While the new cashless, mobile economy gives consumers more opportunities to shop and pay, it also creates more channels for fraudsters to attack. While EMV chip technology has successfully decreased in-store fraud, it has driven fraudsters to shift focus. Today, most fraud is committed online and via mobile apps where thousands of transactions can be made quickly, and criminals can hide behind computers.
In the past, the typical fraudster was an individual working alone. Today, fraud is big business. Cybercriminals wear business suits, work in real offices, keep regular hours, and openly market their products and services.
While there are still criminals stealing purses on the street and using stolen cards, the real problem is the organized groups who collaborate and use technology to commit fraud on a large scale. As a result, a single act of fraud can have a devastating impact.
The Business of Cybercrime
Cybercriminals acquire sensitive data and card information by finding vulnerabilities in computer programs. They launch attacks on both individual computers and large systems, gathering information and linking personal data to card numbers.
Then, they bundle the offerings for sale on the dark web. Since these operations are often headquartered overseas, out of the reach of U.S. authorities, they’re difficult to shut down.
Everyone plays a role in ensuring the security of transactions.
- Financial institutions are not required to embed EMV chips in both the debit and credit cards they issue, but a majority are implementing the technology to reduce liability risks.
- Merchants utilize POS systems integrated with security software that enable them to comply with the Payment Card Industry Data Security Standards (PCI DSS.)
- While consumers don’t have to protect their data, FIs recommend not sharing sensitive personal information, as well as reporting lost/stolen cards and suspicious activity promptly. Due to an excessive amount of data breaches and the press associated with them, many consumers should also actively monitor their credit reports.
The Impact of EMV ChipsTo enhance the security of card payments, Europay, Mastercard and Visa (EMV) joined forces to introduce EMV technology in 2004.1 They later combined with other card networks to form EMVCo, which now oversees EMV compliance.
The benefit of EMV chips is that they store customer data on integrated circuits which generate a unique code for each transaction that is never stored or used again. Before EMV, card data was only stored on the magnetic strip on the back of the card, which made it easy for fraudsters to counterfeit cards.
- Card Verification Values (CVV, CID, CVD, CVC2, etc.) are 3 or 4-digit codes imprinted on the backs (or front of American Express) of credit and debit cards, but not recorded on their magnetic strips.
- It was introduced in 1997 when fraudsters began taking advantage of the popularity of TV shopping networks and online stores, which created an opportunity to make remote purchases.2
- CVVs combat CNP fraud by requiring cardholders to provide the code when making a payment online, over the phone or via a mobile app. Unless a fraudster has access to the physical card, they don’t have the CVV and most often the payment will be declined.
- When a consumer disputes a payment or “charge” made on their debit or credit card, the issuing bank will sometimes issue a chargeback to the merchant who completed the payment.
- In most cases, the issuing bank returns the disputed funds to the consumer immediately, then alerts the merchant and gives them time to file an appeal.
- The merchant can enlist their acquiring bank or payment processor to help them appeal the chargeback. However, the majority of chargebacks are due to the merchant accepting a fraudulent payment online or in-store.
- If the merchant is in PCI-DDS compliance, their appeal will usually be accepted and the issuing bank becomes responsible for the loss.
- While chargebacks are designed to protect consumers from identity theft and merchant mistakes, they’ve given rise to a fraud scheme known as “friendly fraud.” This occurs when a consumer makes an online purchase with a card, and after receiving the product(s) calls their bank to dispute the transaction. As a result, their payment is refunded and they get to keep the product(s).
- The PCI Payment Card Industry Data Security Standards (PCI DSS) were created in 2004 to establish a benchmark for data security.3
- They set the operational and technical requirements for merchants transmitting or storing consumer payment data.
- Once a year, merchants must submit proof of compliance to the Security Standards Council.
- Merchants who are not in compliance increase their risk for potential fraud losses and chargebacks should a data breach occur.
- The merchant is more susceptible to data breaches, which can lead to lawsuits filed against them by customers, financial institutions, regulators and major card brands.
- Noncompliant merchants are fined and can lose their right to accept card payments if they don’t take steps to become compliant