1Payment Trends: Fraud, Risk Management, & EMV Rocky Mountain AFPJan. 22, 2014Matt Davies, AAP, CTP, CPPFederal Reserve Bank of Dallas
2FRB Dallas Payments Fraud Survey FRB Dallas, collaboration w/ other FRBs, and ICBA of AmericaAddressed payments-related fraud experiences of banks and businessesHelp us better understand new or continuing challenges with payments fraud, and methods used to reduce fraud riskFive TX AFP/TMA chapters, and SWACHA, distributed to membersSurvey results:Dallas District:National:
3FRB Dallas Payments Fraud Survey Payment-related fraud remains a significant concern for financial institutions (FIs) & corporatesFor FIs, signature debit card is the payment instrument most vulnerable to attempted fraud & FI lossesOver half of FIs reported that signature debit card losses from fraud exceeded their investment in mitigation to prevent such fraudPerhaps a cost-effective opportunity to increase fraud prevention investments
4FRB Dallas Payments Fraud Survey For non-FIs, check continues to be the payment instrument most vulnerable to attempted fraud & lossesCorporate account takeover can result in significant losses, but was not identified as a commonly-occurring fraud scheme that affected a high percentage of respondents to this survey*Most FIs & others report total fraud losses that represent less than 0.3% of their annual revenuesStrategies to detect & prevent fraud effectively require the use of multiple mitigation methods & tools – i.e., a “layered” strategy
5FRB Dallas Payments Fraud Survey Two-thirds of respondents that reduced their fraud losses cited as factors:Enhanced fraud monitoring systemsEmployee education & trainingOffering risk mitigation services to customers is a growing area of opportunity for FIsCost is the main barrier that prevents FIs & others from investing more in mitigating payments fraudFIs & others are focused now on the need for alternatives to magnetic stripe authentication technology to secure card payments [=EMV]
6AFP Fraud Survey 2013 AFP Payments Fraud and Control Survey Organizations generally do not change out affected bank accounts after experiencing fraud. Instead:Rely on established controls to identify additional incidences (38%), orMake adjustments such as changing the check series or adding new controls (24%)Best practice: Daily reconciliationBest practice: Segregating accounts: 74% of organizations maintain separate accounts for different payment methods and types.
7Check/Check 21 Fraud Prevention Traditionally, organizations relied upon physical security features of a paper check (watermarks, microprint, or special ultraviolet ink).These features are rendered useless for verifying the authenticity of check images.As a result, organizations need to use acceptable alternative methods for detecting fraud, without using the original physical checkC21 Indemnity Provision - Claim can be filed if:Orig paper check had security features NOT visible after imagingFI would have physically reviewed the item
8Check/Check 21 Fraud Prevention Positive Pay/Reverse Positive Pay/Positive Pay with Payee Verification2010 check fraud case: Cincinnati Insurance Co. v. Wachovia BankMake large dollar payments electronically.Avoid using laser checks.Use a controlled stock of high security checks, with safety features such as a true watermark, thermochromatic (heat sensitive) ink and reactivity to various chemicals.FIs: Lower sight review thresholds, and re-train inspectors to look for physical security features
9Mobile RDC Risk mitigation: Risk: “Double Dipping” (or Triple, etc.) FIs that offer mobile RDC should have protections in place to block duplicate depositsDo not have to offer mobile RDC to all customers; “qualify”Typically limit the dollar amount that can be deposited (daily, monthly)Risk: “Double Dipping” (or Triple, etc.)Hacks waged against mobile will likely increase.As more FIs launch mobile RDC, those threats will grow.If users save check images they capture with their mobile-phone cameras, that creates more risk.Mobile-banking apps that transmit check images also can be compromised with malware.
10Corporate Account Takeover Account takeovers have grown more common, as fraudsters go after smaller businesses and smaller banks, where security is often weaker.Many small business owners are no more savvy about risks than the average consumer
11Corporate Account Takeover Individual Americans are protected by Reg E & are liable for a maximum $50 if a cyber-thief strikes.Companies have no such guarantees.In the US, corporate customer liability is governed by the Uniform Commercial Code (UCC).Companies are responsible for stolen funds if:they have agreed to a security procedure with the bank,the bank followed it, andthe procedure was ‘commercially reasonable.’
