Published on Bank Info Security on June 16, 2010
As eyes are now focused on South Africa for one of the world's largest sporting events, so are fraudsters - taking aim at tourists' credit and debit cards.
Events such as the 2010 FIFA World Cup offer interesting opportunities for card attacks, since nothing is normal. And issuers often categorize any transaction that falls outside "normal" as fraudulent.
Institutions in these circumstances have two options: They can block transactions in markets ripe for card fraud, such as Africa; or they can set parameters that gauge what could be normal under abnormal circumstances.
Issuers usually opt for the former, sacrificing consumer convenience. In fact, nine out of 10 cross-border card transactions are flagged as being fraudulent, according to Actimize, a NICE Systems company and provider of financial crime, risk and compliance software for the financial industry.
The problem: Authenticating cross-border transactions has become increasingly difficult, especially when magnetic-stripe debit and credit cards come into play. Since much of the world has moved away from the mag-stripe in favor of chip and PIN, which complies with the Europay, MasterCard and Visa (EMV) standard, the United States' continued use of the mag-stripe places financial institutions in a precarious situation. European banks are often the first to get scammed when they accept mag-stripe transactions. So rather than deal with them, they just deny those transactions when they come across the point of sale.
"The industry lacks the expertise to know exactly how to handle exceptions on transactions that use the mag-stripe in an EMV/chip and PIN market," says David Nussenbaum, vice president of global risk products for ACI Worldwide, a global payments solution provider. "We're living in an unknown world."
How can card issuers balance consumer convenience and security, especially internationally? Setting aside (at least for now) the mag-stripe/EMV debate, Nussenbaum offers these five tips to U.S. financial institutions:
• Product Assurance - Build products and layered security at the same time. "The fraud side is something many product managers neglect to think about."
• Application Screening - When issuing cards to new clients, institutions must ensure that decisioning and controls are in place. Be sure to verify identity.
• Transaction Abnormality Surveillance - Understand customer behavior and recognize what is abnormal for an individual user. "There are many transactions going on in South Africa as we speak, including transactions that use the mobile phone or the web. ... And when you add the cross-border context, especially on card-not-present [transactions], that's where fraud occurs."
• Enterprise Fraud Management and Real-Time Analytics - Defining a fraudulent transaction in real time is key, but requires sophisticated analytics. It's something all institutions should be working toward. It also helps to communicate with the consumer in real time, via SMS/text to a mobile device, to confirm the validity of a suspicious transaction. Visa also recommends this second line of transaction authentication.
• Advanced Analytics - Go beyond the basic rule-writing and define what is normal for individual users and accounts. Customer relationship management systems can help with this and allow a financial institution to figure out true anomalies through applied mathematics.
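The contrast between blocking a whole market and scoring each transaction against the cardholder's own behavior, with an SMS confirmation step in between, can be sketched as follows. This is an added example, not code from ACI Worldwide, Actimize or Visa; the weights, thresholds, function names and sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Txn:
    amount: float        # in the cardholder's billing currency
    country: str         # ISO 3166 alpha-2 code of the merchant
    card_present: bool   # False for web/phone (card-not-present)

def blanket_rule(txn, home="US"):
    """Option one from the article: decline everything outside the home market."""
    return "approve" if txn.country == home else "decline"

def risk_score(txn, history, confirmed=frozenset(), home="US"):
    """Score a transaction against this cardholder's own history.
    Weights are illustrative assumptions, not tuned values."""
    # With no history there is no amount baseline, so the amount adds nothing.
    amounts = [t.amount for t in history] or [txn.amount]
    sigma = pstdev(amounts) or 1.0                 # avoid dividing by zero
    z = max(0.0, (txn.amount - mean(amounts)) / sigma)
    score = min(z, 5.0)                            # cap so one signal cannot dominate
    familiar = {t.country for t in history} | set(confirmed) | {home}
    if txn.country not in familiar:
        score += 3.0                               # country new for this cardholder
    if txn.country != home and not txn.card_present:
        score += 2.0                               # cross-border card-not-present
    return score

def decide(txn, history, confirmed=frozenset(), home="US"):
    """Three outcomes instead of two: approve, confirm by SMS, or decline."""
    score = risk_score(txn, history, confirmed, home)
    if score < 3.0:
        return "approve"
    if score < 6.0:
        return "confirm_sms"   # ask the cardholder before declining
    return "decline"

# Constructed sample data: a US cardholder's recent in-person purchases.
HISTORY = [Txn(a, "US", True) for a in (20, 35, 50, 40, 25, 30)]
STADIUM = Txn(45, "ZA", True)      # modest in-person purchase in South Africa
WEB_BIG = Txn(900, "ZA", False)    # large card-not-present purchase

if __name__ == "__main__":
    print(blanket_rule(STADIUM))                       # regional block
    print(decide(STADIUM, HISTORY))                    # first purchase abroad
    print(decide(STADIUM, HISTORY, confirmed={"ZA"}))  # after an SMS "yes"
    print(decide(WEB_BIG, HISTORY, confirmed={"ZA"}))  # still out of pattern
```

Here `confirmed` stands for countries the cardholder has already acknowledged by SMS reply; a confirmed country removes the location penalty but leaves the amount and card-not-present signals in force.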
I suspect that cards will be breached throughout the World Cup games in South Africa. But it's not all doom and gloom for U.S. travelers. Hey, they get to check out an incredible sporting event -- and they could likely be catalysts for some positive payments shifts back home.