Where fraud is decreasing…
Card fraud has significantly declined in countries that have rolled out EMV chip technology. Chip technology performs dynamic authentication of card and PIN values. This is more secure than static authentication of the card data stored on magnetic stripes, because that data can be skimmed, PIN entry recorded and counterfeit cards produced without card owners knowing. Countries (e.g. USA) that haven’t adopted the EMV chip standard and continue to use static cards and signature-based verification are waking up. In late 2014, Barack Obama signed an executive order to speed up the adoption of EMV technology via the BuySecure Initiative. The US is expected to have transitioned to Chip and PIN technology by October 2015 to reduce card fraud.
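A simplified model of the static-versus-dynamic distinction described above, added here as an illustration and not taken from the original article. HMAC-SHA256 stands in for the real EMV cryptogram, and the class names, key, card number and stripe data are constructed for the example.

```python
import hashlib
import hmac

# Simplified model: HMAC-SHA256 stands in for the EMV application cryptogram.
class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def sign(self, amount_cents, nonce):
        self.counter += 1  # every transaction gets a fresh counter value
        txn = {"pan": self.pan, "amount": amount_cents,
               "nonce": nonce, "counter": self.counter}
        txn["mac"] = mac_for(self._key, txn)
        return txn

def mac_for(key, txn):
    msg = "|".join(str(txn[f]) for f in ("pan", "amount", "nonce", "counter"))
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class Issuer:
    def __init__(self, pan, stripe_data, key):
        self.pan, self.stripe_data, self.key = pan, stripe_data, key
        self.last_counter = 0

    def verify_static(self, stripe_data):
        # Static check: the same bytes verify every time they are presented.
        return hmac.compare_digest(self.stripe_data, stripe_data)

    def verify_dynamic(self, txn, expected_nonce):
        # Dynamic check: nonce must match, counter must advance, MAC must fit.
        if txn["pan"] != self.pan or txn["nonce"] != expected_nonce:
            return False
        if txn["counter"] <= self.last_counter:
            return False
        if not hmac.compare_digest(mac_for(self.key, txn), txn["mac"]):
            return False
        self.last_counter = txn["counter"]
        return True

def demo():
    pan, key = "0000000000000000", b"constructed-card-key"  # constructed values
    issuer = Issuer(pan, "CONSTRUCTED-STRIPE-DATA", key)
    card = ChipCard(pan, key)
    # A copy of the static data is accepted as often as it is presented.
    static = [issuer.verify_static("CONSTRUCTED-STRIPE-DATA") for _ in range(2)]
    txn = card.sign(1999, "nonce-1")
    genuine = issuer.verify_dynamic(txn, "nonce-1")
    replayed = issuer.verify_dynamic(txn, "nonce-1")  # stale counter
    altered = issuer.verify_dynamic(dict(card.sign(1999, "nonce-2"), amount=1), "nonce-2")
    return static, genuine, replayed, altered
```

Calling `demo()` shows the static check accepting the copied data twice, while the dynamic check accepts only the first presentation of a signed transaction and rejects both the replay and the altered amount.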
Where fraud is increasing…
In countries that have deployed EMV Chip and PIN technology, fraud has declined at the point of sale, where the card must be present, but is increasing in transactions where the card is not present. Card not present transactions involve the use of card details printed on the card (account number, expiry date and CVV) to make a payment over the internet, mail or phone. These details may differ from the data stored on the magnetic stripe or chip, but can authenticate payments nevertheless. Card not present fraud also has wider implications for businesses that process online transactions. While the cardholder’s bank (issuing bank) is liable to cover the costs of disputed payments where a card is present, businesses may be found liable where a card is not present and may not be able to retrieve any goods sent to the fraudster.
3D Secure, an authentication protocol developed by Arcot Systems and rolled out to Visa (Verified by Visa), MasterCard (SecureCode) and American Express (SafeKey), is a way to reduce and combat card not present fraud. 3D Secure shifts the liability of fraud back onto issuing banks, making them responsible for authenticating the customer before a purchase is made. Once the issuing bank has authenticated a customer, it sends an authentication code to the card company (e.g. Visa), which is then verified and sent to the business’s bank (acquiring bank) for processing.
Despite its many advantages, 3D Secure is not perfect. There are extra steps involved for the customer and it is not always the best user experience (if implemented badly). 3D Secure can also become a target for phishers if customers are redirected to a phishing site instead of the issuing bank’s website for registration or authentication.