12FFIEC Guidance FFIEC Supplemental Guidance on Internet Authentication Released June 2011Supplement to Authentication in an Internet Banking Environment guidance issued October 2005Lays out three broad steps banks should take to guard against malware attacks.Reaffirms the need for banks to conduct risk assessments at least once a yearEstablishes minimum requirements for educating customers about online fraud.
13FFIEC Guidance Prescribes layered security for business accounts Including the ability to detect and respond to suspicious activity when logging in and initiating transactions.Stop relying on tokens, passwords and cookiesUse “layered security,” including software that flags unusual behavior such as multiple transfers within minutes to new recipientsDirects FIs to add security for business bank accounts, including enhanced controls over admin functionsDoes not endorse any specific technology for doing soFI should make clear to business customers they are not protected by Reg E
14Corporate Account Takeover Experi-Metal - Small parts supplier for US auto industry, based in MichiganSigned up for online banking in 2000“Regularly received s from the bank with instructions”Jan. 22, 2009 – Controller received a fraudulent appearing to come from Comerica directing him to fill out a ‘Comerica Business Connect customer form,’ including his user name, password and pin from a token (7:35 a.m.)
15Comerica vs. Experi-Metal By 2:02pm, 93 payment orders had been issued in Controller’s name, sending $1.9m to accounts in Russia, Estonia and other places where Experi-Metal had never done business (acc. to court records, had sent such wire transfers only twice in the previous two years)Four hours into events, JPMC, party to 6 transfers destined for customer accounts at Alfa-Bank, Moscow, called with suspicions. Still, a further hour and ½ passed before Comerica stopped the transfersFraudulent wire transfers totaled more than $1.9m; Company lost $560,000
16Comerica vs. Experi-Metal Experi-Metal sued Comerica; case tried in Detroit in 2011.Experi-Metal and Comerica had had good relations until the incident.Case hinged on whether:Comerica’s practices were “commercially reasonable”;any reasonable practice must include forthright behavior or “fair dealing”;whether Comerica’s defenses and response on the day were so lax as to be objectively unfair.
17Comerica vs. Experi-Metal Experi-Metal’s expert witness on bank security testified that most banks could spot anomalies, a point which Comerica disputed.Comerica said it should not have been expected to do so; it had no obligation to monitor what was happening in customer accounts.“Comerica’s employees did not purposefully allow any fraudulent wires to leave the bank once the fraud was confirmed,” adding that the bank was “entitled to rely on its customer’s assurance that it would keep confidential its login ID, password and secure token number.”
18Comerica vs. Experi-Metal Judge disagreed:Though the regulatory guidance then in effect did not require better monitoring, Comerica was not acting in good faith if it merely had a “pure heart and empty head.”Citing numerous oddities about the transactions and the slow reaction when JPMC called, the judge concluded that he was “inclined to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.”Ordered Comerica to reimburse Experi-Metal $560,000; settled in August 2011 for an undisclosed amount.
19PATCO v. People’s United PATCO Construction (Maine) vs. former Ocean Bank (now Peoples United)Court delivered a different legal outcome.Case spurred by the fraudulent ACH transfer of $545,000 in May 2009Magistrate sided with the bankPATCO appealed the ruling
20PATCO v. People’s United 7/3/2012: First Circuit Court of Appeals, Boston, reversed the district court’s 2011 ruling in PATCO…; ruled in favor of PATCOFurther recommended that the two parties pursue an out-of-court settlement of the case.Ruling describes the bank’s security procedures as “commercially unreasonable”; bank should have detected and stopped the fraudulent transactions
21PATCO v. People’s United Decision demonstrates that effective data security is not just about the technology; it is equally about people.The bank’s system allowed for:Used by the bank: UID & password, customer device recognition by IP address & cookie, transaction risk profiling, challenge-response based upon shared secrets, dollar amt. threshold for invoking challenge-response, access to intelligence from the eFraud Network including IP addresses of known hostile systemsNot used by the bank: one-time-password tokens, out-of-band authentication, user-selected image for recognizing the bank, risk scoring reports
22PATCO v. People’s United Court’s decision: The heart of the problem was not with the technology, but with the decisions made by the bank.Bank triggered challenge questions for any transaction over $1.This increased the frequency with which a user was required to enter answers to challenge questions; increased the chance that authentication info could be stolen by hackers (e.g. through a keylogger or other malware).When the system triggered warnings that fraud was likely occurring, bank personnel did not monitor transactions, or provide notice to customers before allowing transactions.Bank personnel did not monitor risk-scoring reports.Bank did not conduct regular reviews of transactions that generated high risk scores.
