What you need to know:
Nearly fifty percent of all worldwide card fraud happens in the U.S. and managing consumer confidence is paramount. Merchants do not want consumers to fear breaches and fraud. Fraud prevention and data security technologies need to be developed in an open and competitive environment, which fosters better security, higher efficiency, lower cost and lower customer friction.
“The United States accounts for 50 percent of all worldwide debit and credit card fraud.”
– Nilson Report, 2015
How often are there data breaches and hacks?
Often, and more often than you think! But banks have different disclosure laws (financial laws that are put in place to protect consumers on fraud and data breaches), and thus aren’t legally required to broadcast a breach to the public because they already know who you are.
They can be more discreet about disclosure because they can talk directly to the customers. Because of this, many banks’ data security incidents go unreported to the general public.
Data Breach By industry: 2014
Data Breach By industry: 2015
Is there new technology to protect transaction data?
While there is some new technology, unfortunately there are no open, set standards in place for the payment ecosystem. With proprietary systems – including EMV – being controlled by the card networks, creating the most secure and safe payment environment is difficult.
Part of the problem in the U.S. is a failure to follow the open standards of accredited standards organizations for payments. For example, the International Standards Organization (ISO), an international organization that is responsible for promoting worldwide industrial and commercial standards, including financial standards, has standards for payment systems that have been agreed upon for years internationally and have proven successful in preventing a tremendous amount of fraud on payments where customers enter a PIN. The ISO standards dictate how the PIN is encrypted and transmitted through a PIN block specification.
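The PIN block mentioned above can be made concrete. The following is an added example, not part of the original page: it assumes the widely used ISO 9564-1 format 0 layout (the page does not name a format), uses a constructed PIN and card number, and stops at the clear block, which a PIN pad would then encrypt under a key before transmission.

```python
# Added example: clear PIN block in ISO 9564-1 format 0 (assumed format).
# The PIN and card number used with it are constructed test values.

def _digits(value: str, low: int, high: int, name: str) -> str:
    if not (value.isascii() and value.isdigit() and low <= len(value) <= high):
        raise ValueError(f"{name} must be {low}-{high} decimal digits")
    return value

def pin_field(pin: str) -> bytes:
    pin = _digits(pin, 4, 12, "PIN")
    # Nibbles: format 0, PIN length, the PIN digits, then 'F' padding to 16.
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))

def pan_field(pan: str) -> bytes:
    pan = _digits(pan, 13, 19, "PAN")
    # Four zero nibbles, then the rightmost 12 digits excluding the check digit.
    return bytes.fromhex("0000" + pan[:-1][-12:])

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_pin_block(pin: str, pan: str) -> bytes:
    """Bind the PIN to the card number; the result is still unencrypted."""
    return _xor(pin_field(pin), pan_field(pan))

def recover_pin(block: bytes, pan: str) -> str:
    """Reverse the XOR and validate the layout, as the verifying side would."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = _xor(block, pan_field(pan)).hex().upper()
    length = int(field[1], 16)
    pin, padding = field[2:2 + length], field[2 + length:]
    if field[0] != "0" or not 4 <= length <= 12:
        raise ValueError("not a format 0 PIN block")
    if not pin.isdigit() or set(padding) - {"F"}:
        raise ValueError("PIN block does not match this card number")
    return pin

if __name__ == "__main__":
    block = build_pin_block("1234", "43219876543210987")
    print(block.hex().upper())
    print(recover_pin(block, "43219876543210987"))
```

Because the card number is mixed into the block, the same PIN on two different cards yields two different blocks, and a block checked against the wrong card number fails validation.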
Tokenization and encryption are available advanced technologies more recently applied to payments, but most of those solutions have not been developed by accredited standards groups. And, there is still no true end-to-end encryption option available.
How do we secure a transaction and identify a consumer?
Encrypting data when it is swiped, dipped, tapped or even entered into a website is an important tool for securing data as it moves between the different parties involved in a transaction. Replacing data values with a different code or value – the process of tokenization – is another important tool for protecting data. When you mask the meaning of data it becomes less valuable for thieves to steal.
Improving the security on financial products is yet another way to secure a transaction. EMV chip cards attempt to do this, but as long as the magnetic stripe is still on the card and multi-factor authentication is not supported, there is still tremendous potential for U.S. card fraud losses to remain the highest in the world. (An EMV chip is a small microchip embedded into a credit or debit card that stores dynamic data about an account holder. It is inserted into the point of sale payment terminal and then a corresponding PIN number is entered for debit cards, or a signature for credit transactions.) Authenticating a cardholder, also known as identifying the customer, is yet another means to secure a payment. This can be done with a PIN, password, fingerprint or any other feature that links a consumer to their payment card or device. Some of the ways to identify a customer are safer than others.
Is the signature a customer verification method?
There is no true way of identifying who a consumer is through a swipe, dip or tap and a signature, especially if a credit card or bank account was opened online, with only an electronic – not physical – signature.
It is extremely important to identify both the cardholder and the account holder through a two-factor authentication process. Using a swipe, dip or tap and signature alone, there is no way to effectively do this. Essentially, anybody could be using that card.
Is it safe to shop online?
Yes. Card credentials aren’t any more likely to be stolen online than they are in a brick and mortar store. Different websites use different tools (e.g., IP address) to know and understand who their customer is and to help prevent fraud. Some merchants also utilize a process known as 3-D Secure to authenticate the transaction, which may sometimes require a consumer to answer a security prompt.
In the e-commerce space, most fraud occurs when a criminal makes fraudulent purchases with card data that he or she has stolen and copied. Additionally, there is the concept of a ‘spoofing’ website, where fraudsters create a replica of a legitimate website to fool customers into thinking it is the official webpage and ask them to enter their payment information.
Consumers can help by being vigilant and not purchasing goods or services from a phishing website. Any website using a secure connection will display ‘https’ in the URL. (Secure websites begin with these letters. These sites are trusted and a safe way to transact in the e-commerce space.)
Does EMV solve data breaches?
No. The chip makes it difficult for anyone to copy or counterfeit a card, but the data can still be stolen. EMV is only safest when used in conjunction with a PIN, and even then it is not a fool-proof solution. As long as magnetic stripes continue to exist on cards, there is still ample opportunity for counterfeit fraud on those products, as well. EMV does not prevent fraud in the e-commerce environment, nor does it fully prevent hackers from developing means to decipher the dynamic data the chip contains.
EMV only solves counterfeit card-present fraud (when a criminal makes copies of a credit or debit card using illegally or fraudulently obtained data), not e-commerce fraud (fraud that exists in the e-commerce space).
What is encryption versus tokenization?
Encryption – A system of communication where only the two transaction parties can read the data being transmitted. Each party is privy to the keys to decrypt the data and protect it from hackers and interlopers. Encryption is taking a 16-digit credit card number and rearranging the digits through a complicated algorithm to change it into a different number. Anyone who knows the key to the math problem can change it back to the original credit card number through the decryption key.
“The United States needs to continue to deploy much broader security technologies, such as end-to-end encryption, to better protect payment card data.”
Encryption can be used in a transactable manner, but it lends itself to standardization and openness, with trusted parties having keys. However, encryption keys can be transferred between parties, leaving the data somewhat vulnerable to hacks if an unauthorized user gains access to the appropriate encryption key.
Tokenization – Tokenization is the process of replacing one number with another, unrelated number. There is only one place where the two numbers are matched up, and it is stored in a very secure location. No algorithm or math equation can unlock the tokenization, as the numbers are randomly associated.
Who pays for fraud losses?
Card fraud losses are borne primarily by merchants and banks.
Fraud Liability Losses
What is a chargeback? How does it work?
According to the Kansas City Federal Reserve Bank Study, a chargeback is a form of customer protection provided by issuing banks in case of fraudulent activity in card-present (CP) and card-not-present (CNP) scenarios. Once a cardholder files a dispute for fraud, the issuing bank investigates the complaint. If the transaction is proven to be indeed fraudulent, the bank will refund the original value to the cardholder.
Then, the issuer will enter into a process with the merchant to decide who is responsible for covering the fraud costs. From the merchant’s point of view, if they cannot prove the transaction to be legitimate under the bank’s definition, the bank will take back the entire value of the transaction from their account, along with an additional chargeback fee which can range from $0 to $100, depending on the merchant’s bank.
Chargebacks are perceived as one of the major cost components for merchants to accept card payments.
Merchant fraud loss rates vary significantly between CP and CNP. In the CNP environment, chargeback rates are at least 10 times higher than those in the CP environment. For example, travel merchants have remarkably high chargeback rates, accounting for nearly 3 percent of their CNP sales value. Merchant fraud loss rates for CP transactions are currently low, but this may change as more card issuers issue EMV cards.
It is also important to note, when a merchant incurs losses from a fraud chargeback, the merchant loses not only the transaction funds, but also the merchandise consumed by the fraudster.
Do chargebacks exist on PIN transactions?
Not typically, for a few distinct reasons. PIN debit networks typically do not have a chargeback process; rather, transaction funds are reversed as adjustments. Additionally, adjustments are quite rare.
Because PINs are unique numbers known only by the cardholder, PIN transactions provide better protection against fraud than swiping a card that could have been copied or stolen.