The Fraud Blog with Tracy Kitten

Fraud, EMV and the U.S.

If the U.S. Goes EMV, Who Will Lead the Charge?
Fraud, EMV and the U.S.

According to our recent Faces of Fraud Survey, credit and debit card fraud ranks No. 1 among the types of fraud financial institutions continue to battle. Of our survey's 230-plus respondents, which comprise a mix of financial leaders and security officers from a cross-section of the industry, 81 percent say they have been impacted by payment-card incidents over the last year.

Winning the battle against card fraud is a priority for U.S. banks and credit unions in 2011, says Avivah Litan, Gartner Research vice president and distinguished analyst. But they're fighting a battle they can't win, especially where card skimming is concerned. The emergence of so-called "flash attacks," which rely on coordinated, often international, efforts to simultaneously withdraw funds from multiple ATMs using "white" cards created from copied mag-stripe details, are just the beginning.

It's not just about fraud at this point. It's about supporting a global payments infrastructure. 

"These attacks are problematic, because they evade most of the controls banks have put in place to detect fraud," Litan says. And now fraudsters are improving the techniques they use to skim the data, relying on Bluetooth to transmit card details that they now even encrypt, preventing law enforcement from seeing what is transmitted.

And so enters EMV -- a card technology proven to be more secure than the mag-stripe, but one that has been met with resistance in the U.S. The U.S. payments market is so fragmented, the cost of a massive shift to the infrastructure would be daunting. Think just about the fact that the U.S. has 18,000 financial institutions, not to mention myriad processors, networks and merchants, and it's easier to just put the lid back on the conversation. But we're now at a tipping point, and capping the convo won't do anymore.

It's not just about fraud at this point. It's about supporting a global payments infrastructure. And if the financial space does not get out in front of the move to EMV, the consequences could be dire.

Here are a few of my takes, based on evolving EMV conversations I've had with industry leaders over the last seven or so years.

First, if escalating card fraud is not enough, let's take a look at where the chip is in the U.S. The reality is that chip-based card technology, which often is built to EMV specs, is already gaining acceptance in the U.S. Chip-based identification cards are being issued to government personnel, and New York-based Travelex Currency Services Inc., which provides foreign-exchange services, announced last month that it's issuing MasterCard-branded chip and PIN cards to American travelers for use when visiting EMV-compliant countries. Over the summer, New York-based United Nations Federal Credit Union, $3.1 billion in assets, announced similar plans, saying it would be issuing EMV Visa-branded credit cards to its members who travel and/or live overseas. And big-box retailer Wal-Mart made its opinion known this past summer, when a company spokesman was quoted at a retail trade show as saying: "It's time for chip and PIN in the U.S."

According to the Smart Card Alliance, referencing stats from The Nilson Report, most top U.S. cards issuers were expected to have EMV-compliant chip cards available to select customers, such as international travelers, by the end of 2010. Those "upscale" cardholders could be catalysts for change in and of themselves -- their spending is typically six times more than the average cardholder. And as Canada and Latin America complete their EMV rollouts, the number of international U.S. travelers who need EMV-compliant cards will grow.

Second, the lingering mag-stripe is creating fraud problems for EMV-compliant nations. Despite those countries' migration from stripe to PIN, they're seeing incidents of skimmed data increase, since fraudsters have learned it's easy to copy a stripe in Europe and create a fake that can be used in the U.S. Some countries, such as Belgium, have already announced plans to stop accepting mag-stripe cards. Once that happens, and if it spreads to other countries, U.S. issuers will be backed into an ever-shrinking corner.

But now the problems come in. On a third note, in the U.S.'s defense, we have no overarching payments body tasked with overseeing and coordinating a move to EMV. It's been suggested that the Federal Reserve should spearhead the charge, given its growing oversight of payments, thanks to regulatory reform. Others have suggested MasterCard and Visa. But I don't see that happening anytime soon.

Some have said the Financial Services Roundtable might be a good fit, or the PCI Security Standards Council, if the scope of its mission statement were altered a bit.

I've even heard it suggested that Reg. E, if amended, could require a move to EMV.

Now, bring in the topic of regulatory reform, and the fourth issue comes into view -- debit interchange. If we were to move to a chip and PIN standard -- meaning all transactions would be conducted as debit, as they require the entry of a PIN -- interchange rates would be impacted. Taking signature out of the transaction equation would cut into issuing banks' and credit unions' interchange revenue. But the reduction in fraud expenses would likely offset those revenue losses. Besides, the Durbin amendment to Dodd-Frank is going to cut into that revenue anyway. But that's another blog entirely.

So, here we are. A lot of pressure and few escape routes. We have to make a move, one way or the other. I just hope we start moving in one direction sooner rather than later.



About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.eu, you agree to our use of cookies.