Just in case you haven’t heard, Interac, the payment association that governs debit cards in Canada, has an initiative in place that most certainly will affect debit card fraud in the United States.
• • •
Interac has implemented a requirement that all issuing financial institutions implement the EMV smart card for debit cards by 2012. Further, all merchants in the country must have EMV terminals installed not later than 2015. Here’s the link for the Interac Canada initiative: http://www.emvcanada.com/
EMV stands for EuroPay-MasterCard-Visa and it is a secure, chip-based card standard that was established by, yes, you guessed it, the EuroPay, MasterCard and Visa organizations to strengthen card systems against fraud. EMV card initiative replaces the signature debit program by requiring a special EMV card reader that also requires the use of a PIN. A PIN-based transaction is the most secure card transaction, short of multifactor authentication. The benefits of the EMV smart card do not stop at the reader. Another important aspect of the EMV card has to do with encryption of the information contained on the card, such as account number, PIN, cardholder name, expiration date, and available balance. The EMV card is far more secure than the traditional mag-stripe card debit and credit cards used in the U.S. today because of the fact that the information on the mag-stripe is not encrypted.
What does this mean for the United States? Well, it is my opinion fraudsters will target us south of the border. Why? Our card systems, in contrast to the EMV system, are not as secure and not encrypted. The domestic card industry has been very slow to adopt stronger security methods pertaining to cards and as an industry lacks consensus even though the card companies have arrived at a standard outside of the country.
Also, an important fact about the Interac rules that you need to be aware of: if merchants use anything other than the EMV chip feature to complete the sales transaction, they will assume 100% of the fraud risk. This rule alone will force merchants to rely exclusively on the EMV chip system.
The result in both cases is that fraud will go down in Canada and other countries where the EMV chip is used and it will go up in countries where it is not, such as the United States. Currently 65% of the cards issued and 85% of the card readers installed in Europe are EMV compliant. In Canada, 26% of the cards and 56% percent of the terminals are EMV compliant. Similar statistics can be reported for Eastern Europe, Asia and Africa, but not the United States as reported by EMV (October 2010 www.emvco.com). Consequently, it is inevitable that fraudsters will move to the U.S. if they have not already done so, to take advantage of our weak card security model and perpetrate their crimes. So the question needs to be asked: if this EMV standard has been accepted globally, why hasn’t MasterCard and Visa implemented a rules change in the U.S. to require a standard they help develop? Why haven’t the card companies required end-to-end encryption? One criticism has been the cost of the card readers, but even if the card reader costs $250, and there were ten POS terminals at a store, it doesn’t take a math major to figure out that one or two fraud events avoided could quickly pay for this upgrade.
Finally, what does it take for the industry to become more focused on card security? With the growth of e-commerce and the internet, security should be top of mind not a second thought. If we don’t take action now, we will have another card crisis to deal with. It’s possible the Federal Reserve could require EMV cards as a function of its new authority under the Durbin Amendment of the Dodd-Frank Act. That would get the industry’s attention!
EMV stands for EuroPay-MasterCard-Visa and it is a secure, chip-based card standard that was established by, yes, you guessed it, the EuroPay, MasterCard and Visa organizations to strengthen card systems against fraud. EMV card initiative replaces the signature debit program by requiring a special EMV card reader that also requires the use of a PIN. A PIN-based transaction is the most secure card transaction, short of multifactor authentication. The benefits of the EMV smart card do not stop at the reader. Another important aspect of the EMV card has to do with encryption of the information contained on the card, such as account number, PIN, cardholder name, expiration date, and available balance. The EMV card is far more secure than the traditional mag-stripe card debit and credit cards used in the U.S. today because of the fact that the information on the mag-stripe is not encrypted.
What does this mean for the United States? Well, it is my opinion fraudsters will target us south of the border. Why? Our card systems, in contrast to the EMV system, are not as secure and not encrypted. The domestic card industry has been very slow to adopt stronger security methods pertaining to cards and as an industry lacks consensus even though the card companies have arrived at a standard outside of the country.
Also, an important fact about the Interac rules that you need to be aware of: if merchants use anything other than the EMV chip feature to complete the sales transaction, they will assume 100% of the fraud risk. This rule alone will force merchants to rely exclusively on the EMV chip system.
The result in both cases is that fraud will go down in Canada and other countries where the EMV chip is used and it will go up in countries where it is not, such as the United States. Currently 65% of the cards issued and 85% of the card readers installed in Europe are EMV compliant. In Canada, 26% of the cards and 56% percent of the terminals are EMV compliant. Similar statistics can be reported for Eastern Europe, Asia and Africa, but not the United States as reported by EMV (October 2010 www.emvco.com). Consequently, it is inevitable that fraudsters will move to the U.S. if they have not already done so, to take advantage of our weak card security model and perpetrate their crimes. So the question needs to be asked: if this EMV standard has been accepted globally, why hasn’t MasterCard and Visa implemented a rules change in the U.S. to require a standard they help develop? Why haven’t the card companies required end-to-end encryption? One criticism has been the cost of the card readers, but even if the card reader costs $250, and there were ten POS terminals at a store, it doesn’t take a math major to figure out that one or two fraud events avoided could quickly pay for this upgrade.
Finally, what does it take for the industry to become more focused on card security? With the growth of e-commerce and the internet, security should be top of mind not a second thought. If we don’t take action now, we will have another card crisis to deal with. It’s possible the Federal Reserve could require EMV cards as a function of its new authority under the Durbin Amendment of the Dodd-Frank Act. That would get the industry’s attention!
— The Wombat!
[Editor’s Note: Some U.S. banks will begin issuing emv cards, but not predominantly for domestic use. Wells Fargo announced April 13 that it will pilot the Visa Smart Card, which includes the traditional magnetic stripe along with EMV chip technology, to 15,000 Wells Fargo customers who travel internationally. JP Morgan Chase announced today that it will issue emv cards to customers who travel overseas.
About the Author
Dan Fisher is president and CEO of The Copper River Group, a consulting firm headquartered in Fargo, N. D., that focuses on technology and payment systems research and consulting for community financial institutions. For nearly 30 years, Fisher has worked in the financial industry using technology to improve the bottom line. He was CIO of Community First Bankshares (now part of BancWest), has served as a director of the Federal Reserve Board of Minneapolis, the chairman of the American Bankers Association Payment Systems Committee, and was a member of the Independent Community Bankers of America Payments Committee. Fisher has written numerous articles on banking technology and the payments system. He has authored or co-authored six books and recently published a book titled, "Capturing Your Customer! The New Technology of Remote Deposit." You can contact Fisher at
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
.
P.S. To understand Dan's nickname, check out "About the Wombat" on his website, www.copperwombat.com
Dan Fisher is president and CEO of The Copper River Group, a consulting firm headquartered in Fargo, N. D., that focuses on technology and payment systems research and consulting for community financial institutions. For nearly 30 years, Fisher has worked in the financial industry using technology to improve the bottom line. He was CIO of Community First Bankshares (now part of BancWest), has served as a director of the Federal Reserve Board of Minneapolis, the chairman of the American Bankers Association Payment Systems Committee, and was a member of the Independent Community Bankers of America Payments Committee. Fisher has written numerous articles on banking technology and the payments system. He has authored or co-authored six books and recently published a book titled, "Capturing Your Customer! The New Technology of Remote Deposit." You can contact Fisher at
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
.P.S. To understand Dan's nickname, check out "About the Wombat" on his website, www.copperwombat.com
Set as favorite
Bookmark
Email This
Trackback(0)
TrackBack URI for this entryComments (0)
Subscribe to this comment's feedWrite comment