23PATCO v. People’s United Bank employees should have been aware of the increased risk of compromised security; at the time in question, keylogging malware was a “hot topic” in the financial industry (and continues to be).Bank personnel should have understood that triggering the same challenge questions for all transactions (high- risk and ordinary) was not effective as a stand-alone backstop to password/ID entry.
24PATCO v. People’s United Bank’s decision to set dollar amount rule at $1 for all customers ignored legal requirement that security procedures take into account “the circumstances of the customer” known to the bank.Instead, bank was using OSFA approachBank did nothing with the info generated by comparing the fraudulent transactions against the customer’s profile.Other banks’ clients using the same security product employed manual reviews or some other security measure to protect against the type of fraud that occurred in this case.
25PATCO v. People’s United Takeaways:Review the items outlined above and compare for your organization; these factors could lead a court to conclude that your security procedures are not commercially reasonable.When purchasing a technology solution for info security, it must be robust & commercially reasonableHuman factors are important for properly implementing/using a system.Do not set system alerts or alarms to be overly-sensitive (“boy who cried wolf”)
26PATCO v. People’s United Continually review your system & personnel procedures to ensure they continue to meet with industry standard security measures, & are appropriate to meet continually changing risks and threats.Security is not OSFA:Should be configured to your organization; ANDProcedures/actions taken in response to security system outputs must take into account each customer’s own unique circumstancesEnsure that personnel are properly trained on info security systems, and that they monitor its outputs through manual reviews and similar procedures.SOURCE: “Appellate Court Decision Demonstrates Security Is Not Just about Technology – It’s about People,” Foley & Lardner LLP 8/16/2012
27Choice Escrow & BancorpSouth 2010: Choice Escrow & Land Title, victim of hackers who obtained its online banking details using malware and wired $440,000 to a bank in Cyprus.Later that year, Choice sued BancorpSouth for failing to provide “commercially reasonable security,” demanding damages and recovery of losses related to the attack.2012: The bank filed a counter-suit, arguing that Choice should be held responsible for losses, damages and legal costs.US district court in Missouri dismissed the counter-claim, though judge said it was a “very close call.”SOURCE: “US court dismisses bank's counter-suit against hacked customer,” Finextra, Aug. 29, 2012
28Choice Escrow & BancorpSouth March 2013: U.S. District Court for the Western District of Missouri rejected Choice’s suit against BSB.Court’s decision was based on the fact that Choice declined to use security measures BSB had encouraged it to use.When Choice adopted online banking in 2009, BSB usually required that customers use dual control.Choice declined dual control on two different occasions: it preferred convenience; the employee who handled wire transfers was often in the office by herself.Choice Escrow is appealing (as of June 2013).
29Dual ControlAlternatives for customers that are too small to have dual custody (e.g., a company only has two employees)?E.g., Wells Fargo this year introduced a feature called secure validation.When a customer submits a payment, the bank can text or call the user’s mobile device and provide a number that the customer then has to enter in a field on the site.
30Park Sterling Bank/Wallace & Pittman Park Sterling Bank, Charlotte ($2bn)Suing law firm Wallace & Pittman to recover funds the firm sent electronically to Russia after an purporting to be from an industry group lured someone at the firm to surrender user name and network passwordFraudsters hijacked W&P’s account and instructed Park Sterling to transfer roughly $336,600 through JPMC to a recipient in Moscow.W&P asked Park Sterling to stop the transfer after receiving confirmation of it, but the request allegedly came too late.Park Sterling initially refunded the sum stolen but later demanded its return.
31Park Sterling/Wallace & Pittmann Park Sterling claims W&P failed to use dual control, and that the agreement governing the firm’s account put the risk of loss on the firm.W&P claims PSB should have flagged the transfer, as it was the first international transfer W&P made, and that the bank should have warned customers about phishing attacks.
