Wednesday, February 6, 2013

Emerging Markets can lead in reducing Credit Card Fraud

It is only natural for us to get concerned when the media is full of reports of credit card fraud (Fraud ring busted, Indian credit card industry hit with INR30Cr fraud), especially when so much effort is made by the industry to convince us that electronic payments are safe.  I agree that card payments are basically secure, with fraud at less than 50 basis points (0.5%).

Having said that, there are a few facts that are disconcerting:
  • Some of the card data was stolen from POS infrastructure: Payments at POS terminals should be secure.  The best practices are:
    • End-to-end encryption of card data, i.e., card data is encrypted from the point it is swiped to the point it is processed (your bank)
    • Merchants / acquirers should not store card data
  • It is necessary for acquirers to continue to upgrade POS terminals provided to merchants to ensure that weak points in the chain get strengthened.  It is only natural for fraud to migrate to the weakest elements.
  • Talking about fraud migrating to the weakest link in electronic payments, it is inevitable that electronic commerce / online stores will show up in most fraud cases.  This is because the de facto method of payment at online stores is 'Card-Not-Present' mode.  A transaction is Card-Not-Present when the merchant cannot verify whether the customer is in possession of the card being used for the transaction.
    • When card data is fraudulently harvested, the easiest place to use stolen card data is at online stores
    • While online stores put a lot of effort into detecting such fraud (through two-factor authentication, intelligence in back-end systems...), there are always some countries whose laws are not as stringent as others.  Again, fraud migrates to countries with lax authentication laws.
  • While it is easy to parade Chip-n-PIN / smart cards as the silver bullet to prevent such fraud, Card-Not-Present payment mode at online retailers will continue to be the backdoor that fraudsters will exploit.
  • Magstripe is not the only bad boy; Card-Not-Present mode of payment deserves some of the blame as well.
Link to a related article by Doug King, Atlanta Fed

Ending on a positive note, one thing (among many) that the industry can do is to work towards supporting Card-Present (or some variant thereof) payment mode at online stores.  Technology leaders have been working on such solutions and can roll them out if the industry commits to it.  Emerging markets, which have traditionally leapfrogged technology due to a lack of legacy, can play a leadership role here.  India can set the tone by issuing contactless cards to support Card-Present payments online.

Another initiative would be to set a deadline for retiring all POS terminals that do not support end-to-end encryption.  Payment Networks, such as Visa and MasterCard, can take the lead on this.

Would love to hear your thoughts on this.