Fighting fraud with EMV
JAW-DROPPING sums are lost to card fraud every year. According to The Nilson Report, which covers global card and mobile payment industries, card fraud losses in 2015 hit $21.84 billion, up 20.6% from 2014. Card issuers, merchants and acquirers of transactions from ATMs, among others, absorbed these losses.
The humongous figure includes ATM withdrawals outside global networks but not the costs incurred by issuers, merchants and acquirers for their operations, call centers and chargeback management.
“Gross fraud losses for all card-based payment systems worldwide equaled 6.97¢ per every $100 of total volume [in 2015], up from 6.21¢ per $100 in 2014,” The Nilson Report said. “As a percentage of total volume, fraud losses were at their all-time low at 4.46¢ in 2010. They have increased ever since.”
Fraud tied to global general-purpose cards — American Express, Diners Club, Discover, JCB, Maestro, Mastercard, Visa and UnionPay — accounted for $ 19.58 billion or 89.7% of the gross fraud losses worldwide. The amount increased 21.4% from 2014.
Card issuers had to endure losses amounting to $ 15.72 billion or 72% of global fraud losses, while merchants and ATM acquirers lost the remaining $6.12 billion or 28% of the total.
Nilson identified a number of causes: counterfeit cards (at the point of sale and ATMs), fraudulent applications (including the “first party” type in which a consumer opens an account without intending to pay the charges) and lost and stolen cards. Those counterfeit cards, credit and debit, were the main source of billions of losses card issuers absorbed in 2015, Nilson noted.
Fraudsters have long been known to take advantage of the black magnetic stripe found on the back of cards. This technology stores cardholder data, which is read when the card is swiped through a device designed to read it. The information stored is static, so the same information is read in every transaction a cardholder makes. Hackers, even those who don’t have very sophisticated tools, can easily collect the unchanging data from magnetic stripe cards by hacking into ATM terminals, for instance.
A shift away from magnetic stripe technology is underway in favor of a new and more secure standard for card transactions: EMV, short for Europay, Mastercard and Visa. EMV is not exactly new; in fact, it’s been around for decades. It was developed by Europay, Mastercard and Visa, hence its name, and released in Europe in 1994. The standard is now being managed by EMVCo, a six- member consortium composed of two of EMV’s original developers ( Mastercard and Visa), plus American Express, Discover, JCB and UnionPay that aims to facilitate worldwide interoperability and acceptance of secure payment transactions.
“The industry’s best defense against counterfeit fraud are EMV cards and the terminals needed to read their chips,” The Nilson Report said. The microprocessor chip embedded in an EMV card, which stores the critical cardholder data, makes it much more difficult for criminals to carry out identity theft because it generates a unique, one-time code for every transaction.
According to EMVCo, by the end of 2016, the number of EMV payment cards in global circulation reached 6.1 billion, increasing by 1.3 billion over the previous 12 months. In addition, 52.4% of all card-present transactions conducted globally last year used the EMV chip technology, a significant jump from 35.8% in 2015. The consortium said that for a transaction to qualify as an EMV transaction, both the card and the terminal must be EMV-enabled.
Adoption of EMV chip card is also on the rise globally. Europe Zone 1, which includes all of Western Europe, had the highest regional chip card adoption rate in 2016: 84.9% (up from 84.3% in 2015). By contrast, Asia Pacific had the lowest — 38.8% — but it was an improvement from 32.7% in 2015.
In the Philippines, Bangko Sentral ng Pilipinas (BSP) has ordered financial institutions under its supervision to migrate to the chip-based card. In 2014, it gave cardissuing firms until Jan. 1, 2017 to complete the shift. But in the middle of this year, the deadline was extended to June 30, 2018.
“Full compliance constitutes completion of all EMV- related activities from upgrading/enhancement of back- end processes and systems, ATM and POS (point-of-sale) terminals to the replacement of magstripe credit and debit/ prepaid cards, including distribution of EMV-compliant cards,” a BSP memorandum released in June said. In addition, BSP has also asked lenders to encourage account holders who still possess cards with magnetic stripe to surrender the cards and have them replaced.
Failure to comply with the new hard deadline, the BSP noted in the memorandum, would be considered a “serious offense,” and incur offender monetary sanctions. According to BSP’s data, in 2015, losses amounting to some P200 billion were tied to cyber fraud-related cases, 75% of which were accounted for by credit card and ATM skimming.