Chip and signature is a joke!

Author:  Vaughan Collie, Partner, Accourt – Payment Specialists.

“The fact that we didn’t go to PIN is such a joke,” says Mike Cook, Walmart’s assistant treasurer and a senior vice president, in reference to the USA’s current migration to EMV where chip and PIN or chip and signature are equally acceptable. “Signature is worthless as a form of authentication,” continues Cook, with Walmart preferring a Chip and PIN mandated approach similar to the UK and most of Europe. Not so says Visa Inc. vice president of risk products Stephanie Ericksen, “we don’t see a need for it; [chip and PIN] will have a shorter shelf life. We’re moving to new technologies and innovation.”

So who is correct, Visa or Walmart?

To answer this question it is most instructive to very briefly revisit the origins of EMV.

EMV in its ‘chip and PIN’ incarnation was ultimately designed for effective use in a predominantly offline card authorisation ecosystem (e.g. the UK at that time), thereby enabling issuers to delegate significant ‘authorisation authority’ to the chip without requiring an online authorisation from the issuer’s host system. Interestingly, the UK and most other European geographies are currently in the final stages of moving to a fully online ecosystem.

Back in 2002, following a number of years of unacceptable growth rates in various fraud types, the UK card industry formally began its migration to EMV chip and PIN. Significantly elevated levels of counterfeit fraud was one of the primary drivers of this decision and EMV chip, coupled with PIN as the cardholder verification method (CVM), was seen as the most effective approach given the predominantly offline nature of the UK authorisation ecosystem and the technology and commercial landscape at the time.

A centrally managed, UK-wide migration programme not only addressed the technical considerations and decisions, but arguably more importantly, the challenges that were likely to be faced by the various sets of stakeholders (e.g. industry, merchants, consumers, etc.). These challenges included the significant societal and cultural move away from signatures as the prevalent form of cardholder verification at the point of sale to the ‘high-tech’ PIN alternative already found in ATM transactions (although not chip-based PIN at that time).

The UK chip and PIN programme was ultimately regarded as an industry success and it certainly achieved one of its objectives: reduce counterfeit and lost and stolen fraud numbers significantly. However, this was not without some fairly harsh lessons being learned at the time and since then, for example:

• A credible industry business case was extremely difficult to develop due to varying approaches to risk appetite and management across the industry. Ultimately the view was that there was enough of a case to continue and that it was the right thing for the industry to do at the time (coupled with the ‘do nothing’ option being utterly unpalatable for all).
• Carefully consider the consequences – by effectively mitigating against certain fraud types (e.g. skimming/counterfeit), are you incentivising criminals to supercharge their efforts and focus on other fraud types (e.g. cardholder not present – CNP)? And will these subsequent fraudulent activities lead to a greater problem (e.g. increased CNP fraud) than the one you are solving with chip and PIN?
• A card scheme liability shift mechanism (effective from October 2015 for POS transactions in the US) is critical to drive appropriate and timely actions across the card payments value chain and industry as a whole. The general EMV liability shift rule-of-thumb is that those stakeholders that implement and enable the highest level of EMV capability/technology within their environments will enjoy the lowest risk of fraud loss (e.g. if a merchant implements a fully EMV capable terminal, that merchant will benefit from the liability shift if a magstripe card is presented).
• ATMs should have been one of the first channels to convert. ATMs were a primary card skimming enabler (and still suffer today notwithstanding various mitigating measures and technologies that have been developed over the years).
• Upfront agreement to the phasing out/cessation of CAM (chip) fall-back to magstripe and CVM fall-back is critical to drive desired behaviours and ensure that, for example, cardholders don’t continually ‘forget’ their PINs and therefore continue to rely on signatures. This is of course an extremely difficult and fraught journey for stakeholders to embark upon, especially merchants and consumers, but it has proven time and time again to be the appropriate course of action to support achievement of desired outcomes for EMV migrations.

