewhere with personal issues,” Prairie Cloudware Chief Marketing Officer Mike Carter said. “It's just organized crime, and they understand how to find the soft spots.”
That's why, timing aside, card issuers are going to have to invest more in authentication, encryption, tokenization and anything else that locks down data to prepare for the predicted rise in card-not-present fraud.
Online payment protocols such as 3D Secure are one example, according to Anthony Genovese, associate vice president of the payment systems company Compass Plus. It allows issuers to authenticate cardholders and stands as a third party between merchants and customers, he explained. Close to three-quarters of U.S. financial institutions can support the technology, but just over a quarter of them use it, he estimated.
“In Europe, the merchants use Verified by Visa or MasterCard secure codes,” Ian Drysdale, executive vice president of sales and business development at Elavon, a card processor whose website has a giant clock counting down to the EMV deadline, added. “Long story short, they have to use a password to do a card-not-present transaction. That mitigates fraud in Europe. It's an option for issuers in the U.S., but it's largely not used. My understanding is that the brands are moving toward using their wallets in the U.S., which will be password protected, similar to how PayPal is password protected.”
Adding features that let members control card use are also options, Thornton said.
“CO-OP has a tool, and there probably are some other ones coming out on the market as well, where members can actually control how their card numbers are used online,” she explained. “So, as an example, they can turn off online transactions. They just turn it back on when they want to use it, and then turn it back off.”
Credit unions could also make their mobile apps work harder to fight card-not-present fraud.
“Consider the mobile channel as a more integral part of your strategy to combat fraud in general, but specifically card-not-present fraud,” Parr said. “Why not use the mobile as a vehicle, so text alerts go to your members when you see suspect activity? You can even do a two-way message, where you push the message to the member.”
Credit unions can also use their wallet technology, of which tokenization is a common component, to fight card-not-present fraud.
“As an issuer, if you’re tokenizing things so that those merchants really never have the card data on their system, if there is a breach, really the data that's been stolen there has limited if any use,” Genovese said.
Parr added, “Issuers really need to get on this issue of tokenization, and the mobile wallet is a golden opportunity to do that. Here we have essentially a greenfield opportunity as the payments world migrates to a mobile world to get the primary account number out of the equation by replacing it with a token.”
Many financial institutions, especially small ones, tend to be intimidated by digital wallets, Parr noted, but he said consortiums and CUSOs such as CO-OP and CU24 give him hope.
“It doesn't have to be rocket science, and I think that's a key part of our equation,” he said. “We’re trying to make this as simple as possible, make it an extension of existing mobile strategies, not some big bang event to have a digital wallet. I also happen to think credit unions have a golden opportunity. They have the ability to band together. Think about the shared branch concept. Why can't shared branch be extended to shared wallet logic?”
Carter added, “The idea that the credit union could take control of this we think is key. We really think it's a dangerous thing to let someone else handle the payment relationships you have with your member and how they use their money.”
They’re all strategies worth considering, especially because after October, card issuers surprised by card-not-present fraud likely won't get much sympathy.
“If you look at fraud today, probably half of it today is card-not-present,” Thornton warned. “So, it's not that people have been ignoring it. It's been there.”
“You have to remember, it didn't just start raining, right?” Carter added. “It's not like it's not going on now. I think [card-not-present fraud after EMV] will be more of a storm surge, but the storm's already active, and this will amplify it. I trust greed in situations like this, and I also trust that nobody, particularly fraudsters, like to work harder than they have to. And this is a soft spot.”