EMV and risk-based authentication

Companions for staying ahead of card-present and card-not-present fraud

The financial services industry and consumers in the United States (U.S.) are finally seeing the arrival of EMV chip cards with the upcoming October 1, 2015, liability shift. This transition provides a foundation for the next generation of payments because it helps reduce counterfeit card fraud, improves international card acceptance, and is expected to help establish the acceptance infrastructure needed to support other emerging chip technology for payments.

While payments have never been safer as the U.S. payments industry adopts EMV chip card technology, criminals have never been smarter.  Increasing counterfeit card fraud in the U.S. has been the primary reason the industry business case works for the marketplace now along with increasing difficulty experienced with overseas acceptance of magnetic stripe cards. The payment infrastructure necessary for the adoption of dual-interface EMV chip technology also helps prepare for acceptance and processing of NFC-based mobile payments.

The layer of safety added to card present payment transactions from EMV chip technology is through the use of dynamic authentication between chip-activated terminals and chip cards that work together to protect in-store payments. While there is some confusion that EMV means “chip and PIN”, U.S. cardholders can still use their cards as they always have over-the-phone, on the Internet, and in stores that support either signature or PIN at the point of sale.

The genesis of chip and PIN was to support the need for offline authentication in markets without a reliable telecommunications system. Many countries, such as the U.S., have very fast reliable online processing with transactions transmitted to banks in real-time and analyzed with fraud scoring systems prior to approval. By adding the EMV chip dynamic cryptogram, transaction safety is increased without the complex capabilities needed to support processing offline transaction authorizations required in some countries. An EMV chip card used in a store at a chip-activated terminal generates a unique one-time code behind-the-scenes provides an additional layer of security and is used to approve the transaction—this feature is practically impossible to replicate with counterfeit cards.

Safer but not foolproof

The level of security provided by EMV chip cards for card present transactions does not change the need to implement a sophisticated authentication technology and risk-analytics modeling since fraud is likely to continue to grow unless appropriate measures are adopted. This is particularly important as it relates to CNP fraud.

Along with reaping the benefits of reduced counterfeit card fraud, being the last major market to convert to EMV has the upside of learning from other markets for U.S. issuers, acquirers, merchants, and networks.  The learning from impacts of EMV migrations around the world can be extended for the card-not-present (CNP) payments environment as well.  In the European Central Banks July 2015 report on card fraud, CNP fraud remains the most frequent type of fraud accounting for 75% of total fraud in the Single Euro Payments Area (SEPA) marketplace.  A CNP fraud rate of 40% from 2009 to 2013 was the main driver for an overall increase in fraud of 4%. Over the same five-year period a decline in fraud was observed for both POS and ATM channels corresponding with the rate of EMV migrations.

The use of authentication data together with organization-centric fraud models represents the pinnacle of user authentication and creates a stable long-term strategy that enables broader coverage and uniformity for fraud prevention – making risk-based authentication methods highly effective for CNP fraud. The U.S. migration to EMV chip cards will address rising counterfeit card fraud, but the industry still needs to invest in technologies such as risk-based authentication and bolster CNP controls. To remain competitive and manage the cost of fraud, banks must invest in technologies such as risk-based authentication, 3D Secure strong authentication protocols, and/or tokenization for CNP transactions.

CA Technologies is uniquely qualified to assist banks make informed decisions in their EMV conversion planning and address authentication needs with a powerful, dynamic, and flexible set of payment security solutions. By applying our valuable learning related to cyber security and user behavior over time, we continue to deliver secure, reliable, interoperable, and easy to use authentication solutions to support our customers success.

Join the conversation: Visit the CA Payment Security Community

CA Payment Security community members help one another solve problems. Participate in discussions, ask questions, post content, attend webcasts, and more. Experience the power of community by joining us now!


Carol Alexander (@carolalexander) is head of Product Marketing for Digital Payments Security at CA Technologies.

Comments

rewrite

Insights from the app driven world
Subscribe Now >
RECOMMENDED
Managing a DevOps Transition >A Meeting of (Artificial) Minds >Corporate Finance Gets API Makeover >