Monday , July 15, 2019

Falling Short on EMV

Every U.S. EMV chip card will have a backup magnetic stripe. That ensures widespread acceptance but can present risks.

As EMV chip card payments finally take hold in the United States, an issue certain to show up on the payment industry’s radar is fallback. That’s when the customer inserts an EMV card into a working EMV point-of-sale terminal, but for any number of reasons the transaction uses the card’s backup magnetic stripe instead of the chip.

Fallback is nothing new in card payments. Today, if a mag stripe isn’t working, the clerk typically keys the card’s account number into the terminal. If that doesn’t work, her manager can submit a paper draft to the acquirer.

But peel back each layer of fallback, and you add more risk and expense to the transaction.

Nearly every EMV card issued worldwide has a backup mag stripe so that the card can be used where EMV terminals aren’t installed or are not working. Fallback can arise at improperly configured or defective EMV terminals or ATMs, or from fraud attempts. Or, the problem could be with the card’s chip.

Some fallback is inevitable, but too much of it is a sign of problems, and it presents customer-service issues, not to mention fraud risk.

‘A Brave Issuer’

Under the payment networks’ U.S. liability shifts coming up in October, issuers will bear responsibility for any resulting fallback fraud if the merchant had a working EMV terminal, according to Tony Walsh, payments solutions specialist at Duluth, Ga.-based ATM manufacturer and point-of-sale software provider NCR Corp.

Issuers can refuse to allow fallback, but then they risk rejecting legitimate transactions.

“It’s a brave issuer that says unless it’s EMV, I’m going to decline everything else,” says Martin Warwick, London-based fraud chief for the Europe-Middle East-Africa region of Fair Isaac Corp. San Jose, Calif.-based Fair Isaac developed the FICO score for assessing consumer creditworthiness and is a provider of fraud-detection services for card issuers and processors.

That has happened, however. After the United Kingdom converted to EMV payments about a decade ago, fallback fraud got so bad at ATMs that, beginning in February of 2006, issuers banned fallback at the machines.

Fraudsters had quickly learned that it was easier to use cards without chips or otherwise try to generate a fallback transaction at an ATM than it was in a store, where a clerk would be watching, says payments-security analyst Julie Conroy, research director at Boston-based Aite Group LLC.

“Fallback fraud was certainly an issue, and particularly at the ATM,” Conroy says.

Warwick says fraudsters would grab readily available loyalty cards in stores and re-code their magnetic stripes with stolen general-purpose payment card data. He had a bird’s-eye view of the problem because at the time he was the top payment card fraud-control executive at Barclays Bank, a leading British credit and debit card issuer. He fully supported the fallback freeze.

“I was still at Barclays and I turned it off,” he says.

For a while, Canadian issuers blocked fallback at ATMs and the point of sale after Canada implemented EMV payments, according to Stephanie Ericksen, vice president of risk products at Visa Inc. Canada had its major EMV liability shift in April 2011.

The ban didn’t last, however. “They realized they were declining a high amount of cardholder transactions,” says Ericksen.

Instead, Canadian issuers revised their fallback rules and came up with a more nuanced approach, permitting it in cases where transaction velocity and other risk indicators signaled that authorization approval probably was safe.

Fallback bans have not been banished entirely from Canada, however. At the end of this year, Canada’s Interac debit network no longer will permit fallback at the point of sale, according to Deanna Karhuniemi, vice president of EMV strategy for Chase Commerce Solutions, a unit of JPMorgan Chase & Co. that has a big merchant-acquiring business in Canada.

Given Interac’s high popularity with Canadians, the move is expected to push those remaining merchants who still use mag-stripe-only POS terminals to finally get EMV card readers.

“I would suspect any merchant that wants to accept Interac … is going to get a chip terminal,” Karhuniemi says.

The current level of fallback fraud “is not very high,” says Visa’s Ericksen. She estimates that perhaps 10% of EMV fallback transactions at most are actually fraudulent.

Fallback Fines

The U.S. liability shifts taking effect Oct. 1 will assign financial responsibility for counterfeit point-of-sale fraud to the party that doesn’t support EMV. Similar liability shifts for ATMs and fuel pumps will follow in 2016 and 2017, respectively.

“Other regions consistently experienced high fallback rates when they first rolled out EMV,” Deborah Spidle, director of EMV solutions at Holly Springs, N.C.-based payments-technology provider Paragon Application Systems, says by email. “Fallback was caused by a number of factors.”

Those factors included incorrect terminal configurations and the failure of terminals to support application identifiers (AIDs) that the card supported. On the issuer side, incorrect card personalization sometimes resulted in settings that caused the terminal to order up a mag-stripe transaction.

