EMV On-Campus Post Liability Shift Don Smith VP Payments Product Management Higher One June 6, 2016 2016 Higher One Inc. d/b/a/ CASHNet. All rights reserved.
2 Agenda What is EMV and why are we moving in this direction? EMV Market Update Impact on Card Not Present Fraud Considerations for Your Campus Questions
Q: What is EMV?
4 EMV EMV = Europay MasterCard Visa Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI) Standards overseen by EMVCo (Amex, Discover, JCB, MC, UnionPay, and Visa) Accepted on 6/7 continents U.S. slow to adopt
5 Getting Familiar with POS Changes Dip card vs. Swipe Chip and signature vs. chip and pin Card stays in machine for transaction Most machines beep when transaction is done
Dipping the Card
Q: Why?
25% Portion of the world s transactions that occurred in the U.S. in 2014.* * Business Insider's "The US EMV Migration Report" (Nov 2015)
50% Portion of the world s card fraud that occurred in the U.S. in 2014.* * Business Insider's "The US EMV Migration Report" (Nov 2015)
10 Understanding Fraud Card Present Fraudsters purchase or steal card info (or steal card) Load card info onto card s mag stripe Go to unmanned machines for small amounts to test card info Try card at merchants that have gift cards (or other things) Card Not Present (CNP) Fraudsters purchase or steal card info Test it where merchants do real time processing Typically small amounts Once card number (and associated info) is verified, larger items will be purchased
11 Making Card-Present Fraud More Difficult Stolen Card: Card holder s card is stolen and the fraudster uses card to make purchases at POS Countermeasures: Look at signature on back of card Ask for Photo ID Input zip code Counterfeit Card: Fraudster has purchased stolen card number online and loaded it onto the magstripe of a fake card Countermeasures: Look at signature on back of card Ask for Photo ID Input last four digits of card or CVV into terminal as condition of transaction
12 EMV s Main Purpose EMV makes use of dynamic info at the POS Makes it very difficult to create a counterfeit card Can make it very difficult to use a stolen card (PIN) Dynamic data (exclusive to each transaction) is sent to issuing bank through payment rails to verify authenticity of card (Cryptographic Processing) Security can be enhanced by issuing bank requiring PIN at POS rather than signature
LIABILITY SHIFT
14 Liability Shift Credit card brands encouraging adoption as a means to fight POS cardpresent fraud Stopped short of a mandate Understand costs and logistics involved Realize changing consumer behavior is hard Issued Liability Shift Date of Oct. 1, 2015 Pertains to all merchants with exception of pay at the pump gas stations (Oct. 1, 2017) Think of Liability Shift as a start line vs. a finish line
15 What Does it Mean? Merchant liable for fraud if ALL three of following occur: 1. The payer wants to use an EMV card to make a purchase 2. The campus is unable to process an EMV transaction (and therefore processes a transaction using the card s magnetic strip) 3. The transaction is fraudulent
$4.5B Estimated counterfeit card fraud in U.S. for 2016.* *Aite Group
$1B Estimated amount of counterfeit card fraud in 2020.* *Aite Group
MERCHANT ADOPTION
44% Merchants thought they were going to be EMV ready by end of 2015.* *The Strawhecker Group
37% Merchants were accepting EMV as of Feb 17.* *The Strawhecker Group
20% Estimated portion of credit card transactions that are currently chip-on-chip.* *Aite Group
Q: Why so few?
24 Biggest Barriers Solutions more complex to develop Conversations more complicated with dynamic data elements Comprises software, hardware and processor Certification is more arduous Total solution in play for certification Card brands have different standards NFC add layer of certification Long certification queues Evaluation can take months and cost up to $100K Each change to system prompts new certification Large number of solutions seeking certification Devices are expensive Javelin Strategy and Research estimates it will cost $8.65B to implement EMV in the U.S; $6.75B on POS devices alone!
