The migration to chip cards and chip-enabled point-of-sale terminals in the United States has helped to mitigate fraud risk for cardholders, merchants and bank issuers.
As of the end of 2021, over 82% of card-present transactions in the U.S. were conducted using chip technology vs. 73% the prior year. Demand for contactless transactions is also driving increased adoption of chip technology, with the U.S. anticipated to see 300% growth in contactless transactions over the next five years. Visa has reported a reduction of over 87% in counterfeit card fraud since EMV was adopted.
However, fraud has migrated to less-protected channels. Fraudsters are aware that they can’t counterfeit physical cards and use them in a chip environment anymore. As the online environment is less protected, card-not-present fraud continues to grow.
Creating The Balance
For banks, the most challenging aspects of fighting fraud may be constantly adjusting protections based on emerging schemes and balancing the need for a good cardholder experience with the right protection strategy.
If fraud strategies are too tight, more legitimate transactions could be declined. On the other hand, if protections are too loose, it’s less likely that fraudulent transactions will be identified and mitigated.
By focusing on diligently identifying and disputing fraud when it occurs, taking advantage of banking products that help mitigate fraud impact, and employing best practices in the management of your card program, you can reduce the occurrence of fraud, boost your security and minimize inconvenience to your company.
There are several ways PNC sees fraud occur in commercial card programs. These are external schemes. But be aware that employee fraud can also occur.
Data breaches. Although counterfeit fraud with card-present transactions has declined, data breaches at merchants still do happen. The bad guys are stealing data and then selling that card account information to other fraudsters who may then create counterfeit cards and attempt to use them at merchants’ point-of-sale terminals or online.
Fall-back situations. Counterfeit fraud can still occur when merchants don’t have chip-enabled terminals — or when a chip card is not run as a chip-on-chip transaction even if the merchant does have a chip-enabled terminal. The industry word for that is “fall-back,” meaning that the merchant might run the transaction using the magnetic stripe if there’s a perceived problem with the chip. But it could be that the chip is fake and that a fraudster has tried to create a counterfeit card.
Fall-back activity was most prevalent when EMV chip technology was first introduced in the U.S. market and is expected to decline as the market matures, because merchants’ employees are more experienced with the technology and bank issuers are more likely to create strategies that flag mag stripe transactions made with a chip card as potential fraud. The card networks now assess fall-back fees to merchants whose fall-back transactions exceed a certain level. This discourages the practice so that the fraud-reduction benefits of chip can be realized. The industry is moving toward the eventual elimination of mag stripes from the backs of cards, which will force merchants to invest in chip-enabled terminals in order to accept cards or tokenized forms of payment.
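One way an issuer-side rule could flag mag stripe transactions made with a chip card, and compute each merchant's fall-back share, is sketched below. This is an added example, not PNC's or any card network's logic; it assumes ISO 8583 style POS entry mode codes and the first digit of the mag stripe service code, and the record layout and sample data are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed conventions (not from the article): ISO 8583 POS entry mode codes
# and the first digit of the three-digit magnetic-stripe service code.
CHIP_ENTRY = {"05", "07"}         # contact chip, contactless chip
FALLBACK_ENTRY = "80"             # terminal declared chip-to-magstripe fall-back
SWIPE_ENTRY = {"90", "91"}        # magstripe swipe, contactless magstripe
CHIP_SERVICE_DIGITS = {"2", "6"}  # service code says the card carries a chip
FLAGGED = {"declared_fallback", "undeclared_fallback"}

@dataclass
class Auth:                       # hypothetical authorization record
    merchant_id: str
    entry_mode: str               # two-digit POS entry mode
    service_code: str
    terminal_reads_chip: bool

def classify(a: Auth) -> str:
    if a.entry_mode in CHIP_ENTRY:
        return "chip"
    if a.service_code[:1] not in CHIP_SERVICE_DIGITS:
        return "magstripe_only_card"
    if a.entry_mode == FALLBACK_ENTRY:
        return "declared_fallback"
    if a.entry_mode in SWIPE_ENTRY:
        # Chip card swiped: suspicious when the terminal could have read the chip.
        return "undeclared_fallback" if a.terminal_reads_chip else "no_chip_terminal"
    return "other"

def fallback_rates(auths) -> dict:
    """Per-merchant share of authorizations classified as fall-back."""
    total, flagged = defaultdict(int), defaultdict(int)
    for a in auths:
        total[a.merchant_id] += 1
        flagged[a.merchant_id] += classify(a) in FLAGGED
    return {m: flagged[m] / total[m] for m in total}

# Constructed sample authorizations (not real data).
SAMPLE = [
    Auth("M1", "05", "201", True),
    Auth("M1", "80", "201", True),
    Auth("M1", "90", "201", True),
    Auth("M1", "90", "101", True),
    Auth("M2", "90", "201", False),
    Auth("M2", "07", "201", True),
]

if __name__ == "__main__":
    print([classify(a) for a in SAMPLE], fallback_rates(SAMPLE))
```

A chip card swiped at a terminal that cannot read chips is kept in its own class so that it is not counted against the merchant as fall-back.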
At the same time, data thieves are having more success attempting to use stolen card data for online transactions than at the point of sale.
Lost and stolen cards represent smaller volume than the counterfeit scenarios. A chip and PIN card can help prevent lost and stolen fraud because a bad actor who obtained a lost card would not be able to use the card because they would not know the PIN. Chip and signature and chip and PIN are two varieties of EMV card. Both have the benefit of the cryptographic algorithm in the chip that is unique for each transaction and has led to the decline in card-present fraud. Many think it’s not worth the added complication for cardholders to have to remember their PIN just to obtain the benefit of preventing lost and stolen fraud.
Account takeover fraud is a form of identity theft affecting the commercial card industry as well as consumer cards. In a recent scheme, a group of fraudsters obtained a cardholder’s corporate account number on the dark web. The fraudster knew the issuing bank and the cardholder customer service number. With that information, the fraudster called the customer service number, posing as the cardholder. Depending on whether additional authentication is needed, a fraudster could take action on the account through the call center rep, such as lifting a fraud hold or changing an address.
Some fraudsters are diving even deeper, obtaining the name of the program administrator and then posing as that person. If they’re successful at guessing the administrator’s security code, they can do even more damage by, for example, changing a credit limit on an account or adding cash advance functionality.
Industry Support for Minimizing Fraud
Card issuers and the network brands recognize the impacts fraud can have on the industry: loss of cardholder confidence, inconvenience of declined transactions and card reissues, and financial losses. The industry invests in technology to help reduce the occurrence and inconvenience of fraud.
Card issuers employ intelligent neural networks and a combination of tools to help detect potential fraud. Issuers constantly adjust fraud strategies to identify the truly fraudulent transactions while allowing legitimate ones to be authorized. A strict fraud strategy might more effectively mitigate risk, but may also result in legitimate transactions being declined. On the other hand, a more relaxed strategy maximizes authorization, but may let fraudulent transactions through. Issuers attempt to strike the right balance.
What to Expect From Your Bank
In addition to the processes and tools used to detect fraud, the industry continues to develop products and solutions that can help minimize the instances and impact of fraud. Your bank should also offer comprehensive fraud mitigation products and services such as these:
- Visa IntelliLink Compliance Auditor can help companies detect employee fraud or misuse. The application allows the company to set rules that mirror their own expense policy so that they can identify activity that has occurred against that policy and then manage it after the fact.
- Tokenization is an industry development that replaces the Primary Account Number (PAN) with a token value that changes with each transaction. The PAN is never stored in a merchant POS system, so compromised data has no value for creating a counterfeit transaction. Tokenization can be applied in digital wallets, such as Apple Pay®, contactless “tap-and-go” transactions, and other virtual card transactions.
- Single-use accounts or virtual accounts can also help reduce fraud, since they’re only valid for one transaction. They can be used when making post-invoice payments in an accounts payable card program and for travel as well. They can be a good solution for making airline purchases, booking hotel stays and other kinds of charges. The cardholder does not need to use a physical card number to settle that transaction.
- Fraud Text Alerts. Cardholders may enroll to receive text alerts when a potentially fraudulent transaction has been identified on their account. This allows the cardholder to verify the transaction as quickly as possible and to resolve the issue to prevent future transactions being declined.
A Checklist of Considerations for Your Organization
Be sure that you are protecting your company by following proven best practices, diligently monitoring accounts for fraudulent activity, and reporting to your bank in a timely manner to increase the likelihood of recovering funds. Some of these best practices may be obvious, but they make a good checklist for your internal fraud mitigation efforts:
- Take advantage of the controls available in your card technology platform. For example:
  - Credit limits: Avoid making more funds available on an account than are needed to support that cardholder. Make sure that any temporary limit increases that are needed revert to normal levels quickly and automatically.
  - Merchant category code (MCC) and volume restrictions: Use MCCs to restrict the kind of activity that can occur on an account, and set limits on the size of a transaction and on the number or total amount of daily transactions on the account. This strategy can help stop a fraudster who’s gotten their hands on an account number and is trying to quickly wreak as much havoc as possible.
- Use a central travel account or a virtual travel program to minimize the credit limit on individual cardholders’ accounts. Large dollar expenses, like airfare and hotel, are billed to a central account with these solutions.
- Close accounts that aren’t being used. Store active cards securely. And avoid having the program administrator activate cards on behalf of the cardholder.
- Don’t write the PIN on the card. If you’re using chip and PIN cards, keep the PIN secure and change the PIN by calling the number on the back of the card if you think the PIN may have been compromised.
- Verify the identity of individuals who call program administrators. Fraudsters can social engineer their way into finding out administrators’ names. The fraudster might call the administrator and ask for a reminder of their security code. When processing a request by phone, administrators should verify the identity of the cardholder.
- Avoid using simplistic codes that could be easily guessed as your security code, like 1111 or sequential digits. Also avoid using personal information that is publicly available. If the fraudster knows your name and can discover your birth year, for example, or the last four digits of your SSN, they may be able to pose as you.
- Don’t use a common security code for all cardholders. Provide each cardholder with a unique code and, if possible, avoid using personal information.
- Don’t use the same card number for multiple employees. Transactions could be declined if the card numbers are used at the same time in two different locations. Even more important, if there is a fraudulent transaction, you can’t really tell who performed the transaction if multiple people are using the same account.
- Implement a usage policy and communicate that in your organization. Monitor it and update it regularly for your cardholders so that you’re able to report fraud in a timely manner.
- Enroll in your provider’s liability waiver program and follow the required protocols. If there’s internal fraud occurring on the account, having a cardholder agreement in place and terminating the employee who committed the fraud can be highly effective in limiting your risk.
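The credit-limit, MCC and volume controls from the checklist above can be pictured as an ordered set of authorization checks, including a temporary limit increase that lapses on its own. This is an added example, not a description of any card platform; the class, the decline reason names, the MCC values and the replayed transactions are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional

@dataclass
class Account:                        # hypothetical per-card control profile
    allowed_mccs: set                 # merchant category codes this card may use
    per_txn_limit: Decimal
    daily_count_limit: int
    daily_amount_limit: Decimal
    credit_limit: Decimal
    temp_limit: Optional[Decimal] = None       # temporary increase, if any
    temp_expires: Optional[datetime] = None    # increase lapses on its own here
    balance: Decimal = Decimal("0")
    approved: list = field(default_factory=list)  # (timestamp, amount)

    def effective_limit(self, now: datetime) -> Decimal:
        if self.temp_limit is not None and self.temp_expires and now < self.temp_expires:
            return self.temp_limit
        return self.credit_limit      # no manual step needed to revert

def authorize(acct: Account, mcc: str, amount: Decimal, now: datetime) -> str:
    today = [a for t, a in acct.approved if t.date() == now.date()]
    if mcc not in acct.allowed_mccs:
        return "DECLINE_MCC"
    if amount > acct.per_txn_limit:
        return "DECLINE_TXN_SIZE"
    if len(today) >= acct.daily_count_limit:
        return "DECLINE_DAILY_COUNT"
    if sum(today, Decimal("0")) + amount > acct.daily_amount_limit:
        return "DECLINE_DAILY_AMOUNT"
    if acct.balance + amount > acct.effective_limit(now):
        return "DECLINE_CREDIT_LIMIT"
    acct.approved.append((now, amount))
    acct.balance += amount
    return "APPROVE"

def demo() -> list:
    """Replay constructed authorization attempts (sample data, not real)."""
    t0, hour = datetime(2024, 3, 4, 9, 0), timedelta(hours=1)
    acct = Account({"5812", "7011"}, Decimal("500"), 3, Decimal("800"),
                   Decimal("1000"), Decimal("2500"), t0 + 48 * hour)
    attempts = [("5944", 200, 0), ("7011", 600, 0), ("5812", 300, 0),
                ("5812", 300, 1), ("7011", 300, 2), ("5812", 100, 3),
                ("5812", 50, 4), ("7011", 400, 24), ("7011", 100, 72)]
    return [authorize(acct, m, Decimal(a), t0 + h * hour) for m, a, h in attempts]

if __name__ == "__main__":
    print(demo())
```

The last attempt is declined because the temporary limit has expired and the balance built up under it already exceeds the normal credit limit.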
Ready To Help
PNC focuses on helping you balance fraud reduction with the cardholder experience and often can work with you to help you develop fraud strategies for your specific situation. For more information, contact your Treasury Management Officer or visit pnc.com/treasury.