There Is No Silver Bullet in Preventing Fraud Attacks

There has been a significant amount of press coverage in recent months regarding Chip-and-PIN, which incorporates EMV (Europay, MasterCard and Visa), as the fraud-beating technology that would have prevented breaches that occurred at a handful of major U.S. retailers in 2013 and 2014.
Driven by this viewpoint and subsequent constituent concern, politicians are being pushed to act based on blanket statistics. The California Senate has already tried to pass a bill mandating microchip payment technology by April 2016. The bill, SB 1351, cited the United Kingdom Cards Association, noting that "adoption of microchip technology in Britain has helped reduce fraud from counterfeit cards by 70% between 2007 and 2012." This statistic substantiates Chip-and-PIN as an effective fraud reduction technology.
However, it is critical to understand that Chip-and-PIN helps fight against certain types of fraud, namely card present fraud, in which a counterfeit or stolen credit card is used at checkout. The breaches that occurred in the U.S. were sophisticated malware attacks – very different from a fraudster trying to use cards stolen from a wallet or skimming cards off a POS reader in order to make counterfeit cards. A misconception exists about what Chip-and-PIN is and, most importantly, the types of fraud it helps remediate.
How Chip-and-PIN Helps Prevent Card Present Fraud
Chip-and-PIN is a brand name given to the method of using an EMV smartcard – a card with a chip with specifications designed by Europay, Mastercard, and Visa – in conjunction with a PIN, similar to what a U.S. consumer might use during a debit transaction.
The chip in the Chip-and-PIN card helps reduce in-person fraud by making it very challenging for a fraudster to make a counterfeit card. The challenge is two-fold: authentication and uniqueness. First, a transaction initiated by a chip card is authenticated by the information on the chip. A duplicate or counterfeit card would have a difficult time faking this. Second, the individual transaction data contains unique information that would be unusable in a subsequent transaction. Chip-and-PIN thus makes it very challenging for a fraudster to create a duplicate chip card and fake a unique transaction.
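An added example, not part of the original article: a simplified Python model of the two properties described above, authentication by a secret held on the chip and per-transaction uniqueness. HMAC-SHA256 stands in for the card's cryptogram, and the class names, test card number and amounts are constructed; real EMV cards use their own key-derivation and MAC scheme.

```python
import hashlib
import hmac
import os

def _mac(key, pan, amount, atc, nonce):
    # Stand-in cryptogram (assumption): keyed MAC over the transaction fields.
    msg = f"{pan}|{amount}|{atc}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """Holds a secret key and a transaction counter that never repeats."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount, nonce):
        self.atc += 1  # uniqueness: every transaction gets a new counter value
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "nonce": nonce,
                "cryptogram": _mac(self._key, self.pan, amount, self.atc, nonce)}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue_card(self, pan):
        self._keys[pan], self._last_atc[pan] = os.urandom(32), 0
        return ChipCard(pan, self._keys[pan])

    def authorize(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = _mac(key, txn["pan"], txn["amount"], txn["atc"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINE: bad cryptogram"   # authentication failed
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "DECLINE: replayed counter"  # transaction data reused
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"

def demo():
    issuer = Issuer()
    card = issuer.issue_card("TEST-PAN-0001")  # constructed test value
    genuine = card.sign(2500, os.urandom(4))
    results = {"genuine": issuer.authorize(genuine)}
    results["replay"] = issuer.authorize(dict(genuine))
    results["altered_amount"] = issuer.authorize({**genuine, "amount": 1, "atc": 2})
    clone = ChipCard("TEST-PAN-0001", os.urandom(32))  # copied number, no chip key
    results["counterfeit"] = issuer.authorize(clone.sign(2500, os.urandom(4)))
    results["next_genuine"] = issuer.authorize(card.sign(900, os.urandom(4)))
    return results
```

A magnetic stripe carries only static data, so a copy of it is indistinguishable from the original; in this model the copied card number alone fails the cryptogram check and captured transaction data fails the counter check.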
The PIN in the Chip-and-PIN payment method helps prevent the use of a lost or stolen card. Similar to a debit card, a PIN is used to verify that the person who owns the card is actually initiating the transaction. Only the cardholder knows the PIN, and another person would be hard pressed to guess the PIN among the thousands of possible four-digit combinations. When the PIN is entered into the POS terminal, the card issuer authorizes or declines the transaction.
In these ways, Chip-and-PIN is an effective, preventive technology against card present fraud, which is a key reason it has helped reduce counterfeit card fraud by such an impressive percentage between 2007 and 2012.
No Single Cure-All
When it comes to sophisticated malware attacks, the breach methods and entry points must be closely examined in each case to understand where weaknesses exist in the system and address those. Government and industry must come together to focus on malware fraud prevention in addition to card present fraud prevention. Just as importantly, both groups must educate consumers about the difference between the two kinds of fraud to prevent a false sense of security.
Specifically, security of a payment ecosystem is multilayered, and each component of the ecosystem should be analyzed for security. Certain technologies, such as Chip-and-PIN, may reduce the risk of some types of breaches, but no single technology is a cure-all against every possible attack.
Jennifer Brown is director of integration and secure services for Infinite Peripherals, a mobile scanner and portable printer provider.