Chip-and-PIN: Solving Fraud or Shifting the Blame?
As of October 2015, credit card companies offloaded responsibility for point-of-sale (POS) security to banks and retail businesses. If companies don’t support new chip-and-PIN cards, they’re on the hook to handle fraud.
Despite the benefits of the Europay, Mastercard and Visa (EMV) rollout, many businesses are still reluctant to make the switch. Some are worried that improved POS protection won’t solve the problem of card-not-present (CNP) fraud online, especially as online purchases ramp up during the holidays. Has chip-and-PIN solved fraud or just shifted the blame?
According to Infosecurity Magazine, while 59 percent of U.S. adults have now been issued a chip-and-PIN card, only 41 percent understand the benefits, and just 37 percent received any information from their card issuer about how exactly the technology works. Banks and consumers alike have an inherent understanding of traditional magnetic stripe technology, while chip-and-PIN can seem needlessly confusing. So why bother with a microchip when the mag stripe is already doing the job?
Chase Paymentech laid out the basics of chip-and-PIN technology: A small microchip containing user PIN data is embedded at one end of the card. These chips are extremely difficult to copy, and purchases would still require the associated PIN, making them a tough target for cybercriminals.
To use chip cards, consumers insert the microchipped end of their card into a slot in the POS machine and are then prompted for their PIN. No swipe occurs, and no signature is needed. To protect customer data, the PIN is authenticated via encrypted communications and is never sent in plaintext.
Bottom line? These cards significantly reduce the risk of retail POS fraud because they’re difficult to copy, require a PIN for each use (and will lock users out if too many wrong PINs are entered) and place the onus for fraud detection on credit card companies rather than individual merchants.
Despite the benefits of chip-and-PIN cards in-store, however, some experts worry that the preferred fraud avenue will simply shift from skimming credit data to exploiting card-not-present (CNP) transactions online. Virtually all e-commerce purchases occur this way; since no physical card is present, merchants must rely on standard authentication methods such as usernames and passwords to verify consumers’ identities.
In Europe, for example, which long ago adopted EMV standards, CNP fraud is on the rise. According to a report from the European Central Bank, fraudulent CNP transactions were up 21 percent this year and accounted for 66 percent of all losses on cards. It’s no surprise, since cybercriminals go wherever security is weakest: If transactions are secure at the point of sale, they’ll move online to grab customer data.
Staying Safe With Chip-and-PIN Tech
With the holiday shopping season already in full swing, how do companies lower the chance of CNP issues? According to Multichannel Merchant, part of the problem can be addressed with a risk management product that scans your e-commerce system for strange behavior and offers proactive alerts to help limit the impact of fraud.
It’s also possible to improve security outcomes by adopting contextual authentication technology, which observes consumer behavior after usernames/passwords have been entered and even after two-factor authentication has taken place. If user browsing habits or shopping carts differ significantly from past transactions, the system reacts with a fraud warning.
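The contextual check described above, as an added example (not from the original article or any vendor's product): it compares a cart submitted after login against the customer's past orders and raises a fraud warning on a large deviation. The history records, the median/MAD scoring, the thresholds and the function names are assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample history for one hypothetical customer: past order
# totals (USD) and the product categories in each order.
HISTORY = [
    {"total": 42.10, "categories": {"books"}},
    {"total": 55.00, "categories": {"books", "kitchen"}},
    {"total": 38.75, "categories": {"kitchen"}},
    {"total": 61.20, "categories": {"books"}},
    {"total": 47.30, "categories": {"books", "toys"}},
]

def robust_z(value, samples):
    """Distance of value from the median, in units of scaled MAD.

    Median/MAD is used instead of mean/stddev so that one large past
    order does not stretch the baseline and hide later outliers.
    """
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    scale = 1.4826 * mad or 1.0  # fallback when all past totals are identical
    return abs(value - med) / scale

def assess_cart(cart, history, z_limit=3.5, min_history=3):
    """Return (decision, reasons) for a cart submitted after login."""
    if len(history) < min_history:
        # Too few past orders to say what is "normal" for this customer.
        return "no_baseline", ["insufficient order history"]
    reasons = []
    z = robust_z(cart["total"], [o["total"] for o in history])
    if z > z_limit:
        reasons.append(f"cart total far from past orders (robust z={z:.1f})")
    seen = set().union(*(o["categories"] for o in history))
    if cart["categories"] and not (cart["categories"] & seen):
        reasons.append("no category in this cart was bought before")
    return ("fraud_warning" if reasons else "allow"), reasons

if __name__ == "__main__":
    for cart in (
        {"total": 52.00, "categories": {"books"}},
        {"total": 899.99, "categories": {"electronics"}},
    ):
        print(cart["total"], *assess_cart(cart, HISTORY))
```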
Another good idea? Partnering with a managed security services (MSS) provider that supports user-managed access (UMA) using OAuth. This method allows users to verify their identity via social logins and also control the amount of data they provide to retailers. The biggest benefit of UMA is consent: By giving users power over how they log in and what data they share, it’s possible to demonstrate consent for transactions and limit total liability.
Chip-and-PIN cards offer significant security benefits for retailers but have the unintended consequence of driving fraud online. This isn’t a new problem, however, simply one brewing beneath the surface that’s been made apparent by chip-and-PIN adoption. Your best bet? Establish best practices now, both to handle the holiday rush and protect consumers over the long term.