32Efficient Services Escrow Group July 2013: AP reports that the bank account of a California escrow firm, Efficient Services Escrow Group, was hacked in December 2012 and January , with three payments totaling $1.5 million wired to accounts in China and Russia.Only $432,215 was recovered, and the company was shut down.
34Prevention A wealth of info online about corporate account takeover. Basic principles a company should follow to prevent takeover: daily account recon, employee education, security, use of multifactor authentication and dedicated PC(s) for performing online banking functions.Perhaps less emphasized:Preparedness: A company’s risk profile/risk assessment should include information about corporate account takeover.How will you attempt to prevent it (operational)?How will you mitigate the risks associated with it (financial/reputational)?No one-size-fits-all solution; each organization’s plan will likely vary.
35PreventionSecurity:Use of firewalls, antivirus, anti-spyware, anti-malware, etc., is often touted for preventing corp. acct. takeover. Are you using these?More importantly, are you using products that form a “suite”? “Security programs from multiple companies sometimes do not work well together, often working against each other.” [NACHA]Minimize the number of employees user accounts with admin rights; many malware programs can infect a PC only if the user has admin rights.Restrict use of flash drives to those provided by your IT dept.NACHA, “Sound Business Practices for Companies to Mitigate Corporate Account Takeover” (Spring 2011): https://www.nacha.org/userfiles/File/Sound%20Business%20PracticesBusinessesFinal pdf
36“In Case of Emergency. . .”Employee education is crucial; employees should know whom to notify and how regarding any suspicious activity.Corporates should work with FI to ensure online access to user accounts is disabled; all online banking users will need to change online banking passwords, or open new accounts, if necessary.Review all recent transactions and authorizations on the account; if any are suspicious, cancel or reverse them as soon as (and if) possible.Beyond reviewing transactions, FI should ensure that hackers have not created any new users or payees, requested a change address/phone number/etc., changed access levels of any user, altered ACH batch or wire transfer templates, or ordered new cards, checks or other documents.
37“In Case of Emergency. . .” File a police report regarding the event. May help you in working with FIs, insurance companies or other entities that may need to be involved in subsequent investigations.Keep detailed records of what has happened and steps you have taken to resolve the situation.You may need to take additional action if your organization accepts credit cards.
38TexasTexas Bankers Electronic Crimes Task Force (Texas Banking Commissioner; U.S. Secret Service)Best Practices: Reducing the Risks of Corporate Account Takeovers (September 2011)ProtectDetectRespond
39DDoS Attacks Distributed Denial of Service May be used to distract/confuse security staff at financial institutions to initiate fraudulent wire transfersNOT like the high-volume DDoS attacks which, over the last year, have brought down many U.S. FIs’ sitesNo thefts have been associated with those attacks; politically motivated
40DDoS Attacks2/2013: Brian Krebs, security blogger, reported a 12/24/2012 event at Bank of the West, in which DDoS was used as a distraction; $900,000 loss.Once the DDoS was underway, hackers took over of the payment switch (e.g., wire application), using a privileged user account with access to it.Then, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move money from many accounts.If you are/your FI is under a DDoS attack, pay attention to wire system
41Tax Return FraudIdentity thieves file fake federal returns using taxpayers’ SSNs; taxpayer who files subsequently finds his or her return rejected because someone already received a return using that identity.641,052 taxpayers affected by ID theft in 2011, more than double the number affected in 2010IRS detected 940,000 fake returns for 2010, in which ID thieves tried to obtain $6.5 billion in refunds
42Tax Return Fraud Prevention: IRS now uses a code to identify taxpayers who have died, so their numbers cannot be used by thievesIRS has issued more than 250,000 identity protection numbers to ID theft victims to use to prove they are the legitimate taxpayers when they file returns.IRS will be implementing measures to resolve cases faster.Taxpayers should guard SSN, and file tax returns as early as possibleSOURCE: Eileen Ambrose, “Protect Your Tax Return from Identity Thieves,” The St. Louis Post-Dispatch, Sunday, May 27, 2012, p. D2
43Internal Fraud Liberty Bell Bank, New Jersey $170 million in assets In 2011, an employee stole $301,000 from the bank.The bank did not have insurance coverage, so its bottom line took a direct hit; in its 2011 annual report filed with the FDIC, the bank would have reported net income of $375k for the year, but instead reported a full-year profit of $74,000.Andy Peters, “Liberty Bell Bank [NJ] Suffers $301,000 Loss from Employee Theft,” Americanbanker.com, April 13, 2012
44Data BreachesMany FIs and corporates do not have a written plan for dealing with breaches; all should have one.Plan should identify what executives are involved and howShould be as detailed as a plan for handling a robbery, branch fire, etc.FIs need to be able to act quickly, using fraud analysis technologies.