Surely then, being mindful of these and other learnings, EMV chip and PIN is a must in the US? As ever, it’s not as straightforward as that. There are many factors to consider, not least of which is the cost – financial, operational, customer, social and cultural – of this decision. And apart from cost, are the reasons for deciding for chip and PIN historically still the same today?

Let’s deal with cost first. It is widely established (e.g. UK, Australia, Europe) that implementing EMV chip (typically CDA) is one of the most effective mitigants to skimming/counterfeit fraud. The addition of the PIN element generally mitigates against fraud types such as lost/stolen fraud.

The diagram below provides a perspective on the 2014 card fraud loss landscape in the US. Clearly the predominant fraud types are counterfeit ($3.0bn pa) and cardholder not present ($2.9bn pa), with lost and stolen fraud a not insignificant $0.8bn pa.

Bearing in mind that the US is almost entirely an online authorisation ecosystem and EMV chip and PIN was designed for a predominantly offline ecosystem – does it make sense to invest significantly in infrastructure to support offline PIN?

From purely a financial cost perspective, given significant current economic pressure from all quarters to reduce and manage costs, surely it makes sense to prioritise and focus limited resources on the areas of greatest exposure and impact? In the case of the US, this appears to be counterfeit and CNP fraud losses with lost/stolen appearing as the third priority. Therefore, based on current experience and relatively predictable outcomes, it appears most likely that chip and signature would be the most balanced, cost-effective immediate solution to the skimming/counterfeit fraud issue.

Furthermore, in a world where high-profile data breaches are too common for comfort, this would be a significant step towards rendering card data obtained from these breaches useless in geographies where EMV chip is the only acceptable form of face-to-face card payment type. The caveat however, is that as long as a magstripe exists on today’s payment cards, there is still a risk that, without the application of additional mitigating measures by value chain stakeholders, this data can still potentially be used to commit fraud in online environments (as can EMV cards without additional risk management controls in the online environment – EMV in and of itself does not reduce/remove CNP fraud risk).

One of the next questions is whether the payments ecosystem has changed to the extent that chip and PIN is no longer valid. Clearly the ecosystem has changed dramatically in many respects since the early days of EMV, not least of which is the phenomenal pace of technology advancement in the fraud and risk management space. Much has been written about a multi-layered approach to fraud management (this article will not seek to replicate that discussion) – at this time, EMV should be one component of that multi-layered approach. There are numerous other components such as advanced KYC, real-time behavioural analytics and transaction scoring (with the new breed of self-learning Bayesian modelling beginning to threaten the incumbent neural network based solutions), geographically aware location-based solutions, etc. Many of these solutions did not exist at the time that EMV PIN versus signature decisions were being made in the non-US EMV migrations – needless to say, their existence today significantly influences the considerations that underpin such decisions.

A further, oft-cited justification for ‘ignoring’ PIN is the argument that a large proportion of the general American population is likely to be unable to remember and use their PINs as required. This article cannot support that argument – Americans have been successfully using PIN-based debit card products for many years. For consumers, the EMV PIN experience is identical.

Perhaps a less obvious, but potentially important consideration is how chip and signature cards will be treated outside of the US. Most non-US implementations of EMV have been chip and PIN. US chip and signature cards being presented for payment in geographies that expect chip and PIN are likely to cause significant confusion and friction at the POS.

It is therefore valid to argue that, given the nature of the face-to-face payments ecosystem today and, in the absence of anything else (e.g. removing payment card data from the ecosystem entirely), perhaps chip and PIN is relatively the most appropriate solution. However, when implemented in a predominantly online authorisation ecosystem and in conjunction with a multi-layered fraud and risk management approach, compromising with chip and signature is unlikely to pose the same level of risk it may have done in the past. To Visa’s point, there are other innovations being driven into the market in this space and, while it will take some considerable time for some of these to gain the global ubiquity that is essential to their success, it probably makes sense to balance limited resources, i.e. industry investment, across these innovations in parallel with investment in today’s toolbox for fraud and risk management – of which EMV is definitely a part.

