FRAUD: Playing your cards right
New-generation credit and debit cards should protect consumers from fraud. So why don’t they?
You probably already know that the weakest link on your credit or debit card is the black magnetic stripe on its underside. When swiped through a skimmer, the device can capture and store all the details stored in the stripe.
What you may not know is that most cards also make it possible to use the more secure chip-and-pin technology.
So why do we still need magnetic stripes?
Fraudsters are doing brisk business with counterfeit cards, having clocked transactions worth more than US$22.8bn on them in 2016.
The Nilson Report, which publishes card loss data gathered internationally, is projecting losses of up to $33bn in card fraud by 2021. It says a number of countries simply have not met deadlines to adopt the chip-and-pin standard — also known as the Europay, MasterCard and Visa (EMV) standard. Most other countries still have back doors such as the
magnetic stripe, to accommodate travellers.
"Such a dual system is also necessary to ensure operability of cards during the course of the rollout of the standard," says Kalyani Pillay, CEO of the SA Banking Risk Information Centre (Sabric).
Banks such as FNB, Absa, Standard Bank and Nedbank have issued chip-and-pin-compliant cards, but the magnetic stripe — containing unencrypted customer data — is vulnerable to cloning and has cost the industry an average of R320m in losses over the past seven years, according to data provided by Sabric.
"The risk of card data being compromised through skimming of the magnetic stripe is unfortunately still there, but without the PIN, this data has limited value," Pillay says. "Sabric encourages card holders to conceal their PIN when using their cards in order to mitigate the risk of falling victim to card fraud."
FNB says 99% of all cards are chip enabled, but it continues to issue cards with both a chip and a magnetic stripe because some local merchants have not completely migrated to accepting chipped cards. "There are also several countries that are not fully EMV-compliant and are predominantly magnetic-stripe environments," says FNB spokesman Virginia Magapatona.
These include the US, India, Japan and China.
An ability to shift liability to banks for fraudulent transactions that occur despite merchants having EMV-compliant systems in place has failed to encourage faster adoption of the standard.
In the US, delays arose partly because of the high cost of implementing the standard, a 2016 research report drafted for that country’s congress shows.
The research report says card issuers and merchants invested heavily in existing technology, but balked at the cost of further investment in technology that would support the EMV standard, which was set at between $6bn and $8bn.
In addition, minimal implementation before the US’s October 2015 deadline meant card issuers would have had to replace 2m old cards every day to fully comply by that date, as the share of EMV cards in the market was only between 7% and 15%. US card issuers had also decided to adopt the chip-and-signature model of the standard, instead of chip-and-pin, introducing a further level of complexity.
In China, few merchants support Visa or MasterCard — a legacy of UnionPay’s dominance in the market. UnionPay, backed by the Chinese central bank, does not use the EMV standard.
Nedbank says all new cards issued contain a chip but have a magnetic stripe for use in countries that do not support the EMV
"There may be a low volume of older Nedbank cards that [have only a magnetic stripe], but as those cards are renewed they will be EMV-enabled," says spokesman Sharda Naidoo. "If a transaction were to be approved by magnetic stripe for any reason, additional security protocols would be applied for the protection of our clients."
Sabric says the introduction of the EMV standard in SA has led to a plunge in counterfeit card fraud, with debit card losses declining 39.3% to R65.5m and credit card losses flat at R99m.
The side effect of this victory, observed in countries that have adopted the EMV standard as well, has been the emergence of fraud where the card is not present.
These transactions occur when retailers are unable to check the card or the identity of the cardholder, and are conducted through channels such as online shopping.
To tackle this newer threat, Sabric warns cardholders to avoid sending e-mails containing card numbers and expiry dates or disclosing this over the phone.
It also encourages cardholders to register for authentication systems such as 3D Secure for online transactions.