As new payment technology is introduced to overcome the security challenges of older methods, fraudsters continue to get smarter and come up with new ways to scam businesses and people out of their money. European countries started adopting EMV chip-based smart cards in 2004.
In 2014, card issuers imposed a liability shift on merchants in the US, whereby businesses would be officially responsible for fraud cases where EMV cards were used with non-EMV-compliant readers. EMVCo, the organisation that manages the EMV standard, has published the global deployment statistics for EMV in this report.
Smart cards definitely provide an advantage over the older magnetic stripe cards in terms of security. Payment smart cards have an embedded computer chip which generates a unique encrypted code, called a token, for every transaction, thus making it difficult to read or copy the account holder's data from the card. This, combined with PIN-based authentication, provides added security against fraud. However, there are still scenarios where fraud does take place. We look at some such possible fraud scenarios and how to safeguard oneself against them.
Fraud Scenarios and Prevention
Smart card transactions may be classified into two distinct categories based on usage.
- Card Present Transactions: These are the payments made at brick-and-mortar stores, where you present your card at the Point of Sale (POS) terminal to pay for your purchases. The introduction of smart cards has helped to reduce fraud in these scenarios due to the inbuilt encryption provided by these cards. These cards are, however, backward compatible and work with the old magnetic stripe readers. Merchants who do not configure their systems correctly to read EMV cards make smart card transactions vulnerable to attack. As per this report published on Fortune, “criminals have been able to insert themselves into the transaction data stream, either by hacking into merchant networks or installing skimmer devices in order to capture card information”. Skimmer devices help to read data from cards with magnetic stripes. This 2018 report states that “90% of the CP compromised US payment cards were EMV enabled.”
Thus, insufficient merchant compliance is the main reason for smart card fraud related to card present transactions. The only way of preventing such fraud is for merchants to take the EMV guidelines seriously, install appropriate systems to read smart cards, and adequately train the personnel handling payments. This is especially true for small and medium-sized businesses, which are usually targeted by fraudsters as they are more likely to have vulnerable systems.
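One way a merchant or acquirer could spot the misconfiguration described above is to look for chip cards that were read by magnetic stripe. The sketch below is an added example, not taken from the reports cited here; the record field names and sample records are constructed, and the entry-mode values follow common ISO 8583 field 22 usage, which varies by network.

```python
from collections import defaultdict

# Assumed POS entry mode prefixes (ISO 8583 field 22, first two digits).
CHIP_MODES = {"05", "07"}        # contact chip, contactless chip
MAGSTRIPE_MODES = {"02", "90"}   # magnetic stripe read
FALLBACK_MODE = "80"             # chip card swiped after a failed chip read


def card_has_chip(service_code):
    """ISO/IEC 7813: a service code starting with 2 or 6 marks a chip card."""
    return service_code[:1] in {"2", "6"}


def classify(txn):
    """Label one transaction by how the card was read."""
    mode = txn["entry_mode"][:2]
    if mode in CHIP_MODES:
        return "chip"
    if card_has_chip(txn["service_code"]):
        if mode == FALLBACK_MODE:
            return "fallback"
        if mode in MAGSTRIPE_MODES:
            return "chip_card_swiped"
    return "other"


def terminals_to_review(txns, threshold=0.5, min_txns=3):
    """Return terminals where most transactions bypassed the chip."""
    counts = defaultdict(lambda: [0, 0])  # terminal -> [risky, total]
    for txn in txns:
        entry = counts[txn["terminal_id"]]
        entry[1] += 1
        if classify(txn) in ("fallback", "chip_card_swiped"):
            entry[0] += 1
    return sorted(term for term, (risky, total) in counts.items()
                  if total >= min_txns and risky / total >= threshold)


# Constructed sample records; no card numbers are needed for this check.
SAMPLE = [
    {"terminal_id": "T-001", "entry_mode": "051", "service_code": "201"},
    {"terminal_id": "T-001", "entry_mode": "071", "service_code": "201"},
    {"terminal_id": "T-001", "entry_mode": "051", "service_code": "221"},
    {"terminal_id": "T-002", "entry_mode": "901", "service_code": "201"},
    {"terminal_id": "T-002", "entry_mode": "801", "service_code": "201"},
    {"terminal_id": "T-002", "entry_mode": "902", "service_code": "101"},
    {"terminal_id": "T-002", "entry_mode": "021", "service_code": "601"},
]

if __name__ == "__main__":
    print(terminals_to_review(SAMPLE))
```

A terminal that appears in the result is reading chip cards by stripe more often than not, which points to a reader that is not EMV-enabled, is misconfigured, or has a failing chip slot.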
- Card Not Present Transactions: These are the transactions where the card holder and card are not physically present at the time of the transaction. This typically applies to online/ecommerce transactions. Due to the increased security after the implementation of EMV, fraudsters now find it easier to exploit online systems for credit card information. Since merchants usually work with multiple partners, such as ecommerce providers, online hosting environments and third-party payment gateways, there are just as many points that need to be secured against hacker attacks. Each of these parties has a shared responsibility to protect the end user's data.
Ecommerce providers need to have a dedicated fraud prevention team to protect their implementations. Merchants need to ensure that they do the necessary due diligence for all partners engaged and for their own systems. It is usually advised that merchants do not store any customer card data on their own systems. Card issuers such as Visa have also published guidelines for merchants to protect themselves against both card present and card not present fraud scenarios. This includes guidelines to verify the billing address and CVV2 for card-absent transactions.
While the previously discussed scenarios apply to merchants, card holders can also protect themselves against fraud by being vigilant and aware of their surroundings when conducting financial transactions. The following simple steps can help.
- Ensure that you sign the card as soon as you receive it.
- Memorise the PIN; do not copy it, share it with anyone, or transfer it via SMS, email or text message.
- Activate SMS alerts for all transactions.
- Activate OTP services if provided by the bank.
- Track statements regularly to check that all the transactions reported are valid and accountable.
- Keep the customer service hotline number readily available especially when travelling.
- Try to avoid swiping your card at non-EMV compliant terminals.
- Keep yourself updated about the latest phishing techniques used by fraudsters in your location.
- Use known and reliable sites for online transactions.
Card issuers and payment technologists have done their best by providing smart cards for conducting secure and convenient transactions. The only way to prevent smart card fraud seems to be for merchants and card holders to become as smart as the smart cards that they use, and definitely smarter than the fraudsters who target them.