MasterCard has announced that in the US and Canada, it will no longer require signatures on credit card transactions. (PINs will continue to be required on debit card transactions.) MC says that this will be more convenient for the customer and that it will rely on other (unnamed) mechanisms and processes for security. Let us look at some.
First, many issuers use computer aided mechanisms to detect fraudulent use by looking at such clues as location and other patterns of use. Most of us have had calls from our banks checking on the legitimacy of activity.
In theory, the required signature resists fraudulent use of lost or stolen cards. In practice, not so much. Even when clerks reconciled the signature on the check to the one on the card, it was an imperfect mechanism. In modern systems, where no one really reconciles the signature, the best that the mechanism can do is to permit the consumer to recognize disputed items that he really did sign. However, for the most part, issuers simply accept the word of the consumer that a transaction is fraudulent. The signature does not come into play.
The best way to resist the fraudulent use of lost or stolen cards is to check that a proffered card has not been reported lost or stolen. This works well in the US and Canada, where most transactions take place on line. In countries where many transactions take place off line, PINs are used.
American Express CEO Kenneth Chenault told President Obama that AmEx detects many fraudulent transactions within 60 seconds by sending a notification of use to the consumer's mobile or e-mail in real time.
Bank of America and others resist fraudulent use by permitting the consumer to turn the card on and off using an app. Again, this works well where most transactions are on line.
Android Pay, Apple Pay, and Samsung Pay resist fraudulent use by simply taking the card out of the transaction and substituting a digital token for the credit card number. Lost mobile phones resist fraudulent reuse with PINs for security and biometrics, e.g. facial and fingerprint recognition, for convenience.
On line merchants have never had the benefit of signatures but can resist fraud by using PayPal or other proxies instead of accepting credit cards at checkout. Where the merchant cooperates and the consumer uses American Express at checkout, AmEx will prompt the user for a one-time password sent to the user's mobile. This protects the merchant, the consumer and AmEx. All of these resist "card not present" fraud.
Only the brands and issuers really know how necessary and effective signatures and PINs are: they take the risk when they are not required.
The fundamental vulnerability in the retail payment system is the credit card number in the clear on the magnetic stripe. It remains a risk to merchants and issuers but is only a nuisance to the consumer.
In short, the future is mobile, tokenized, cordless, contactless, signature-less and PIN-less, and secure.
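To make the mechanisms above concrete, here is an added example (not MasterCard's, any issuer's, or the author's code) of a toy issuer-side authorization gate. It shows the three controls the post names in place of a signature: the online check against a lost/stolen hotlist, the consumer's on/off switch, and wallet tokenization, where the merchant handles a device-bound token instead of the card number. All PANs, tokens, device names and amounts are constructed, and the token vault is an in-memory dictionary.

```python
"""Toy issuer authorization gate: hotlist check, on/off switch, tokenization.
Added illustration; every value below is constructed."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    pan: str                     # the card number the merchant should never see
    enabled: bool = True         # the app's on/off switch
    reported_lost: bool = False  # hotlist entry set by the issuer


@dataclass
class Issuer:
    accounts: dict = field(default_factory=dict)  # pan -> Account
    vault: dict = field(default_factory=dict)     # token -> (pan, device_id)

    def add_account(self, pan: str) -> None:
        self.accounts[pan] = Account(pan)

    def provision_token(self, pan: str, device_id: str) -> str:
        """Wallet enrolment: mint a random token bound to one device.
        The wallet presents this token, never the PAN, at checkout."""
        if pan not in self.accounts:
            raise KeyError("unknown PAN")
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = (pan, device_id)
        return token

    def report_lost(self, pan: str) -> None:
        self.accounts[pan].reported_lost = True

    def set_enabled(self, pan: str, on: bool) -> None:
        self.accounts[pan].enabled = on

    def authorize(self, credential: str, amount_cents: int, device_id: str = ""):
        """Online authorization. Returns (approved, reason)."""
        if credential.startswith("tok_"):
            entry = self.vault.get(credential)
            if entry is None:
                return False, "unknown token"
            pan, bound_device = entry
            if device_id != bound_device:
                # a token copied out of a merchant's records is useless elsewhere
                return False, "token not presented from its bound device"
        else:
            pan = credential  # a magnetic-stripe-style PAN in the clear
        acct = self.accounts.get(pan)
        if acct is None:
            return False, "unknown account"
        if acct.reported_lost:
            return False, "card reported lost or stolen"
        if not acct.enabled:
            return False, "card switched off by consumer"
        if amount_cents <= 0:
            return False, "invalid amount"
        return True, "approved"


def walkthrough() -> list:
    """Runs the scenarios from the post and returns the decision reasons in order."""
    issuer = Issuer()
    pan = "4111111111111111"  # constructed test PAN
    issuer.add_account(pan)
    token = issuer.provision_token(pan, device_id="phone-A")
    results = []
    results.append(issuer.authorize(token, 1999, device_id="phone-A")[1])  # approved
    results.append(issuer.authorize(token, 1999, device_id="phone-B")[1])  # token replayed elsewhere
    issuer.set_enabled(pan, False)
    results.append(issuer.authorize(pan, 1999)[1])                         # switched off by consumer
    issuer.set_enabled(pan, True)
    issuer.report_lost(pan)
    results.append(issuer.authorize(pan, 1999)[1])                         # PAN on the hotlist
    results.append(issuer.authorize(token, 1999, device_id="phone-A")[1])  # token resolves to same PAN
    return results


if __name__ == "__main__":
    for reason in walkthrough():
        print(reason)
```

The last step is the point of tokenization from the issuer's side: the token is only a pointer into the vault, so the hotlist and the on/off switch apply to it exactly as they do to the card number, while a token leaked from a merchant's records cannot be presented from another device.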
Friday, October 20, 2017
Monday, November 23, 2015
On Resisting Payment Fraud
A recent report suggested that credit card numbers captured by malware installed on point of sale devices at hospitality sites, including twenty at Starwood Property Group hotels, are being used in fraudulent transactions. The Verizon Data Breach Incident Report (DBIR) confirms that point of sale devices at hospitality sites frequently leak credit card numbers.
But there is no shortage of compromised credit card numbers; their street price is approaching a dime a dozen. It is too late to address fraud by keeping credit card numbers secret. We need a new strategy, similar to those being promoted by American Express and described by Ken Chenault at President Obama's Conference at Stanford University.
Chenault told the conference that by confirming every card transaction to the customer's mobile, they are able to detect fraudulent transactions within sixty seconds. This is just one example of how we can use the mobile to resist fraud.
American Express also confirms transactions by e-mail. In order not to overwhelm the mailbox, the customer can set thresholds. One switch is the "card not present" switch. If, as expected, mobile transactions and EMV cards drive fraud to CNP, then the ability to detect fraud early, for example before goods are shipped, will be key to resisting fraud.
We need a strategy that relies not on secrecy but on feedback. The default should be that the subject of a record is notified of any change or query to that record, and that the owner of every account is notified of every transaction. The digital networks not only make this possible but cheap enough to be efficient.
Needless to say, the lobby of the credit reporting industry, which is empowered by law to charge the consumer for telling him about the content of and activity on his record, will resist this strategy. Legislation will be required to change this, but it is essential to resisting application fraud.
On the other hand, American Express and its competitors are embracing it. Even bankers are embracing it. My little three-branch community bank uses SMS to notify me intra-day of all large (as defined by me) transactions to my account.
Eventually competition and efficiency will force most enterprises to adopt these tactics. You can make it strategic rather than merely tactical.
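The notify-and-confirm loop the post attributes to American Express, with the customer's amount threshold and "card not present" switch deciding which transactions are pushed to the mobile, as an added example that is not the author's or AmEx's code. The sixty-second window, the thresholds and every transaction below are constructed for illustration; the point is that a CNP order the customer has not recognised within the window can be held before goods ship.

```python
"""Transaction feedback loop: threshold alerts, CNP switch, confirm/dispute
within a window. Added illustration; all data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AlertPrefs:
    amount_threshold: float  # alert on any transaction at or above this amount
    notify_all_cnp: bool     # the "card not present" switch


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: float
    merchant: str
    card_present: bool
    at: datetime


def should_notify(txn: Txn, prefs: AlertPrefs) -> bool:
    """CNP transactions always alert when the switch is on; everything
    else alerts by amount, so the mailbox is not overwhelmed."""
    if not txn.card_present and prefs.notify_all_cnp:
        return True
    return txn.amount >= prefs.amount_threshold


class FeedbackLoop:
    """Tracks alerted transactions until the customer answers or the
    response window (sixty seconds here) runs out."""

    def __init__(self, window: timedelta = timedelta(seconds=60)):
        self.window = window
        self.pending = {}   # txn_id -> Txn awaiting a customer reply
        self.outcomes = {}  # txn_id -> silent | confirmed | disputed | ... | unanswered

    def observe(self, txn: Txn, prefs: AlertPrefs) -> str:
        """Decide whether to push the transaction to the customer."""
        if should_notify(txn, prefs):
            self.pending[txn.txn_id] = txn
            return "alerted"
        self.outcomes[txn.txn_id] = "silent"
        return "silent"

    def reply(self, txn_id: str, recognised: bool, at: datetime) -> str:
        """Customer answered the alert; late answers are kept but flagged."""
        txn = self.pending.pop(txn_id)
        late = (at - txn.at) > self.window
        outcome = "confirmed" if recognised else "disputed"
        if late:
            outcome += "-late"
        self.outcomes[txn_id] = outcome
        return outcome

    def sweep(self, now: datetime) -> list:
        """Expire alerts the customer never answered. For CNP orders a
        merchant would hold shipment on these rather than ship blind."""
        expired = [tid for tid, t in self.pending.items() if now - t.at > self.window]
        for tid in expired:
            self.outcomes[tid] = "unanswered"
            del self.pending[tid]
        return expired


def run_demo() -> dict:
    """Constructed day of transactions; returns the outcome per transaction id."""
    prefs = AlertPrefs(amount_threshold=100.0, notify_all_cnp=True)
    t0 = datetime(2015, 11, 23, 9, 0, 0)  # constructed timestamps
    txns = [
        Txn("t1", 4.50, "Coffee shop", True, t0),                                # small, in person
        Txn("t2", 250.00, "Electronics store", True, t0 + timedelta(minutes=1)),  # over threshold
        Txn("t3", 19.99, "Web shop", False, t0 + timedelta(minutes=2)),           # CNP, switch on
        Txn("t4", 899.00, "Web shop", False, t0 + timedelta(minutes=3)),          # CNP, switch on
    ]
    loop = FeedbackLoop()
    for t in txns:
        loop.observe(t, prefs)
    loop.reply("t2", True, t0 + timedelta(minutes=1, seconds=20))   # recognised in 20 s
    loop.reply("t4", False, t0 + timedelta(minutes=3, seconds=45))  # disputed in 45 s
    loop.sweep(t0 + timedelta(minutes=10))                          # t3 never answered
    return loop.outcomes


if __name__ == "__main__":
    for txn_id, outcome in sorted(run_demo().items()):
        print(txn_id, outcome)
```

The design choice worth noting is that the loop stores nothing secret: it works entirely from the transaction record and the customer's answer, which is what "feedback rather than secrecy" means in practice.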