The Persistent Payment Fraud Challenge and What Can Be Done About It

As I review the latest payments industry news, I am trying to identify if there could be some low-hanging fruit that would make sense for the payments card industry to focus on. It seems that there is a consensus out there that most consumers still prefer using their familiar plastic cards and do not show obvious signs of abandoning them for more advanced payment form factors (like mobile payments) anytime soon. Although it may sound as counterintuitive, it looks like there might still be decent room left for incremental innovation and improvements in the plain vanilla payment card space. I will try to explain why, where, and potentially how.

The Persistent Fraud Challenge

EMV cards were originally introduced to prevent the possibility of fraud by counterfeiting mag stripe cards. The EMV technology is indeed very effective and successful in curbing that type of fraudulent activity. Unfortunately, EMV payment cards are not protecting (although they easily could) sensitive payment credentials (like PAN) when transacting with POS terminals, since EMV designers probably wanted to preserve backward compatibility with the way mag stripe transactions were processed by merchants and acquirers. It means that if fraudsters eventually hack into vulnerable merchant’s systems, they could obtain vast amounts of PAN data, which they can either try to sell on the dark web or attempt to use for online purchases themselves.

The fact that a majority of online merchants do not even ask for CVV (three-digit number on the back of the card), makes it relatively easy for this type of fraud to ‘migrate’ from in-store to online payment channels. 3D Secure (known as “Verified By Visa” or “Mastercard Secure Code”) was another attempt by payment networks and issuers to address online fraud, by ensuring that the consumer is authenticated by their financial institution during online transactions. But in a similar way, it is almost abandoned due to significant checkout flow friction that it introduced. CVV and 3D Secure usage today is very sporadic and inconsistent. EMVCo is in the process of completing 3D Secure V2.0 spec and time will tell if it may be more successful than its predecessor.

Consumers are fully protected by ‘zero liability’ clauses in their cardholder agreements if their card credentials are stolen from merchant’s systems and misused in online transactions. However, in these cases, it is usually the issuer’s bottom line that gets affected since they incur most of the costs for: a) refunding the account of the affected cardholder, b) canceling old and reissuing a new card, packaging and shipping them, etc. Although cardholders may not be affected financially in these cases, they still may have to go through a fairly frustrating process of updating new card number for all of their existing recurring card payments with various billers.

Many consumers, out of frustration, will quickly choose to replace compromised card in recurring biller’s system with the other valid card they may have, resulting in loss of future interchange revenue to the issuer of the stolen PAN. What’s even worse, many cardholders may never activate reissued cards that they receive, resulting in complete loss of future interchange revenue for the issuer.

The Global Size of Online Fraud?

The challenges described above could be ignored in the early days of online commerce when it was in its infancy. Today, it is a very different story. According to the Kaspersky’s estimate, online fraud is already costing the global economy “many times more” than the initial 2011 estimate of $100 billion (£62bn) a year. McAfee’s estimate from 2014 states that a conservative estimate would be around $375 billion, with the maximum as high as even $575 billion

The industry had high hopes that mobile payments (powered by tokenization) would appeal so much to the consumers, and rapidly replace plastic form factor. If that had happened as planned, most of the in-store and online payment transactions would be tokenized, where the sensitive payment card data would be protected. But unfortunately, for several years already, mobile payments seem to be struggling to gain consumer adoption, so the current contribution of payment tokenization on reducing online fraud levels is in the domain of rounding errors at best.

How Does One Address This Cost Effectively?

Online fraud may be caught potentially by sophisticated (and expensive) fraud detection and prevention systems. With advances in geolocation, AI and machine learning, the scoring ability of these solutions will definitely keep improving over time. But experience teaches us that it may not be nearly enough to eliminate fraud. Would it not be nice if we could be proactive and eliminate the opportunity for fraud to migrate from brick-and-mortar to online channel in the first place?

Some of the fairly cost effective ‘quick win’ recommendations, that may help achieve that goal, are:

1. Start issuing fully tokenized plastic EMV cards: There is no reason why plastic EMV cards can’t be issued as tokenized so that they never reveal sensitive card data at POS. Tokenization technology is already in place to support Apple Pay, Android Pay and Samsung Pay mobile wallets with almost all major card issuers on board. Since the struggle with mobile wallet adoption may continue for a while, issuers should take advantage of already available tokenization technology now, and extend it to ubiquitous plastic cards as well. The issuer’s personalization bureaus should be Token Requestors during chip card personalization, and for each card, obtain two PAN tokens from TSP (TSP will map the real card’s PAN to these two PAN tokens in its Token Vault). The first PAN token should be loaded into the card chip and second PAN token should be recorded on the mag stripe. The real PAN can still be embossed on the card but should be restricted to online transactions only. PAN tokens inside the card’s chip and on the mag stripe will be restricted to in-store POS transactions only and will never reveal the real PAN to any merchant. This complete decoupling of payment credentials between the chip, mag stripe and card embossing, is in fact fully transparent to the consumer, and effectively prevents leakage of card credentials between various channels.
2. Provide consumers with real-time control of their card’s usage in mag stripe swipe mode: TSPs intercept every transaction authorization request which was initiated with a PAN Token for it to be de-tokenized and sent to the issuer for final authorization processing. As part of the TSP processing, various usage restrictions and state of the PAN token are checked. All TSPs already provide standard APIs to suspend and resume PAN token usage; and since mag stripe of tokenized card will now contain a PAN token, the issuer should offer consumers a mobile app to control directly when their card can be used in ‘swipe mode’. For example, when I arrive in the US, where EMV-compliant POS terminals are still not yet widespread, I would use the mobile app to temporarily enable magnetic stripe transactions by resuming mag-stripe PAN token usage. As soon as I return to my home country, I will easily suspend mag-stripe PAN token usage (or the app can do it automatically based on my detected domestic geolocation for example). This way, even if my mag-stripe PAN token got ‘skimmed’ while I was using my card in US, I am safe since the tokenized card’s usage could now be granularly controlled per channel, without the need for card to be reissued. Even when the mag-stripe mode usage is suspended, I can still continue to use my card normally on any EMV-compliant POS terminal (as chip PAN tToken is not suspended) or even for online transactions (embossed PAN usage is not suspended). 
3. Consider issuing EMV cards with dynamic CVV capability, for secure online transactions: Recently, the Gemalto and Oberthur released chip cards with a dynamic CVV (dCVV) value that changes every 20 minutes or so. Issuers should consider adopting these cards and enforcing dCVV usage in online transactions. The dCVV could also be used as a very secure login mechanism for online banking sites, completely eliminating the need for the online banking passwords.

With these relatively simple and cost-effective recommendations for improvements combined, issuers can dramatically reduce and maybe even completely eliminate opportunities for fraud migration from card present channel toward card not present channel and elegantly enable very convenient and secure online banking logins for their customers.

Now, isn’t that worth doing?