The Walmart position is both valid and unsurprising for a number of reasons – for example, having your till-based check-out staff carrying the burden of authentication, i.e. deciding whether a signature matches the version on the back of the payment card, is entirely unrealistic and has been proven to fail as an effective risk management measure time and again (e.g. there are many examples of ‘Mickey Mouse’ signatures being successfully used in face-to-face transactions…). PIN helps to address this issue, although effective online authorisation screening (e.g. context-aware, dynamic authentication) can be an even more powerful tool in both the face-to-face and online transaction ecosystems. Walmart is also in the position of having already made the investment in a PIN-based strategy – something a number of their competitors are not keen to do.

So, back to our original question, is Visa or Walmart correct. Both actually. There can be no doubt that signature has long been a very poor form of authentication, however, given the US context, implementing PIN where there are more advanced and effective methods of authentication available probably makes less sense today than historically. Value chain stakeholders with potentially significant exposure to fraud risk must consider investing in a sophisticated, multi-layered approach to fraud and risk management. With or without PIN, EMV is not and was never designed to be a standalone silver bullet solution to all payment fraud.

The post Chip and signature is a joke! appeared first on Accourt Payments Specialists.

Worldpay saw over 133,000 fraudulent transactions worth £10 million reported in March alone, leaving businesses out of pocket as fraudsters purchased goods and services using stolen card details. Over 67% of all fraudulent transactions happened online, while purchases made over the phone or by mail accounted for 19% of the total.

“Technology to guard against card counterfeiting and fraud has come a long way, yet the rates of attack are truly alarming. Card details are the weakest links in consumers’ and businesses’ defences and the one area that fraudsters know to hone in on,” comments Tim Lansdale, Head of Payment Security at Worldpay.

This graph shows the number of investigations into card breaches (i.e. known breaches) amongst Worldpay customers, by business PCI DSS level during 2011-2014. There were a total of 140 investigations held during this period.

Businesses that fail to protect their payment systems are not only left out of pocket when goods are purchased using stolen card details but also face paying for the investigation into the breach and the stiff industry penalties which inevitably follows. They are also likely to face bad publicity, which can swiftly erode the years of trust customers have built up in a business and can lead to even more lost custom in future.”

Small businesses, which accounted for 85.7% of all card data breaches, last year, make easy prey for the more advanced cyber hackers. By contrast, Worldpay has seen a 179% increase in payment security compliance amongst the UK’s biggest businesses, as the boardrooms of larger, better resourced companies look to bulk up their security in line with the card payment industry standards.

Causes of card data breaches

Regardless of business size, the clean-up costs of being targeted by hackers and suffering a card data breach can run to tens of thousands of pounds. A standard small business forensic investigation into a card data breach costs £11,250 on average and typically attracts at least a £8,000 industry penalty, not including the costs of lost goods and damage to reputation. Worldpay has seen larger businesses pay up to £100,000 for the forensic investigation alone.

“Prevention is clearly better than the cure when it comes to getting hacked. The UK’s largest companies have made great strides to improve their payment security but small businesses are still falling behind and being targeted as a result. Businesses of all shapes and sizes should be taking the necessary measures to protect themselves and their customers and employees,” said Lansdale.

Industries affected by card data breaches

Download the report here

Advice to businesses: How to avoid being a victim:

Card data breaches:

1. Check you meet the card industry’s standards for keeping card data safe, and that your third party suppliers do too.
2. Install all the latest patches for servers, operating systems, applications, and frameworks (Java, .NET etc.), to protect your ecommerce website.
3. Change online system log-ins from the default, and use strong passwords that hackers cannot guess.

Fraud:

1. Ask your payment processor about online protection, such as Verified by Visa, to make ecommerce payments safer from fraud.
2. Be wary of high value or unusual orders from a customer you do not know, particularly if the product can be resold easily.
3. Use the Address Verification Service, to match the customer’s delivery address with the billing address of the card owner.

The post Card fraud increases as stolen cards used once every 20 seconds appeared first on Accourt Payments Specialists.