BROOKFIELD, Wis. — The Target data breach has financial institutions focused on payments and considering their options to fight cyber crime.
Credit union execs and analysts weighed in on some of the tools financial institutions can use to combat payments crooks, technology that is coming — like EMV — and what may not be working.
1. EMV Not The Single Answer.
Mike Urban, director of fraud and risk strategies for Fiserv here, agrees with many fraud analysts that criminals now, exemplified by the Target breach, are trying to get as much out of U.S. mag-stripe cards as they can before EMV becomes a payment standard here.
But he reminds that once EMV takes hold stateside, it's not time for credit unions to take a breather. "Card-not-present fraud will escalate," said Urban, noting that while chip cards make counterfeiting plastic very difficult, they do not stop e-commerce crime. "We have seen fraud migrate to card not present in countries right after they migrate to EMV."
Urban said that even though credit unions are not liable for card-not-present fraud, members will be inconvenienced. "Credit unions should begin preparing for this eventual fraud shift and develop strong card-not-present fraud strategies now."
2. EMV Only As Good As Merchant Participation.
Converting the CU's card base soon to EMV isn't the answer to more breaches that are likely coming, insists Arthur Kremer, CEO at $315 million Sharefax CU in Cincinnati.
"The heightened security from the EMV chip is only as good as the number of merchants able to read the chip," he said. "If the software and equipment are not installed by merchants, there is no benefit to having the chip in your card. Until Visa and MasterCard transfer the liability to the merchants, there is no incentive for the merchants to endure the software and equipment expense. When MasterCard and Visa finally mandate the chip technology, card corruption will diminish."
3. U.S. Paying Price For Lagging Behind In EMV.
Thomas O'Shea, CEO at the $180 million Aspire FCU in Clark, N.J., says the U.S. is paying the price now for not converting to EMV, as have all other G-20 countries.
"The U.S. didn't adopt EMV standards due to financial reasons — it was cheaper to manage and pay for the fraud than to upgrade terminals and reissue cards. "We will continue to see greater threats and stolen cards until the U.S. is fully EMV-enabled."
Aspire plans to convert its card base to EMV this year. "I expect we'll be issuing two cards to each member, one will be the old mag-stripe style card and the second as a separate EMV card. We will then phase out the mag-stripe cards once the liability shifts in late 2015."
4. EMV Quickly Outdated.
SAFE CU is not sold on EMV as a solution to rising fraud, explains Henry Wirz.
"We will look carefully at the cost benefit of EMV. Our current thinking is that EMV will quickly be outdated and investing in the chip cards may not be warranted," said the CEO at the $2 billion CU in North Highlands, Calif. "We may selectively issue cards for members who travel overseas, and we think that the (October 2015 liability shift) deadline for EMV card issue will be extended."
SAFE today is taking a wait-and-see attitude, said Wirz, and looking at other fraud-fighting options.
"There may be better fraud protection with a smartphone application that allows members to use their phone to make debit and credit purchases," he said. "We think that the card as a purchase device may be at the end of its life and that the smartphone will be the next innovation for purchases. We have been pleasantly surprised to see how quickly members are adapting to mobile banking — all mobile activity is growing at a rapid pace."
5. Human Element Key To Fraud Fighting.
While new and existing fraud fighting technology certainly reduces cybercrime, it's human resources that often make the biggest difference.
Stephen Boyer, co-founder of the Cambridge, Mass.-based BitSight, a tech firm that rates companies on security breaches, emphasized that large financial institutions are doing a much better job of detecting and preventing fraud than the big box retailers because they commit the right people to the effort.
"The large FIs rely on policies and procedures that are executed by trained people, along with good technology. You have skilled people doing their jobs well, and they are overseen by chief risk officers. It takes a mix of technology and people to fight cyber crooks."
