Despite the warnings, many financial institution leaders were hopeful EMV chip cards would be the magic bullet for what has become a rampant card fraud problem in the United States. Although the country is far from mass adoption of the updated chip-based payment authentication standard, we are close enough for the hopefuls to experience a little disappointment.
Why, after all the complexities, the configurations and the investments in chip technology, is the United States still dealing with payment card fraud? While the answers are not exactly simple, they can be categorized in three buckets:
1. Counterfeit cards swiped at non-compliant merchants.
Fraudsters always take the path of least resistance. Counterfeit cards are one of the easiest and most lucrative schemes available to bad guys – whether they are lone wolves or belong to an international crime ring. Why reinvent the wheel when so many merchants continue to insist their customers swipe instead of insert? Visa recently reported less than half of the company’s in-store payment volume comes from chip-enabled merchants.
Fraudsters seek out these merchants and swipe away. It’s true credit union issuers are not financially liable for the losses related to this type of fraud, so long as the member who was victimized has been issued a chip card. However, credit unions and their processing partners devote thousands of (uncompensated) man hours to detecting, investigating and mitigating mag-stripe fraud.
As long as U.S. chip cards still have a mag stripe and U.S. merchants continue to delay implementation of EMV terminals, counterfeit card fraud will continue. Savvy fraudsters, aware of the ticking clock, may up their game to get in as much swiping as possible before merchants finally close ranks.
2. Merchants fall back on old methods.
Even merchants that have upgraded their systems find a swipe is necessary every now and then. Sometimes this is due to legitimate reasons, such as a terminal error or a funky chip. Other times, fraudsters are behind those errors. Crafty crooks have gotten really good at physically manipulating both the terminal and the chip. When the terminal rejects the transaction, frustrated and time-crunched clerks often tell the fraudster, posing as a wide-eyed, innocent customer, “Go ahead and swipe.” Bingo, the transaction goes through, as does the fraud.
Fortunately for credit union issuers, there are ways to prevent this kind of “fallback fraud.” But keep in mind that some EMV transactions fail legitimately. So you want to make sure your strategy does not decline all fallbacks. Work with your processor to analyze transaction data within your portfolio. This will help you set fallback rules (things like geolocation, dollar amount and number of incidents within a certain timeframe) that make the most sense for your cardholder base.
3. Data breaches expose massive amounts of member information.
Not all card fraud happens at the point of sale. A significant–and growing–number of incidents happen in digital environments. Last year, we experienced a record number of data breaches in the United States. More than 1,090 incidents exposed more than 7 million consumer records.
Not every one of these breaches exposed payment credentials directly, but each contributed to what is a growing database of personally identifiable information accessible to the lowest of the low on the Dark Web. One breach exposes your username and password, which are entered into the mega pool of dark data. A second breach exposes your social security number. Pile on a couple of social engineering scams that grab your mother’s maiden name and the name of your high school mascot, and a nearly complete profile is created. Fraudsters can then use that profile to apply for credit in your name, call up your credit union and put your card in “travel mode” or manipulate your rewards program, cashing in on all you hard-earned points.
Payment card fraud is a moving target, and EMV—while incredibly important to our collective goal of making it harder for criminals to steal from our members—will not hit the mark every time. Layering other fraud prevention technologies on top of EMV and taking an iterative approach to fraud detection is critical for everyone in the payments ecosystem. New strategies from machine learning, speech analytics—and, of course, human analysts passionate about stopping card fraud—are emerging and will continue to help us fight the good fight.
Ashley McAlpine works as a fraud prevention manager for CUES Supplier member CO-OP Financial Services, Rancho Cucamonga, Calif. She is responsible for staying current with new fraud trends that may impact the financial lives of consumers. She then ensures credit union clients are in the best possible position to mitigate exposure to fraud.