Card-not-present & EMV § Ryan W. Barnes § Associate Director, Consumer Product § TSYS
eCommerce Trends Growth Estimates General Purpose Card TXN $500 $434 $450 $385 Prepaid 0.4 2.7 $400 $339 $350 $297 $300 $259 $226 $250 Credit 5.7 41.3 $200 $150 $100 Debit 5.8 18 $50 $0 2012 2013 2014 2015 2016 2017 0% 20% 40% 60% 80% 100% eCommerce CNP Card-present Source: eMarketer, April 2013, Figure 154501, Federal Reserve Payments Study
Fraud Rates CNP vs. Card-present Volume/Value Transactions 0 0 GP PIN debit and ATM GP PIN debit and ATM 0.87 2.84 9.48 10.91 GP signature debit GP signature debit 2.83 11.32 11.82 11.38 GP credit GP credit 3.72 9.16 0.00 2.00 4.00 6.00 8.00 10.00 12.00 14.00 0.00 2.00 4.00 6.00 8.00 10.00 12.00 CNP (TXN) Card-present (TXN) CNP (value) Card-Present (value) Sources: 2013 Federal Reserve Payments Study
Fraud Composition Select examples from past EMV implementations UK France 100% 100% 80% 80% 60% 60% 40% 40% 20% 20% 0% 0% 2007 2008 2009 2010 2011 2012 2007 2011 CNP (%) Card-present (%) Card-present CNP Australia 100% 80% 60% 40% 20% 0% 2006 2007 2008 2009 2010 CNP Counterfeit Sources: UK Card Association; Annual Report of the Observatory for Payment Card Security, 2011; Australia Payments Clearing Association
3D Secure UK Case: Card-not-present fraud 350 328.4 300 290.5 266.4 250 226.9 220.9 £ Millions 200 212.7 183.2 150 150.8 122.1 100 110.1 95.7 50 0 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Sources: Financial Fraud Action
The Basic Problem Strong EMV authentication measures do not translate in CNP environment Must authenticate via alternative means Factors of Authentication: The “Has”-”Knows”-”Is/Does” convention § Ownership factors § Knowledge factors § Inherence factors
The Building Blocks Ownership Knowledge Inherence 1) Signature Card Present Mag Stripe Signature 2) EMV Card Present Chip PIN 3) Pizza over the phone Static Code Account # 4) Internet purchase – Fleece UN/PW/Security IP Address Jacket Questions UN/PW/Security 5) Remote Login at work Dynamic Token Questions Application IP Address Cookies Biometrics Landline Phone IMEI, MEID IMSI, CSIM P.O. Box Account History Number (device) (subscriber) UN/PW/Security Static Token PII (ex. SS#) Dynamic Token Questions Chip Mag Stripe PIN Signature Account #
Hard vs. Soft Considerations Issuer Merchant Hard Hard • Fraud reduction • Fraud reduction Soft Soft • Ease of purchase • Ease of purchase • Business intelligence Advantages Hard Hard • Required investment • Required investment • Maintenance/compliance • Maintenance/compliance • Reissuance due to data breach Soft Soft Disadvantages • Interchange loss à TXN • Transaction abandonment Abandonment • Consumer reluctance/fear to conduct • Interchange loss à consumer eCommerce reluctance to conduct eCommerce
Merchant Logic Customer Account Yes Portable Account High Scope-setting No “Card-based “checkout Small Customer Account Yes Authenticate Each Small or Large Portable Account CNP High or Low Traffic? Low Transaction? Business? Scope-setting No “Card-based “checkout CNP Customer Account Yes Portable Account High Scope-setting No “Card-based “checkout Large Customer Account Yes Portable Account Low Scope-setting No “Card-based “checkout
Categories of Approach Ø Customer Account – A merchant-specific site or mobile application that requires login authentication and houses payment card information (ex. Amazon) Ø Portable Account – An account established for use at multiple e-merchants that houses payment card information (exs. PayPal, V.Me) Ø Scope Setting – Using data to determine level of authentication required (ex. “Device fingerprinting”) Ø “Card-based” checkout – Standard checkout procedure of entering card-based information (exs. Card#, address on file, static three-digit code)
Summary Industry Implications Ø eCommerce is growing fast, stealing share from brick-and-mortar Ø Past experience suggests heightened risk of CNP fraud as a result of EMV implementation Ø There likely is no “silver bullet” to address CNP fraud Ø Myriad of solutions reliant on similar building blocks Ø Business considerations for merchants Ø Use cases Ø Prognosticators: account for eCommerce concentration
Speaker Contact Information ryanbarnes@tsys.com § Smart Card Alliance § 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 § www.smartcardalliance.org
Recommend
More recommend