45EMV Europay, MasterCard, and Visa 1994: Founded the global standard for credit and debit payments based on chip card technology.Today, Europay is owned by MC; EMV standards are set by EMVCo, a joint venture of Visa, MC, AmEx, JCB, Discover and UnionPay.
46EMV“Chip cards,” “chip and PIN cards,” and “smart cards” are used interchangeably.Plastic cards that contain an integrated circuit, or microprocessor, that contains payment-related information protected by layers of security.
47EMVEMV cards include a microchip that sends a dynamic protected value unique to each transactionFurther security features embedded in the chip will support additional validation by PIN, based on the card issuer’s requirements.PIN is most common in other countries
48EMVEMV standards have been adopted in many other countries, but the U.S. has lagged behind.Reluctance due to the cost of changing payment terminals to accept chip payments.Some American card issuers have begun issuing cards containing EMV chips, e.g., to frequent international travelers so that they don’t have payments problems abroad), but many have yet to move in that direction.The cost of terminal and card migration may be as high as $12bn (Javelin).
49EMV Two Ways of Accepting Chip Card Payments Contact (“dipping” the card): Cardholder inserts card into POS device. Card remains in device until completion of the transaction. If a customer removes the card before the charge is approved, the transaction will fail and the customer will be required to provide the card again.Contactless (“tap-and-go”): Cardholder waves the card by the chip card-enabled POS device to provide payment information. Once the transaction has been authorized, customer might then be prompted to enter PIN or sign a receipt.
50Dynamic Authentication EMV relies on dynamic authentication: use of changing variables unique to each individual card transactionWhen traditional mag-stripe cards are swiped at POS terminal, mag-stripe data, such as primary account number (PAN) and expiration date, are transmitted to the card issuer.The data is “static data”—it remains the same for each transaction.
51Dynamic Authentication In EMV transactions that use dynamic auth., the chip generates a unique cryptogram using transaction data each time the card is inserted into the chip terminal.The cryptogram is sent to the card issuer, which uses its keys and codes to calculate a cryptogram based on the same transaction data.If the two cryptograms match, the issuer knows the data is from a valid card.Effectively, you have a different number being sent each time.Dynamic auth. makes the chip almost impossible to counterfeit.
52PIN AuthenticationIn many countries, EMV cards are also authenticated by PINs.PINs are static data, and are actually less secure, primarily used in cases where offline authorization/ authentication are used—e.g. areas where there is no or limited availability of online (real-time) authorization.Areas or countries with unreliable or under-developed phone land-lines.
53Dynamic Authentication PINs are often used in European countries with chip cards because real-time auths are either expensive or not available.The U.S. has an extensive, reliable telecomm infrastructure for processing online transactions, so dynamic auth may become the standard.Some unattended POS (kiosks, vending machines) may not have online capabilities allowing for real-time auth of the PINWill allow for faster transactions if you are just sending details online to the issuer to do the auth, instead of having the auth conducted offline between the card and the terminal first.EMV can support chip-and-signature transactions and chip- and-PIN, with both backed by dynamic authentication.
54Benefits of EMV Reduction in counterfeit card fraud (for all players) Reduce copying (“skimming”/cloning of mag-stripe cardsWorldwide deployments have shown chip cards are more secure than mag-stripe cardsAccording to Financial Fraud Action UK, after introduction of EMV cards and readers, overall credit card fraud in the UK was reduced by 32.5 % between 2004 and 2011, with fraud from lost or stolen cards decreasing %.Counterfeit magnetic stripe cards dropped 72.5 % during the same time periodAs U.S. prepares to move to EMV, other countries may accelerate their own EMV initiatives; as this would reduce mag-stripe fraud in the U.S., fraudsters would have to look to other non-EMV countries.
