BreachExchange mailing list archives

October Fraud Surprise for Retailers?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 22 May 2015 14:50:02 -0600

http://www.bankinfosecurity.com/blogs/october-fraud-surprise-for-retailers-p-1861

U.S. merchants that aren't prepared to accept EMV chip cards by October
should be bracing for significant upticks in card fraud expenses.

That was the message from MasterCard this week at Information Security
Media Group's Fraud Summit Chicago.

When the EMV liability shift date for fraud takes effect in October,
merchants that are not EMV-compliant can expect to immediately get pounded
with card-fraud expenses that card issuers, up to now, have been absorbing,
warns Krista Tedder, vice president of risk, fraud and identity
verification at MasterCard. She was a featured speaker at the summit's
closing panel.

The card brands' October liability shift date is an incentive, not a
mandate. So, missing the liability shift date won't result in fines or an
inability to conduct transactions. It simply means that as of October, a
card issuer or merchant that does not support EMV assumes liability for
fraud that results from compromised magnetic-stripe card transactions.
While most card issuers are scrambling to issue EMV cards, many retailers
are lagging in efforts to install updated point-of-sale equipment to
accommodate chip cards.

Most merchants don't have a good handle on just how much card fraud is
occurring as a result of POS breaches, said David Pollino, senior vice
president and enterprise fraud prevention officer at Bank of the West,
another panelist at the summit. Nor do they have a good feel for how often
fraudulent magnetic-stripe cards are being used for purchases at their
stores.

In fact, Pollino said merchants tell him they're basing their assessment of
fraud losses solely on the chargebacks they receive, which account for only
a tiny fraction of fraud. A chargeback is a demand made by a credit card
issuer, such as a bank, for a retailer to refund a fraudulent or disputed
transaction.

Pollino pointed out that Bank of the West had to absorb substantial card
fraud losses linked to the Target and Home Depot breaches. And how many
transactions linked to cards compromised in those attacks did Bank of the West
submit to retailers as chargebacks? "Zero," Pollino said.

So when the liability shift kicks in, "I don't think the merchants have any
idea how much fraud is going to be shifted back to them," he said.

Beyond U.S.-Based Fraud

Pollino and Tedder also pointed out that many banks in Europe have been
absorbing significant amounts of fraud because of lingering mag-stripe
technology.

While European countries are already EMV chip compliant, their cards must
retain mag-stripes to ensure global payments interoperability. That means
cards issued in Europe can still be cloned and used as mag-stripe cards in
countries, such as the U.S., where mag-stripes are still accepted.

In fact, Tedder said about 25 percent of all card fraud that affects
European cardholders occurs in the U.S. with counterfeit cards. That
represents "billions in card fraud" that U.S. merchants that are not
EMV-compliant may have to pay for once the liability shift is in effect,
she points out.

The October Shift

It's clear that not all merchants, or even all card issuers, are going to
be EMV-ready by October. Liz Garner, vice president of the Merchant Advisory
Group, who sat on the panel with Tedder and Pollino, pointed out that,
unfortunately, many merchants that are ready to roll out EMV-compliant POS
terminals are on waiting lists, because the POS vendors are backlogged.

Still, the card brands are not going to delay the liability shift date,
MasterCard's Tedder stressed.

So banking institutions that work with merchants as acquirers really need
to step up their game to get the word out. Acquirers need to ensure that
their merchant customers know just how much fraud loss could be shifted
back to them if they're not EMV compliant by October.

Based on what panelists said this week, the amount of these losses could
potentially put some smaller merchants out of business. And nobody wants
that to happen.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
