Embed Size (px)
Citation preview
June 6, 2016
© 2016 Higher One Inc. d/b/a/ CASHNet. All rights reserved.
EMV On-Campus
Post Liability Shift Don Smith
VP Payments Product Management
Higher One
− 2 − − 2 −
• What is EMV and why are we moving in this direction?
• EMV Market Update
• Impact on Card Not Present Fraud
• Considerations for Your Campus
• Questions
Agenda
Q: Q:
What is EMV?
− 4 − − 4 −
• EMV = Europay MasterCard Visa
• Technical standards for a card with a smart chip and POS terminals and
ATMs (different than PCI)
• Standards overseen by EMVCo (Amex, Discover, JCB, MC, UnionPay, and
Visa)
• Accepted on 6/7 continents
• U.S. slow to adopt
EMV
− 5 − − 5 −
• “Dip” card vs. “Swipe”
• Chip and signature vs. chip and pin
• Card stays in machine for transaction
• Most machines beep when transaction is done
Getting Familiar with POS Changes
Dipping the Card
Q: Q:
Why?
25% Portion of the world’s
transactions that occurred in
the U.S. in 2014.* * Business Insider's "The US EMV Migration Report" (Nov 2015)
50% Portion of the world’s card
fraud that occurred in the U.S.
in 2014.* * Business Insider's "The US EMV Migration Report" (Nov 2015)
− 10 − − 10 −
Card Present
• Fraudsters purchase or steal
card info (or steal card)
• Load card info onto card’s mag
stripe
• Go to unmanned machines for
small amounts to test card info
• Try card at merchants that
have gift cards (or other things)
Card Not Present (CNP)
• Fraudsters purchase or steal
card info
• Test it where merchants do real
time processing
• Typically small amounts
• Once card number (and
associated info) is verified,
larger items will be purchased
Understanding Fraud
− 11 − − 11 −
• Stolen Card: Card holder’s card is stolen and the fraudster uses card to make purchases at POS
Countermeasures:
– Look at signature on back of card
– Ask for Photo ID
– Input zip code
• Counterfeit Card: Fraudster has purchased stolen card number online and loaded it onto the magstripe of a fake card
Countermeasures:
– Look at signature on back of card
– Ask for Photo ID
– Input last four digits of card or CVV into terminal as condition of transaction
Making Card-Present Fraud More Difficult
− 12 − − 12 −
• EMV makes use of dynamic info at the POS
• Makes it very difficult to create a counterfeit card
• Can make it very difficult to use a stolen card (PIN)
• Dynamic data (exclusive to each transaction) is sent to issuing bank through
payment rails to verify authenticity of card (Cryptographic Processing)
• Security can be enhanced by issuing bank requiring PIN at POS rather than
signature
EMV’s Main Purpose
LIABILITY SHIFT
− 14 − − 14 −
• Credit card brands encouraging adoption as a means to fight POS card-
present fraud
• Stopped short of a mandate
• Understand costs and logistics involved
• Realize changing consumer behavior is hard
• Issued “Liability Shift Date” of Oct. 1, 2015
• Pertains to all merchants with exception of pay at the pump gas stations
(Oct. 1, 2017)
• Think of Liability Shift as a start line vs. a finish line
Liability Shift
− 15 − − 15 −
Merchant liable for fraud if ALL three of following occur:
1. The payer wants to use an EMV card to make a purchase
2. The campus is unable to process an EMV transaction (and therefore
processes a transaction using the card’s magnetic strip)
3. The transaction is fraudulent
What Does it Mean?
$4.5B Estimated counterfeit card
fraud in U.S. for 2016.* *Aite Group
$1B Estimated amount of
counterfeit card fraud in
2020.* *Aite Group
MERCHANT ADOPTION
44% Merchants thought they were
going to be EMV ready by end
of 2015.* *The Strawhecker Group
37% Merchants were accepting
EMV as of Feb 17.* *The Strawhecker Group
20% Estimated portion of credit
card transactions that are
currently chip-on-chip.* *Aite Group
Q: Q:
Why so few?
− 24 − − 24 −
• Solutions more complex to develop • Conversations more complicated with dynamic data elements
• Comprises software, hardware and processor
• Certification is more arduous • Total solution in play for certification
• Card brands have different standards
• NFC add layer of certification
• Long certification queues • Evaluation can take months and cost up to $100K
• Each change to system prompts new certification
• Large number of solutions seeking certification
• Devices are expensive • Javelin Strategy and Research estimates it will cost $8.65B to implement EMV in the U.S; $6.75B on
POS devices alone!