“In the U.S., I would expect similar challenges,” Spidle says.

Outright defective chips in cards, which would cause fallback, are quite uncommon, according to Aite’s Conroy.

“Chip failure is rare because of the rigor with which these things are tested,” she says, adding that it’s pretty much the same case with terminals.

Wherever fallback occurs in an EMV environment, however, acquirers, networks, and issuers want to know why it’s happening.

Visa puts acquirers into its Global Fallback Monitoring Program when fallback exceeds 2.5% of monthly transaction volume, according to Ericksen. The network started the program some years ago as EMV spread throughout the world.

“We analyze the data to see which merchant locations are contributing to the figure,” says Ericksen.

The acquirer has 30 days to fix the problem after being notified by Visa. If high fallback rates continue, Visa reserves the right to fine the acquirer.

“We have actually levied several fines for fallback,” says Ericksen. She would not identify the acquirers involved or reveal specific fines, but says fines generally are in the range of $25,000 per bank identification number (BIN).

“They’re not small fines, but they’re not egregious fines,” she says. “They’re certainly something that gets attention.”

Fallback Pitfalls

In addition to being on the lookout for cardholders with fraudulent intent, there are many things acquirers and issuers can do to prevent fallback EMV transactions, according to Paragon’s Spidle.

For acquirers and independent sales organizations, preventative measures include correctly configuring the terminal. A related issue is making sure the terminal has the proper AIDs.

“The terminal did not support certain AIDs that the card supported, so a magnetic-stripe transaction was created,” says Spidle.

Such identifiers are particularly important for U.S. EMV debit cards, because the Dodd-Frank Act’s Durbin Amendment requires each debit card to offer the merchant at least two network routing options with each transaction. The law’s intent is to promote network competition and potentially lower merchants’ debit card acceptance costs.

Implementing such AIDs is no easy operational task with EMV chips, which appeared on the scene long before the 5-year-old Dodd-Frank Act, though Visa, MasterCard, and the major PIN-debit networks have come up with procedures to make it happen.

Another fallback-prevention technique for acquirers is “to not flip the switch for EMV in a terminal until you have completed all of the certifications required by all of the card brands for that terminal,” says Spidle.

She explains that a terminal that is certified for MasterCard acceptance but doesn’t yet have the required Visa AIDs will trigger a fallback magnetic-stripe transaction if a Visa chip card is inserted into it.

Issuers, meanwhile, face their own fallback pitfalls as they pump out tens of millions of EMV cards this year and next. A notable one, according to Spidle, is “incorrect card personalization, usually caused by the issuer attempting to figure out all of the settings themselves, rather than using a pre-defined profile from one of the payment networks.”

She adds that “even though cards have to undergo their own levels of certification, it is possible to set something in a way that is not in violation [of] payment-network rules, but doesn’t work exactly as the issuer intended.”

Result: another fallback transaction.

Chase has experienced in Canada many of the problems Spidle outlines.

“Based on the fallbacks we have seen, it’s either been configuration errors, interoperability issues, or user error,” says Karhuniemi.

‘A Huge Impact’

Apart from EMV-specific operations, prevention of POS fraud with chip cards in many ways will be no different from what issuers already do, or should be doing: watching transaction charges, average sales, where the card is used, and all manner of related data points.

“If a transaction is coming through which sets off the usual alarm bells, that would be declined by the issuer,” says a spokesperson for the London-based UK Cards Association Ltd., a group that counts most of Britain’s card issuers as members.

The spokesperson says he does not have specific figures about fallback fraud in the United Kingdom, but he says face-to-face card fraud totaled £218 million in 2004, just before the nation began converting to chip-based card payments augmented by PIN entry. Last year face-to-face fraud was £49.2 million (about $77 million), down 78% in a decade.

“There’s been a huge impact in terms of chip-and-PIN on High Street,” the spokesperson says.

Improved mag stripes also will play a role in preventing fraud in the coming EMV environment. Track 2 on the mag stripes of EMV cards will include new data elements, NCR’s Walsh says by email. “One such data element encoded on the mag stripe is called a service code that alerts retailers that the card being swiped is EMV-enabled,” he says.

No matter how stringent the controls, however, some chip card transactions will rely on the backup mag stripe for years to come—at least 10, predicts Fair Isaac’s Warwick.

“Fallback, I can’t see it going away,” he says. “Fallback will still be with us, because what they [issuers] want is acceptance of the card.”

Check Also

How Ready Are Deployers for the Next Big Operating-System Conversion for ATMs?

Microsoft Corp. will stop supporting its Windows 7 operating system next January, and that’s set …

Leave a Reply

Do NOT follow this link or you will be banned from the site!