Who should be responsible for financial fraud?

Improvements in payment protections are shifting the liability for fraud to the least-secure party

1 2 Page 2
Page 2 of 2

As card-present payment systems get more secure due to the growing acceptance of EMV payment cards, the concern now is that more fraud will focus on card-not-present transactions such as online orders, says Jeremy Grant, senior executive adviser for the National Strategy for Trusted Identities in Cyberspace (NSTIC).

[Mobile shopping remains stifled by security, ease of use]

Already, this shift appears to be happening. FICO reported in 2012 that fraud losses in card-not-present environments (Internet, phone and mail order) increased at twice the rate of counterfeit card fraud.

This means that, in addition to fraud-pattern matching, the industry needs to standardize on stronger identity and authentication methods, at least for online transactions, Grant says.

"Our area of concern is about the user signing on to conduct the transaction," Grant says. "If you look at the Verizon Data Breach Investigations report, most breaches start with the exploitation of a username and password."

[Rise in data breaches drives interest in cyber insurance]

Operating out of the Commerce Department, NSTIC's mission is to enable more online transactions through a common identity framework that can be leveraged by business and consumers. In this framework, consumers and their places of business can chose from a variety of authentication credentials that will function across an "ecosystem" to supplement passwords.

"We feel this would help address the risk in card-not-present fraud, but also it would be more convenient for consumers, who won't have to remember dozens of different passwords and keep updating and changing them," Grant explains.

NSTIC is working with privacy organizations and private-sector groups to develop standards and overcome issues of user privacy and interoperability and encryption key management, for example.

Widespread Access to Multi-Factor Authentication

In this identity ecosystem, could the chip on the smart payment cards support multi-factor authentication that criminals couldn't meddle with? Possibly, says Grant.

Consumers will have the choice of using whatever kind of multi-factor authentication they find most convenient, as several types will be supported by payment processors in the ecosystem.

According to the Smart Card Alliance, MasterCard has enacted a Chip Authentication Program and Visa has set up a Dynamic Passcode Authentication system to allow EMV smart cards to be used to authenticate users during online transactions.

Under these programs, the user would insert a card into a handheld reader attached to their phone or computer and enter a PIN. Then the reader displays a one-time password that the user enters to complete the transaction.

Bob Russo, general manager of PCI SSC New York, thinks it will be some time before we see EMV chips becoming a dominant form of online authentication because most people don't want to have to attach readers to their computers and phones.

However, 30 million Europeans already use EMV cards and readers for Internet transactions, according to the Smart Card Alliance. And millions of small business owners are using attachable smart card readers on their smartphones to conduct business.

Regardless of what forms of authentication are used, the improvements made to protect all forms of payment fraud, including those changes to the PCI DSS rules for protecting cardholder data all along the transaction chain, are reducing fraud. In 2012, payment fraud was 12 percent lower than in 2009, according to the 2013 AFP Payments Fraud and Control Survey conducted by JP Morgan.

[Little sympathy for merchants in disputes over PCI violations]

"EMV and PCI standards make for a powerful combination," Russo says. "Financial organizations are seeing fewer large-scale breaches today, and that's proof our efforts are working."

Deb Radcliff is a freelance writer based in California and is also chief of the SANS Analyst Program.

Copyright © 2014 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
What is security's role in digital transformation?