Refusal To Adopt Chip & Pin Has Put Target On U.S. Cards
LAS VEGAS-A glance at fraud statistics would seem to yield an obvious solution: the United States needs to catch up with the rest of the world and upgrade old-school magnetic stripe cards to modern chip and PIN models.
But the solution isn't cheap or easy. And chip and PIN cards aren't infallible.
David Mattei, VP of product management for Fifth Third Processing Solutions, noted 45% of worldwide credit card fraud is transacted on U.S.-issued cards, and 40% of the transactions are at U.S. locations.
"This is because of magnetic stripe cards," Mattei told attendees of NAFCU's Technology & Security Conference here. "The United States is one of the last holdouts in adopting chip and PIN cards."
The reason the changeover has not happened is simple, Mattei explained: it would require replacing every merchant terminal in the country, and every card would have to be reissued. Because of the costs involved in such an undertaking, he predicted it will not happen.
"A newer technology will emerge that will be the new standard here, but you won't see a switch to chip and PIN cards."
Besides, Mattei told Credit Union Journal, chip and PIN cards are not infallible. European cards are not completely safe and can be compromised in different ways, he said. "If 45% of fraud involves U.S.-issued cards, that means 55% of fraud involves other cards. You still see fraud in Europe. Chip and PIN cards are not a panacea."
Underground Criminal Network
Mattei offered two definitions and a startling revelation into the shadowy world of those who deal in stolen credit cards and personal information. "Carding" is the term for the unauthorized use of card data, and "carders" are the criminals involved in carding. There are carding forums online, he said, which are websites dedicated not only to the buying and selling of card data, but which contain tutorials, network intrusion tools and software, and message boards with "good lists" and "bad lists" of criminals.
While many consumers are familiar with user ratings on such sites as eBay, where people grade each other by how promptly payment is received at the end of auctions, they might be surprised to discover carders have their own such system.
"Carders 'rate' each other based on reliability," Mattei said. "There are posts warning, 'this guy didn't pay for the data I sold him.'"
Once criminals have stolen cards or personal information in their hands, they typically commit one of four types of fraud: carding online, also known as CNP, or Card Not Present; in-store carding with stolen or counterfeit cards, AKA CP, or Card Present; cashing, which takes place at ATMs; and, gift card vending-which as the name implies involves reselling gift cards, which may be acquired by purchasing with a stolen or counterfeit credit card.
"Cashing, when the criminals have a PIN, is the preferred method of carders," he explained. "They would rather have cash than merchandise."
No Silver Bullet
Because fraud is so prevalent and there are so many different forms of it, there is no silver bullet when it comes to best practices to fighting fraud. Mattei suggested CUs have solutions in place at each of the four stages of fraud: pre-authorization, time of authorization, post authorization and ongoing.
At the pre-authorization stage, he recommended requiring card activation before initial use, setting sensible card limits and prudent expiration dates, and working hard to educate members.
"One poor practice we see is financial institutions mailing out a credit or debit card that is live," he said. "And remember, the smarter the member, the better off the credit union is. Put information in statement stuffers and on the website."
At the time of authorization, card issuers should have in place daily card limits, as well as daily ATM limits. Post authorization, CUs should verify transactions with members and report any fraudulent incidents per Visa's and MasterCard's compliance rules.
"Visa and MasterCard develop a database of knowledge and work to spot trends and patterns," he explained.
On an ongoing basis, Mattei said CUs should review alerts from CAN/CAMS, implement a 24/7 lost and/or stolen card hotline, and partner with other credit unions in their area to share information and identify common points of compromise. In addition, he advised CUs to maximize their chargeback rights.
"The chargeback rules for Visa and MasterCard are complicated. Credit unions need to know their rights and whenever possible let the merchant pay for it, not the credit union."
Perfection is not needed, Mattei said, citing the old joke about two guys who run into a bear while hiking in the woods. As they are running away one says to the other, "Do you really think you can outrun the bear?" To which comes the reply, "I don't have to outrun the bear, I just have to outrun you."
"Just be a little bit better than other financial institutions in your area and fraudsters will move on to someplace else," he advised.