55Additional Benefits of EMV MerchantsVisa TIP program (end mandate for validation of PCI compliance)Potential reduction in interchange rates due to reduced fraudAcquirersLeverage platforms and technologies deployed in other EMV marketsU.S. Card IssuersConsumers can use cards issued (avoid difficulty using mag-stripe cards abroad)ConsumersMore secure transactionsGlobal use of smart cards (U.S. consumers have had difficulty using mag-stripe cards abroad)
56Costs of EMV Merchants Acquirers U.S. Issuers Consumers Capital and resource investments AcquirersMigrate merchants, processes and technology to EMVReduced revenue from fewer chargebacks and non-PCI compliance feesU.S. IssuersIssue new, more expensive cardsTrain consumers to use new cardsConsumersPossibly learning to enter PIN for credit (and remembering a perhaps infrequently-used PIN that is different from the customer’s PIN debit/ATM card)
57Card Associations & EMV Visa roadmap to EMV (August 2011)Expand TIP: Visa will expand its Technology Innovation Program (TIP) to merchants in the U.S.TIP ends the mandate for merchants to validate compliance with the PCI Data Security Standard (PCI DSS) for any year in which 75% of the merchant’s Visa transactions stem from chip-based terminals.To accommodate the Visa mandate, merchants must use terminals that support both contact and contactless chip technology.“Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable.”
58Card Associations & EMV Build Infrastructure: Visa required U.S. acquirer processors and sub-processors to support merchant acceptance of chip transactions by April 1, 2013.Chip acceptance requires service providers to be able to carry and process additional data included in chip transactions, including the cryptographic message that makes each transaction unique
59Card Associations & EMV Liability Shift: Visa will institute a U.S. liability shift for domestic and cross-border counterfeit card-present POS transactions, eff. Oct. 1, 2015.Fuel-selling merchants have until Oct. 1, 2017, for transactions at automated fuel dispensers, due to the added expense of updating.Encourages EMV adoption:Currently, POS counterfeit fraud is largely absorbed by card issuers.With liability shift, if a contact chip card is presented to a merchant that has not adopted contact chip terminals, liability for counterfeit fraud may shift to the merchant’s acquirer.The acquirer will likely shift that liability down to the merchant.
60Card Associations & EMV Visa’s plan is somewhat controversial; it downplays PIN in favor of dynamic authentication, despite the PIN’s popularity with merchants and EFT networks.Some of the early EMV chip cards from U.S. issuers use signature rather than PIN authentication.Differs from Visa’s approach elsewhere (e.g. Australia)
61Card Associations & EMV MasterCard & ATMsAs of April 19, 2013, all ATMs that accept MasterCard’s Maestro international card must be made compatible with EMV cardsIn Oct. 2016, a liability shift hierarchy will be introduced for ATM transactions in the U.S.All ATMs that accept any MasterCard card need to be EMV compliantAfter October 2016, FIs can hold ATM operators liable for fraudulent withdrawals and cash advances from debit and credit cards.It costs approximately $2,000 to upgrade an ATM to be EMV-capable (Aite).
62Card Associations & EMV Visa & ATMs (January 2013)Oct. 1, 2017 deadline to shift liability for counterfeit-card fraud to owners of machines not equipped to accept EMV cards.One year later than the deadline set by MC.Visa will also require ATM processors to be capable of handling EMV transactions by April 1, 2015.Many ISOs that drive ATMs are not ready to support EMV at this time
63Card Associations & EMV MasterCard and Card-Not-Present (CNP) TransactionsAdoption of EMV at POS can divert criminals to online card fraud instead.MC will announce an EMV-related liability shift for online and other CNP transactions.Merchants that haven’t adopted acceptance technology that supports chip cards will assume from issuers the liability for counterfeit-related fraud.
64Card Associations & EMV MasterCard and CNP Transactions (cont’d):Possible technologies consumers might use for online EMV transactions include:a chip-equipped “display card”a special fob that can read chip cards.In either case, consumers could generate a unique code they could enter to secure an online transaction
65Card Associations & EMV Discover EMV plan (March 2012):Discover calls its EMV payment specification “D- Payment Application Specification” (“D-PAS”)The mandate applies not only in U.S., but also Canada, Mexico.Oct. 1, 2015: Liability shift for Discover and Pulse (debit/ATM network)Jan. 2012: Discover processed its first U.S. EMV transactions at some locations of Wal-Mart, which is D-PAS certified in the U.S. and Canada.
