Page 40 - GS160802

CoverStory

To PIN or not to PIN?

While many experts agree widespread adoption of EMV technology combats fraud, there has been significant disagreement on how best to implement EMV: as a chip-and-PIN or a chip-and-signature solution. In most countries where EMV has taken hold PIN is the dominant authorization method; not so in the U.S., where many retailers remain frustrated.

Retailing giant Wal-Mart Stores Inc. has gone so far as to sue Visa over Visa's insistence that cardholders be given the option of authorizing transactions with PINs or signatures. Wal-Mart wants to mandate PIN authorization.

A new report from Aite raises questions about the value of PIN authorization, however. Aite found that although the cost for merchants with PIN pads is minimal, the economic impact would be huge – in excess of $4 billion – because there are so many merchants without PIN pads. Issuer costs would exceed $2.6 billion, and include card re-issuance, establishing and maintaining PIN management systems, customer education and platform modification.

The end result, by Aite's estimates, would be a five-year fraud-avoidance benefit of about $850 million. What's more, the most effective use of PINs is to counteract lost and stolen card fraud, which only accounts for about 9 percent of total card fraud losses, Aite reported in Chip Cards in the United States: The PIN, PINless, Debit, Credit Conundrum.

"With very little incremental risk for merchants and significant expense and implementation challenges for the payments ecosystem, it is difficult to justify a mandate to implement PIN as a credit card verification method," said Aite Senior Analyst Thad Peterson.

"The challenge remains, how do businesses accurately identify genuine attacks from legitimate transactions?" Pandey said.

ThreatMetrix developed a solution it calls Digital Identity Network to help identify potential fraud resulting from malware and data breaches. The company said it verifies 20 billion transactions annually for 30,000 websites globally. It uses data from those transactions for regular cybercrime reports. The latest of those reports, covering the second quarter of 2016, reveals the network detected and stopped 112 million attacks among 5.2 billion transactions processed, representing a 50 percent increase over the same period in 2015.

One attack plan is not enough

It is essential to find the right automated tools, and combinations of tools, that can help merchants more efficiently and effectively identify fraud. CyberSource's data revealed that merchants use combinations of tools when screening customers, including card validation and customer lists. Many also conduct manual reviews: 86 percent of North American businesses, on average, perform manual reviews on 29 percent of orders, according to CyberSource. The cost: 46 percent of those surveyed said manual review staffs are the biggest line items in their fraud management budgets.

CyberSource, which is owned by Visa Inc., is one in a growing army of companies that leverage data and analytics to help CNP merchants accept more good orders, which by extension, is intended to enhance the customer experience. It's a tall order. "We're dealing with teams of fraudsters working in global groups," O'Neil said. "They can leverage vast amounts of computational power, and they are gaining access to huge amounts of data."

Most experts believe the best fraud-fighting strategies demand a combination of solutions implemented by merchants and issuers, alike. This also makes for good customer service; 75 percent of consumers surveyed by Tender Armor and Sparks said they wanted more protection for card data when shopping online. "It's a huge worry for consumers," Aufseeser said.

In 2015, Tender Armor introduced a real-time, dual-factor tool for authenticating cardholders in CNP transactions. Aufseeser described the product, CvvPlus, as a "one of a kind solution" that enables issuers to stop all types of CNP fraud (not just online, MO/TO and mobile fraud). Plus there's no need for retrofitting; the solution can be deployed on any and all credit and debit cards, she said.

CvvPlus uses two sources of data to authenticate cardholders: the card number and a unique security code the cardholder retrieves from a mobile text message or email and provides the merchant in lieu of the payment card's CVV2 code. The codes can be changed as often as daily and can be used for multiple cards in a consumer's wallet. Consumers sign up for CvvPlus through card-issuing banks, many of which have shown interest in the concept. "We've got a huge sales pipeline," Aufseeser said.

Unlike CvvPlus, many CNP fraud tools have been developed for and implemented by merchants, and the move to EMV has more merchants looking closely at these and emerging tools. Here's a rundown of the most commonly used CNP tools:
