Accourt Payments Specialists » Chip and PIN

Chip and signature is a joke!

https://www.accourt.com/chip-signature-joke/
Fri, 29 May 2015

The battle rages on, even at this late stage! Is EMV chip and PIN the sensible option in the US? Or is chip and signature the right way to go? Read the analysis below and decide for yourself.

Author:  Vaughan Collie, Partner, Accourt – Payment Specialists.

“The fact that we didn’t go to PIN is such a joke,” says Mike Cook, Walmart’s assistant treasurer and a senior vice president, in reference to the USA’s current migration to EMV where chip and PIN or chip and signature are equally acceptable. “Signature is worthless as a form of authentication,” continues Cook, with Walmart preferring a Chip and PIN mandated approach similar to the UK and most of Europe. Not so, says Visa Inc. vice president of risk products Stephanie Ericksen: “we don’t see a need for it; [chip and PIN] will have a shorter shelf life. We’re moving to new technologies and innovation.”

So who is correct, Visa or Walmart?

To answer this question it is most instructive to very briefly revisit the origins of EMV.

EMV in its ‘chip and PIN’ incarnation was ultimately designed for effective use in a predominantly offline card authorisation ecosystem (e.g. the UK at that time), thereby enabling issuers to delegate significant ‘authorisation authority’ to the chip without requiring an online authorisation from the issuer’s host system. Interestingly, the UK and most other European geographies are currently in the final stages of moving to a fully online ecosystem.

Back in 2002, following a number of years of unacceptable growth rates in various fraud types, the UK card industry formally began its migration to EMV chip and PIN. Significantly elevated levels of counterfeit fraud were one of the primary drivers of this decision, and EMV chip, coupled with PIN as the cardholder verification method (CVM), was seen as the most effective approach given the predominantly offline nature of the UK authorisation ecosystem and the technology and commercial landscape at the time.

A centrally managed, UK-wide migration programme not only addressed the technical considerations and decisions, but arguably more importantly, the challenges that were likely to be faced by the various sets of stakeholders (e.g. industry, merchants, consumers, etc.). These challenges included the significant societal and cultural move away from signatures as the prevalent form of cardholder verification at the point of sale to the ‘high-tech’ PIN alternative already found in ATM transactions (although not chip-based PIN at that time).

The UK chip and PIN programme was ultimately regarded as an industry success and it certainly achieved one of its objectives: reduce counterfeit and lost and stolen fraud numbers significantly. However, this was not without some fairly harsh lessons being learned at the time and since then, for example:

  • A credible industry business case was extremely difficult to develop due to varying approaches to risk appetite and management across the industry. Ultimately the view was that there was enough of a case to continue and that it was the right thing for the industry to do at the time (coupled with the ‘do nothing’ option being utterly unpalatable for all).
  • Carefully consider the consequences – by effectively mitigating against certain fraud types (e.g. skimming/counterfeit), are you incentivising criminals to supercharge their efforts and focus on other fraud types (e.g. cardholder not present – CNP)? And will these subsequent fraudulent activities lead to a greater problem (e.g. increased CNP fraud) than the one you are solving with chip and PIN?
  • A card scheme liability shift mechanism (effective from October 2015 for POS transactions in the US) is critical to drive appropriate and timely actions across the card payments value chain and industry as a whole. The general EMV liability shift rule-of-thumb is that those stakeholders that implement and enable the highest level of EMV capability/technology within their environments will enjoy the lowest risk of fraud loss (e.g. if a merchant implements a fully EMV capable terminal, that merchant will benefit from the liability shift if a magstripe card is presented).
  • ATMs should have been one of the first channels to convert. ATMs were a primary card skimming enabler (and still suffer today notwithstanding various mitigating measures and technologies that have been developed over the years).
  • Upfront agreement to the phasing out/cessation of CAM (chip) fall-back to magstripe and CVM fall-back is critical to drive desired behaviours and ensure that, for example, cardholders don’t continually ‘forget’ their PINs and therefore continue to rely on signatures. This is of course an extremely difficult and fraught journey for stakeholders to embark upon, especially merchants and consumers, but it has proven time and time again to be the appropriate course of action to support achievement of desired outcomes for EMV migrations.

Surely then, being mindful of these and other learnings, EMV chip and PIN is a must in the US? As ever, it’s not as straightforward as that. There are many factors to consider, not least of which is the cost – financial, operational, customer, social and cultural – of this decision. And apart from cost, are the reasons for deciding for chip and PIN historically still the same today?

Let’s deal with cost first. It is widely established (e.g. UK, Australia, Europe) that implementing EMV chip (typically CDA) is one of the most effective mitigants to skimming/counterfeit fraud. The addition of the PIN element generally mitigates against fraud types such as lost/stolen fraud.

The diagram below provides a perspective on the 2014 card fraud loss landscape in the US. Clearly the predominant fraud types are counterfeit ($3.0bn pa) and cardholder not present ($2.9bn pa), with lost and stolen fraud a not insignificant $0.8bn pa.

Bearing in mind that the US is almost entirely an online authorisation ecosystem and EMV chip and PIN was designed for a predominantly offline ecosystem – does it make sense to invest significantly in infrastructure to support offline PIN?

From purely a financial cost perspective, given significant current economic pressure from all quarters to reduce and manage costs, surely it makes sense to prioritise and focus limited resources on the areas of greatest exposure and impact? In the case of the US, this appears to be counterfeit and CNP fraud losses with lost/stolen appearing as the third priority. Therefore, based on current experience and relatively predictable outcomes, it appears most likely that chip and signature would be the most balanced, cost-effective immediate solution to the skimming/counterfeit fraud issue.

Furthermore, in a world where high-profile data breaches are too common for comfort, this would be a significant step towards rendering card data obtained from these breaches useless in geographies where EMV chip is the only acceptable form of face-to-face card payment type. The caveat, however, is that as long as a magstripe exists on today’s payment cards, there is still a risk that, without the application of additional mitigating measures by value chain stakeholders, this data can still potentially be used to commit fraud in online environments (as can EMV cards without additional risk management controls in the online environment – EMV in and of itself does not reduce/remove CNP fraud risk).

One of the next questions is whether the payments ecosystem has changed to the extent that chip and PIN is no longer valid. Clearly the ecosystem has changed dramatically in many respects since the early days of EMV, not least of which is the phenomenal pace of technology advancement in the fraud and risk management space. Much has been written about a multi-layered approach to fraud management (this article will not seek to replicate that discussion) – at this time, EMV should be one component of that multi-layered approach. There are numerous other components such as advanced KYC, real-time behavioural analytics and transaction scoring (with the new breed of self-learning Bayesian modelling beginning to threaten the incumbent neural network based solutions), geographically aware location-based solutions, etc. Many of these solutions did not exist at the time that EMV PIN versus signature decisions were being made in the non-US EMV migrations – needless to say, their existence today significantly influences the considerations that underpin such decisions.

A further, oft-cited justification for ‘ignoring’ PIN is the argument that a large proportion of the general American population is likely to be unable to remember and use their PINs as required. This article cannot support that argument – Americans have been successfully using PIN-based debit card products for many years. For consumers, the EMV PIN experience is identical.

Perhaps a less obvious, but potentially important consideration is how chip and signature cards will be treated outside of the US. Most non-US implementations of EMV have been chip and PIN. US chip and signature cards being presented for payment in geographies that expect chip and PIN are likely to cause significant confusion and friction at the POS.

It is therefore valid to argue that, given the nature of the face-to-face payments ecosystem today and, in the absence of anything else (e.g. removing payment card data from the ecosystem entirely), perhaps chip and PIN is relatively the most appropriate solution. However, when implemented in a predominantly online authorisation ecosystem and in conjunction with a multi-layered fraud and risk management approach, compromising with chip and signature is unlikely to pose the same level of risk it may have done in the past. To Visa’s point, there are other innovations being driven into the market in this space and, while it will take some considerable time for some of these to gain the global ubiquity that is essential to their success, it probably makes sense to balance limited resources, i.e. industry investment, across these innovations in parallel with investment in today’s toolbox for fraud and risk management – of which EMV is definitely a part.

The Walmart position is both valid and unsurprising for a number of reasons – for example, having your till-based check-out staff carrying the burden of authentication, i.e. deciding whether a signature matches the version on the back of the payment card, is entirely unrealistic and has been proven to fail as an effective risk management measure time and again (e.g. there are many examples of ‘Mickey Mouse’ signatures being successfully used in face-to-face transactions…). PIN helps to address this issue, although effective online authorisation screening (e.g. context-aware, dynamic authentication) can be an even more powerful tool in both the face-to-face and online transaction ecosystems. Walmart is also in the position of having already made the investment in a PIN-based strategy – something a number of their competitors are not keen to do.

So, back to our original question: is Visa or Walmart correct? Both, actually. There can be no doubt that signature has long been a very poor form of authentication; however, given the US context, implementing PIN where there are more advanced and effective methods of authentication available probably makes less sense today than historically. Value chain stakeholders with potentially significant exposure to fraud risk must consider investing in a sophisticated, multi-layered approach to fraud and risk management. With or without PIN, EMV is not and was never designed to be a standalone silver bullet solution to all payment fraud.

Card fraud increases as stolen cards used once every 20 seconds

https://www.accourt.com/card-fraud-increases-as-stolen-cards-used-once-every-20-seconds/
Wed, 15 Apr 2015

British businesses were hit by card fraud once every 20 seconds in March, with Worldpay warning that small businesses are likely to have been hackers’ biggest targets.

Worldpay saw over 133,000 fraudulent transactions worth £10 million reported in March alone, leaving businesses out of pocket as fraudsters purchased goods and services using stolen card details. Over 67% of all fraudulent transactions happened online, while purchases made over the phone or by mail accounted for 19% of the total.

“Technology to guard against card counterfeiting and fraud has come a long way, yet the rates of attack are truly alarming. Card details are the weakest links in consumers’ and businesses’ defences and the one area that fraudsters know to hone in on,” comments Tim Lansdale, Head of Payment Security at Worldpay.

This graph shows the number of investigations into card breaches (i.e. known breaches) amongst Worldpay customers, by business PCI DSS level during 2011-2014. There were a total of 140 investigations held during this period.

“Businesses that fail to protect their payment systems are not only left out of pocket when goods are purchased using stolen card details but also face paying for the investigation into the breach and the stiff industry penalties which inevitably follow. They are also likely to face bad publicity, which can swiftly erode the years of trust customers have built up in a business and can lead to even more lost custom in future.”

Small businesses, which accounted for 85.7% of all card data breaches last year, make easy prey for the more advanced cyber hackers. By contrast, Worldpay has seen a 179% increase in payment security compliance amongst the UK’s biggest businesses, as the boardrooms of larger, better resourced companies look to bulk up their security in line with the card payment industry standards.

Causes of card data breaches

Regardless of business size, the clean-up costs of being targeted by hackers and suffering a card data breach can run to tens of thousands of pounds. A standard small business forensic investigation into a card data breach costs £11,250 on average and typically attracts at least an £8,000 industry penalty, not including the costs of lost goods and damage to reputation. Worldpay has seen larger businesses pay up to £100,000 for the forensic investigation alone.

“Prevention is clearly better than the cure when it comes to getting hacked. The UK’s largest companies have made great strides to improve their payment security but small businesses are still falling behind and being targeted as a result. Businesses of all shapes and sizes should be taking the necessary measures to protect themselves and their customers and employees,” said Lansdale.

Industries affected by card data breaches

Advice to businesses: How to avoid being a victim:

Card data breaches:

  1. Check you meet the card industry’s standards for keeping card data safe, and that your third party suppliers do too.
  2. Install all the latest patches for servers, operating systems, applications, and frameworks (Java, .NET etc.), to protect your ecommerce website.
  3. Change online system log-ins from the default, and use strong passwords that hackers cannot guess.

Fraud:

  1. Ask your payment processor about online protection, such as Verified by Visa, to make ecommerce payments safer from fraud.
  2. Be wary of high value or unusual orders from a customer you do not know, particularly if the product can be resold easily.
  3. Use the Address Verification Service, to match the customer’s delivery address with the billing address of the card owner.

UK shuns cash as cards dominate payment market

https://www.accourt.com/uk-shuns-cash-as-cards-dominate-payment-market/
Thu, 12 Mar 2015

The way we pay for everything is changing, with more digital transactions than ever before. But how close are we to the tipping point?

This weekend saw the end of cash as Britain’s dominant method of payment, and you probably didn’t even notice. Supposedly March 8 was the date on which transactions made via credit, debit and other cashless methods would finally outstrip those made by cash – according to an article in The Telegraph.

