US EMV roll-up will see migration of fraud to other channels
The growing use of chip cards – EMV for the cognoscenti – will spur criminals to try new directions in fraud, Al Pascual, practice leader at Javelin Strategy, told delegates at the Nacha Payments 2015 conference in New Orleans. But it will take a little time because criminals have established modus operandi and it takes them time to move from one practice to another.
Pascual expects to see growth in mobile payment fraud, which he says will hit $18 billion by 2018. “We have seen some fraud with Apple Pay. By 2018 criminals are going to be cranking – imagine a world where you can apply for a card on a mobile device and have it provisioned in 30 seconds. Just buy a burner phone and go shopping.”
Point-of-sale fraud actually dropped last year, despite the breach at Target, where the company estimated a maximum of 98 million customers were affected. It replaced 95% of its cards.
“That’s completely unheard of,” said Pascual. “Most public breaches replace 5 to 8%. On top of that, companies tighten their controls.” In 2014, despite all the card data lost, fraud dropped from 30% to 13.7%. in part because so many cards were replaced. Stores probably turned down charges by legitimate customers in their effort to reduce fraud.
Rejecting customers’ charges is called “the insult rate”, he added, and it has a sharp impact on a card issuer’s profits. Nine out of 10 customers who have had a charge rejected contact the issuer, he said. Nearly half of them call the call centre, which costs about $5 per interaction. A third go into, or call, a branch, which is even more expensive. One in three stop using the card and one in four use the card less.
The spread of EMV is predicted to cause a spike in Card Not Present fraud but Pascual said that has been over-hyped. When the UK introduced chip cards, CNP fraud rose, but as a percentage age of legitimate transactions, it declined. “We don’t expect CNP fraud to spike overnight,” he said.
Chip card adoption in the US makes merchants, rather than card issuers, responsible for preventable losses by October of this year, but the shift in responsibility doesn’t hit unattended purchase points, like petrol stations, until 2017.“I have been looking hard at gas stations – it will be a while before they get EMV card readers,” said Pascual.
Big data breaches at health care companies, like those at Anthem, the second largest health insurance company in the US, and Community Health, were the result of attacks by the Chinese National State Services. China is building its own health care system and looking for useful information, he said. The data the Chinese government steals is not placed on Web sites for sale.
The rollout of EMV has attracted some controversies. The National Retail Federation said the cost will be $30 billion – it will be about $6 billion, said Pascual. Some people have criticised the move to introduce EMV with signatures rather than PINs because signatures will be less secure. “There’s not much difference between signature and PIN,” Pascual said. “The problem at POS is counterfeit cards, not lost/stolen. Once EMV is out there, 80 to 85% of POS fraud will drop because the big issue is counterfeiting.”