Biggest Barriers
0%
10%
20%
30%
40%
50%
Ready Plan toUpgrade
No Plansto
Upgrade
What'sEMV?
Small Merchants
Small Merchant EMV Readiness
*TD Bank Study 2015
0%5%
10%15%20%25%30%35%40%45%
Small Merchants
For Merchants Who Don’t Plan to Upgrade
− 27 − − 27 −
• Many Non-EMV ready merchants reporting higher rate of chargebacks
• Higher volume with merchants who sell goods prized by fraudsters • Gift cards
• Electronics
• Jewelry
• Many banks don’t know if chargebacks are related to EMV or not
• Merchants don’t have resources to research chargebacks
• B&R Supermarket Inc. and Grove Liquors LLC • Oct – Feb 2014: 4 Chargebacks
• Oct – Feb 2015: 88 Chargebacks
• B&R and Grove Liquors filed a lawsuit against card networks • Allege card networks knew merchants would be unable to comply with EMV Liability Shift
• Merchants unknowingly paying for more chargebacks than they should
• Set up banks for big payday
Change in the Air?
50% Merchants will accept EMV by
end of June.* *The Strawhecker Group
90% Merchants will accept EMV by
sometime in 2017.* * The Strawhecker Group
CARD NOT PRESENT
− 31 − − 31 −
• Experts have argued EMV causes spike in CNP fraud
• Fraudsters follow path of least resistance
• Easier to commit CNP fraud because dynamic element of chip not in play
• In the UK, brick and mortar fraud decreased 75% from 2004-2012
• 2015 report from Euro Central Bank on 2013 Data
• $1.44B in fraud; mostly CNP
• CNP fraud increased by 20.6% over previous year
• ATM fraud fell by 13.7%
• POS fraud fell by 7.9%
CNP Fraud Post EMV
Canada Post EMV Implementation – 133% Increase in CNP Fraud
− 33 − − 33 −
• Others argue not necessarily cause and effect
• Point to:
• Adoption of new technologies for payments
• Increase in merchant adoption of new online storefronts
• Increase in online payment volume over same period
• Improved techniques by fraudsters (more data breaches)
• These compound the increase of CNP fraud
• Argue EMV should still be implemented but also need new mitigation
strategies for CNP fraud
Not All on EMV?
− 35 − − 35 −
• eMarketer Report
• 2013: $262 billion online sales
• 2017: $440 billion online sales (estimate)
• 13.8% compounded annual growth rate
• ACI Report
• Jan – July 2014: 1/114 CNP transactions was fraud
• Jan – July 2015: 1/86 CNP transactions was fraud
• Javelin Strategy & Research study in 2015
• Account takeover and new account fraud to increase by 60% in next three years
• Will go from an estimated $5B in 2015 to $8B in 2018
In the U.S.
CNP Expected to Double by 2018
Q: Q:
How can we protect
ourselves from CNP fraud?
− 38 − − 38 −
• 2016 will be an important year for the introduction and evaluation of new
technologies
• Geolocation
• Biometrics
• Dynamic data elements (authorization)
• Tokenization
• Real time transaction analytics
• Behavioral analytics
Pay Attention to New Developments
− 39 − − 39 −
• EMV migration forum and Smart Card Allliance recommend a layered security
approach that could include:
• Device authentication, such as confirming that the device used to make the payment
is being used by the right consumer
• Multi-factor authentication, in which the credentials used to make the payment are
checked against the address, phone number, and email address provided by the
customer at check-out
• Tokenization, which replaces payment credentials with one-time codes
• Rigorously checking the identity of an online customer when they pick up
merchandise reserved in a physical store
Multi-Layered Approach
15% Cardholders who had a
transaction declined because
it looked like fraud.* *Javelin Strategy & Research. “Overcoming False Positives”
$118 B Lost sales from false
positives. *Javelin Strategy & Research. “Overcoming False Positives”
$9 BB Actual ecommerce fraud in the
U.S. in 2015. *Javelin Strategy & Research. “Overcoming False Positives”
− 43 − − 43 −
• Work with your payment software provider or processor to identify best strategy for your campus • In-person
• Define EMV strategy and roll out plan
• Implement cashier security measures in the business office
• CNP • Velocity limits
• CID/AVS
• Authentication
• Transaction reporting
• Mobile wallets
• Keep in mind fraud (CNP and CP) rates are low for most schools
• Stay abreast of new developments in technology
• Ensure your campus takes PCI seriously and work with a PCI certified QSA to document and test your environment
Think Through Your Strategy
Q: Q:
Questions?
