Payment card fraud has been a major problem for retailers and financial institutions ever since cards were invented.
EMV FIGHTS FRAUD
The fight against fraud got a major boost with the introduction of the "EMV" payment standard, which mandated the use of smart cards with microchips built into them. This was a great improvement over the magnetic stripe that preceded it, since it was so easy to forge.
EMV stands for Europay, MasterCard and Visa, and was developed by them starting in 1993 to improve the security of face-to-face payment card transactions, typically called "card present". Originally, card present transactions were conducted using cards with the user's signature on the back and a magnetic stripe wtih their account information.
Back in the day, the merchant could either verify the transaction using an online terminal which would read the data contained on the magnetic stripe and verify it with the card-holder's issuing bank, or they could take a mechanical imprint of the card. The imprint machines were nick-named "knuckle-busters". In both cases the customer would sign for the transaction and the signature would be compared to the signature on the back of the card as an additional means of verification. Some of these cards had holograms on them to provide verification that they were legitimate.
This approach had problems that allowed criminals to make fraudulent purchases. The worst issue was that cheap card magneitc stripe writers could write ANY data, including stolen card data, on the magnetic stripe. Even if the card was already expired, the mag stripe data was taken as valid.
Using the card’s signature to verify the transaction account for criminals acquiring cards before they were signed by their users, criminal ability to forge signatures, or busy checkout staff who didn't spot forged signatures.
For these reasons, the levels of fraud in face-to-face payment card transactions were very high and a means to minimize them was urgently needed. As we see in the chart, by 2015, card-present fraud was almost $4 Billion a year.
Smart cards were first introduced in France and Germany in the 1980s and, by the mid-1990s, the EMV payment standard for smart cards and terminals had been developed. EMV cards incorporate a microchip on which account information, including the user’s Personal Identification Number (PIN), is recorded in an encrypted format along with applications and encryption algorithms.
Customers produce their cards when making purchases and transactions are verified on the basis of the unique code generated by the card algorithm for each transaction and by their PIN number, which are transmitted from the merchant terminal to the issuing bank. These cards are commonly known as Chip and Pin cards and have the great advantage they are almost impossible to clone. Their introduction led to a dramatic fall in the rate of face-to-face payment card fraud in all locations although the rates of card-not-present fraud did increase greatly.
Of course, the USA card brands and issuers, in spite of the overwhelming success of CHIP and PIN, a two-factor authentication, decided that they did not want to burden Americans to remember a PIN. So they diluted the protective power of the original EMV, and allowed CHIP and SIGNATURE. Since signatures cannot truly be relied upon for authentication, we are left with JUST the protection of the chip. This effectively protects against cloning cards or conterfeiting them, but does NOTHING to stop the use of stolen cards.
The effectiveness of EMV technology enabled the issuing banks to shift the liability for fraudulent transactions to the merchant in cases where they did not upgrade their payment systems and continued to verify transactions with magnetic stripe and signature.
At Curbstone Corporation, we are fully support EMV transactions and we strongly encourage all our merchants to adopt the technology. Not only does it shift the liability for fraudulent transactions back to the bank, it also helps smooth the process of achieving PCI security compliance.
In a previous post, we examined some ways of minimizing legitimate chargebacks and fraud in card-not-present transactions over the phone or online. Note in the chart above, we are seeing, as expected, a huge rise in card NOT present transactions, like e-commerce and phone orders.
Curbstone Corporation’s secure technology processes about $2.4 Billion per year for merchants on the IBM i (AS/400, iSeries) platform, for phone orders, e-commerce, and retail.