Having said that, there are a few facts that are disconcerting:
- Some of the card data was stolen from POS infrastructure. Payments at POS terminals should be secure, and the best practices are:
  - End-to-end encryption of card data, i.e., card data is encrypted from the point it is swiped to the point it is processed (your bank).
  - Merchants / acquirers should not store card data.
  - Acquirers must continue to upgrade the POS terminals they provide to merchants so that weak points in the chain get strengthened. It is only natural for fraud to migrate to the weakest elements.
- Talking about fraud migrating to the weakest link in electronic payments, it is inevitable that electronic commerce / online stores will show up in most fraud cases. This is because the de-facto method of payment at online stores is via 'Card-Not-Present' mode. Card-Not-Present is when the merchant cannot verify whether the customer is in possession of the card being used for the transaction.
- When card data is fraudulently harvested, the easiest place to use the stolen card data is at online stores.
- While online stores take a lot of effort to detect such fraud (through two-factor authentication, intelligence in back-end systems, ...), there are always some countries whose laws are not as stringent as others. Again, fraud migrates to countries with lax authentication laws.
- While it is easy to parade Chip-and-PIN / smart cards as the silver bullet to prevent such fraud, the Card-Not-Present payment mode at online retailers will continue to be the backdoor that fraudsters exploit.
- Magstripe is not the only bad boy; the Card-Not-Present mode of payment deserves some of the blame as well.
Ending on a positive note, one thing (among many) that the industry can do is to work towards supporting a Card-Present (or some variant thereof) payment mode at online stores. Technology leaders have been working on such solutions and can roll them out if the industry commits to it. Emerging markets, which have traditionally leapfrogged technology due to a lack of legacy, can play a leadership role here. India can set the tone by issuing contactless cards to support Card-Present payments online.
Another initiative would be to have a deadline for retiring all POS terminals that do not support end-to-end encryption. Payment networks, such as Visa and MasterCard, can take the lead on this.
Would love to hear your thoughts on this.