66Card Issuers & EMV BofA – Chip and PIN Citi – Chip and PIN Cards available to commercial customers JanFirst EMV card application - T&E cards; eventually will add EMV capabilities for purchasing cardsBofA feels that with chip and signature, a user may still have problems using an EMV card at unattended terminals and train ticket kiosks [in Europe].Citi – Chip and PINJPMC – Chip and SignatureU.S. Bancorp – Chip and SignatureWells Fargo – Pilot enabled both Signature and PIN-based cardholder verification.Commerce Bank (Kansas City; $22bn)
67Merchants & EMVMerchants ultimately will bear the cost of new POS hardware, software, and changes in their payment-processing operations to accept chip cards.Only 3% of the POS terminals in the U.S. are EMV ready (Aite, April 2012)Wal-Mart has been pushing for EMV adoption for years.Oct. 2011: Wal-Mart turned on EMV acceptance at fewer than 100 stores (of approx. 3,600 in U.S.)Most in areas that draw foreign visitors, such as Orlando, FL.Payment cards in EMV countries typically still come with a mag-stripe. When a foreign visitor in a Wal-Mart store equipped with EMV terminals tries to swipe a chip card at a terminal, which would activate the mag-stripe, the terminal prompts the cardholder to “dip” the card into the device so that it reads the chip.Wal-Mart, Home Depot and AMC Theaters all prefer PIN in U.S. EMV scheme
68Issues (ASC X9) EMV’s age EMV is a proprietary standard Governments and other entities around the world are looking for open, non-proprietary standardsAbility of eventual U.S. implementations to interoperate with deployments overseasIssuers, merchants, or processors to have a say in how the standard worksAccording to ASC X9. . .
69Outstanding IssueUnlike mag-stripe cards, the global EMV standard doesn’t allow for the Durbin Amendment’s requirement that debit cards must offer merchants a choice of at least 2 unaffiliated networks on which to route transactions.Each EMV application is proprietary to a card brand, so while multiple payment methods may be available on the app, it supports only one network.In the EMV specification, the application identifier (AID) is a string of characters that identifies both the network brand and the specific type of card (e.g. credit or debit).Applications run under the AID and control such functions as online and offline authorization and security.
70Outstanding Issue3/19/2013: SRPc announced it would adopt a common U.S. debit AID by licensing Discover’s D-Payment Application Specification (D-PAS).Discover solution has been in the market for 4 years and has millions of EMV cards from international issuers using itCoalition members include 10 of the largest EFT networks: AFFN, ATH, Co-Op Financial Services, Jeanie, NETS, NYCE, Presto!, Pulse, Shazam, and Star.Account more than half of U.S. PIN-debit transactionsAdditional networks expected to join in the futureThe largest PIN-debit network missing: Visa’s InterlinkAlso missing: MasterCard’s Maestro; Fiserv Inc.’s Accel
71Outstanding IssueVisa and MC have agreed to share their technology, while independent debit networks have said that Visa and MC applications are welcome on their Discover- based common AID.The common AID tries to “preserve what happens today” in debit routing, because if all networks had their own application, it would call for “a lot of intelligence in the terminal” to route the transactions to the proper network.
72Solution – SRPc/Discover Under Durbin, it is up to merchants to decide how a transaction made on an EMV debit card will be routed.If the merchant chooses an EFT network associated with the SRPc, the Discover technology will allow the transaction to be routed “just like a mag-stripe transaction.”