Cash no longer king

In fact, there’s no way to tell when this exact point happened: it could have been Sunday, or it could have been at the end of last year. But for years the Payments Council has been predicting it by the end of 2015 at the latest.

The number of cash transactions will drop to just under 13 billion by 2023, while the number of cashless transactions – including cheques, credit cards, debit cards, contactless cards, direct debits, and standing orders – will rise to over 27 billion.

If you strip out large companies and focus only on individual consumers, it will take a little longer – happening in 2017 rather than 2015 – but the winds of change are only blowing in one direction.

Of course, it’s important to understand that these figures are in terms of volume, i.e. the raw number of individual transactions carried out. The value of cashless payments was already far larger than that of cash, because they’re used for much bigger transactions.

One reason the difference is so huge is because these numbers include payments made via CHAPS – the system used by big companies and even the Bank of England to shift around their vast sums of money.

Yet even if you restrict the figures only to retail – high street shops, online merchants, and all of that – the tipping point in terms of value was passed long ago.

According to the UK Cards Association, credit cards and debit cards surpassed cash in terms of value more than a decade ago, in December 2003. They now account for more than 75% of the retail sales.

Plastic takes over

Still, measuring by value isn’t actually very useful. I might make fifty small purchases with cash – say, bottles of milk at £1 each – and one large purchase with a cheque. That wouldn’t mean I did most of my shopping with cheques or that cheques were my dominant method of payment.

Change – for two reasons

The first is the rise of alternate payment methods. PayPal’s users exchanged more than £30bn in 2014, up from £18bn the previous year, and this week Barclays will start allowing people to send money to each other using only their Twitter handles.

The most significant rival for cash’s crown is contactless payment, which is starting to sweep up some of the low-value transactions which would previously have been done with cash.

These are a small part of the picture for now, but they’re growing fast; the UKCA thinks that in two years’ time they’ll make up 6% of all card transactions.

Contactless payments surge

That red line on the chart is the average value of a cash transaction last year – but it’s falling, from £11.43 in 2009 to £9.47 in 2014. And as you can see on the chart, the average contactless transaction is creeping up to meet it. Cash is being relegated to smaller and smaller sums.

Not everybody is happy with that. A study in the USA suggests that contactless cards make people more likely to buy things in the first place, because beeping it on a pad is so much easier than reaching into your pocket and counting out the change.

Another study found that contactless card transactions can be intercepted using off-the-shelf technology from as much as 60 centimeters away.

But the other factor is that we’re also using our old-fashioned credit and debit cards to pay for smaller things.

Over the last few years, the average value of a card transaction has been slowly dropping, as these statistics from the UKCA make clear:

Average payment on card

Why? According to Richard Koch, the UKCA’s policy director, it’s a mixture of card technology getting cheaper and shops’ technology getting better.

Firstly, there has been a general fall in the price of card readers and card transactions – meaning local corner shops which formerly only took cash are now more likely to offer chip and PIN services too.

Then there’s the advent of self-checkout terminals. “There’s a very high proportion of card usage at them,” says Mr Koch, “and some terminals are designed not to take cash at all.” Not taking cash makes them easier to maintain, and cheaper for their owners.

Obviously, the internet shopping revolution plays its part. The UKCA says e-commerce is rising by 13% every year because people are buying online what they might previously buy with cash.

Finally, people are now lumping what would once have been multiple cash payments together as one digital payment. Mr Koch gives the example of his children, who pay for their school lunches with a card that he tops up in batches of £20 or £30 every week.

Another example would be Netflix – which replaces rented videos with a single subscription charge – and, of course, Transport For London’s Oyster card, which replaces daily paper tickets with longer-term top-up fees. Mr Koch actually predicts two million fewer transactions in 2017 than there were in 2014 because of payments being amalgamated in this way.

All of this creates a kind of spiral effect, because once people become more used to using their cards, they’re less likely to carry cash. And once they stop carrying cash, retailers have to invest in card readers if they want to sell what they’ve got.

In twenty years’ time, cash could be a minority system, used regularly only by a small hardcore of people, and infrequently by everyone else. Some new technology will emerge to handle low-value transactions.

Until then, cherish the feeling of copper and zinc in your palm while you can.