Small Merchant EMV Readiness 50% 40% 30% 20% 10% Small Merchants 0% Ready Plan to Upgrade No Plans to Upgrade What's EMV? *TD Bank Study 2015
For Merchants Who Don t Plan to Upgrade 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% Small Merchants
27 Change in the Air? Many Non-EMV ready merchants reporting higher rate of chargebacks Higher volume with merchants who sell goods prized by fraudsters Gift cards Electronics Jewelry Many banks don t know if chargebacks are related to EMV or not Merchants don t have resources to research chargebacks B&R Supermarket Inc. and Grove Liquors LLC Oct Feb 2014: 4 Chargebacks Oct Feb 2015: 88 Chargebacks B&R and Grove Liquors filed a lawsuit against card networks Allege card networks knew merchants would be unable to comply with EMV Liability Shift Merchants unknowingly paying for more chargebacks than they should Set up banks for big payday
50% Merchants will accept EMV by end of June.* *The Strawhecker Group
90% Merchants will accept EMV by sometime in 2017.* * The Strawhecker Group
CARD NOT PRESENT
31 CNP Fraud Post EMV Experts have argued EMV causes spike in CNP fraud Fraudsters follow path of least resistance Easier to commit CNP fraud because dynamic element of chip not in play In the UK, brick and mortar fraud decreased 75% from 2004-2012 2015 report from Euro Central Bank on 2013 Data $1.44B in fraud; mostly CNP CNP fraud increased by 20.6% over previous year ATM fraud fell by 13.7% POS fraud fell by 7.9%
Canada Post EMV Implementation 133% Increase in CNP Fraud
33 Not All on EMV? Others argue not necessarily cause and effect Point to: Adoption of new technologies for payments Increase in merchant adoption of new online storefronts Increase in online payment volume over same period Improved techniques by fraudsters (more data breaches) These compound the increase of CNP fraud Argue EMV should still be implemented but also need new mitigation strategies for CNP fraud
35 In the U.S. emarketer Report 2013: $262 billion online sales 2017: $440 billion online sales (estimate) 13.8% compounded annual growth rate ACI Report Jan July 2014: 1/114 CNP transactions was fraud Jan July 2015: 1/86 CNP transactions was fraud Javelin Strategy & Research study in 2015 Account takeover and new account fraud to increase by 60% in next three years Will go from an estimated $5B in 2015 to $8B in 2018
CNP Expected to Double by 2018
Q: How can we protect ourselves from CNP fraud?
38 Pay Attention to New Developments 2016 will be an important year for the introduction and evaluation of new technologies Geolocation Biometrics Dynamic data elements (authorization) Tokenization Real time transaction analytics Behavioral analytics
39 Multi-Layered Approach EMV migration forum and Smart Card Allliance recommend a layered security approach that could include: Device authentication, such as confirming that the device used to make the payment is being used by the right consumer Multi-factor authentication, in which the credentials used to make the payment are checked against the address, phone number, and email address provided by the customer at check-out Tokenization, which replaces payment credentials with one-time codes Rigorously checking the identity of an online customer when they pick up merchandise reserved in a physical store
15% Cardholders who had a transaction declined because it looked like fraud.* *Javelin Strategy & Research. Overcoming False Positives
$118 B Lost sales from false positives. *Javelin Strategy & Research. Overcoming False Positives
$9 BB Actual ecommerce fraud in the U.S. in 2015. *Javelin Strategy & Research. Overcoming False Positives
43 Think Through Your Strategy Work with your payment software provider or processor to identify best strategy for your campus In-person Define EMV strategy and roll out plan Implement cashier security measures in the business office CNP Velocity limits CID/AVS Authentication Transaction reporting Mobile wallets Keep in mind fraud (CNP and CP) rates are low for most schools Stay abreast of new developments in technology Ensure your campus takes PCI seriously and work with a PCI certified QSA to document and test your environment
Q: Questions?
THANK YOU! Don Smith don.smith@cashnet.com www.cashnet.com/blog