73Solution – All?July SRPC has agreed to allow EMV applications other than its own to work on chip cards in the US.Opens the door for chip applications from Visa and MC, which the SRPc had previously barred.SRPc continues to insist that ownership of the common AID must be held equally by all networks, with each network having an equal share in governance.As of August 2013, with the ruling against the Fed's debit interchange regulations, issuing banks aren’t sure what the ruling will mean for the work that has been completed on establishing a common AID.John Stewart, “Debit Networks Offer EMV Compromise That Would Allow Visa, MC Apps,” Digital Transactions News, July 24, 2013SRPc has agreed to allow EMV applications other than its own to work on chip cards in the US. The new position taken by the SRPC represents what the group calls a “major compromise” and opens the door for chip applications from Visa and MC, which the SRPc had previously barred.SRPc presented its compromise at a meeting of the EMV Migration Forum in July 2013“Pulls back” on a requirement that the common AID…used with chip card transactions operate only with Discover’s D-PAS.This means the debit networks, which had previously opposed chip applications from MC and Visa, have now greenlighted them.“No issuer will be restricted from using an app as long as it’s approved by EMVCo.,” says Terry Dooley, SVP/CIO, Shazam.The proposal maintains the SRPc’s longstanding insistence that ownership of the common AID must be held equally by all networks, with each network having an equal share in governance.This latest proposal from SRPc comes on the heels of a breakthrough announced earlier this month in which the networks, including Visa and MC, agreed to allow competing EMV solutions so long as only one resided on any given card for U.S. usage (technically, each card will carry two applications, since an extra one is necessary for overseas usage).NYCE’s Woodbury credits that development with stimulating the SRPC’s willingness to allow applications like the Visa Smart Debit/Credit (VSDC) and M/Chip applications from Visa and MC, respectively.Still, the SRPc’s proposed compromise remains only a proposal for now. Debit network officials say they have little indication of how Visa and MC will react.Neither of the two major payments networks had comment after the meeting specific to the debit networks’ proposal.Visa & Mastercard support common solutions to enable US chip debit routing 7/30 MCMC & Visa announced an agreement to license their respective common US debit solutions to each other to meet the industry need for a streamlined approach to route US chip debit transactions over multiple, unaffiliated networks.Visa & MC have made certain proprietary EMV chip technologies available to each other & other networks, enabling a debit chip transaction originating from a single chip application to be routed by the merchant to Visa, MC or any other US PIN debit network that elects to participate in these same solutions…[S]aid Chris McWilton, MC: ‘By providing every US debit network with an efficient, market-ready answer, we are delivering a proven solution that not only preserves merchant routing choice, but ensures seamless interoperability with all other EMV programs across the globe.’In opening their investments & technologies to the industry, the 2 brands will further accelerate the US market to a more secure chip-enabled market. ‘This approach offers issuers, acquirers & merchants a streamlined solution for debit chip card routing, helps ensure a cost-effective migration, & enables even broader adoption of secure, convenient chip debit programs in the US,’ said Elizabeth Buse, Visa. ‘Importantly, this solution allows merchants & acquirers to deploy payment terminals using existing chip technologies that are widely integrated into existing chip card acceptance solutions.’Issuers will be able to load their global brand’s application onto their cards—either Visa or MC—& flexibly enable transactions to route over any participating PIN debit network within the US. This approach is consistent with the EMV Migration Forum’s recommendations resulting from the aligned merchant & issuing communities’ needs for a single common debit application identifier (AID) & single application on each card. The solutions offered by Visa & Mastercard will significantly reduce the complexities of the US EMV implementation.
74Business Case?“Fraud is a small, albeit growing, expense on an issuers' income statement.”—Douglas King, Payments Risk Expert, FRB AtlantaE.g., Discover reported $93 million in fraud losses for 2012; (about $8 million more than it spent on postage).Net charge-offs from credit card debt cost: Over $1.2bn in ; as much as $3.7 billion in 2010.CNP fraud continues to rise; EMV does not effectively prevent it in today’s online environment.
75Will EMV Work?Karen Webster, “PYMNTS Prophecies: Our Take On Eight Predictions” Jan. 1, 2013“EMV as a technology standard won’t make it in the U.S…I know that there is a liability shift expected in 2015, but that date will shift since there is no way that merchants in the US will be able to comply—and there’s precedent everywhere in the world for that to happen. Once it does…Merchants will make the point that the problem that EMV was intended to solve a decade or two ago in Europe doesn’t exist in the U.S. today, and a smart alternative will emerge to leapfrog the EMV deployments as they are currently envisioned. It is hard to imagine the U.S., on a wholesale basis, spending tens of billions of dollars to implement an ‘old’ technology. Rather, this smart alternative will pave the way for a global standard that will enable the global compatibility that it is argued EMV would provide. This also means the future of NFC in the US will remain uncertain, since there won’t be a critical mass of terminals at merchants for some time to come.”