Security

Transaction Security Today

Everyone plays a role in ensuring the security of transactions.

• Financial institutions are not required to embed EMV chips in both the debit and credit cards they issue, but a majority are implementing the technology to reduce liability risks.
• Merchants utilize POS systems integrated with security software that enable them to comply with the Payment Card Industry Data Security Standards (PCI DSS.)
• While consumers don’t have to protect their data, FIs recommend not sharing sensitive personal information, as well as reporting lost/stolen cards and suspicious activity promptly. Due to an excessive amount of data breaches and the press associated with them, many consumers should also actively monitor their credit reports.

The Impact of EMV ChipsTo enhance the security of card payments, Europay, Mastercard and Visa (EMV) joined forces to introduce EMV technology in 2004.¹ They later combined with other card networks to form EMVCo, which now oversees EMV compliance.

The benefit of EMV chips is that they store customer data on integrated circuits which generate a unique code for each transaction that is never stored or used again. Before EMV, card data was only stored on the magnetic strip on the back of the card, which made it easy for fraudsters to counterfeit cards.

The Importance of Card Verification Values (CVVs)

• Card Verification Values (CVV, CID, CVD, CVC2, etc.) are 3 or 4-digit codes imprinted on the backs (or front of American Express) of credit and debit cards, but not recorded on their magnetic strips.
• It was introduced in 1997 when fraudsters began taking advantage of the popularity of TV shopping networks and online stores, which created an opportunity to make remote purchases.²
• CVVs combat CNP fraud by requiring cardholders to provide the code when making a payment online, over the phone or via a mobile app. Unless a fraudster has access to the physical card, they don’t have the CVV and most often the payment will be declined.

Understanding the Chargeback

• When a consumer disputes a payment or “charge” made on their debit or credit card, the issuing bank will sometimes issue a chargeback to the merchant who completed the payment.
• In most cases, the issuing bank returns the disputed funds to the consumer immediately, then alerts the merchant and gives them time to file an appeal.
• The merchant can enlist their acquiring bank or payment processor to help them appeal the chargeback. However, the majority of chargebacks are due to the merchant accepting a fraudulent payment online or in-store.
• If the merchant is in PCI-DDS compliance, their appeal will usually be accepted and the issuing bank becomes responsible for the loss.
• While chargebacks are designed to protect consumers from identity theft and merchant mistakes, they’ve given rise to a fraud scheme known as “friendly fraud.” This occurs when a consumer makes an online purchase with a card, and after receiving the product(s) calls their bank to dispute the transaction. As a result, their payment is refunded and they get to keep the product(s).

Fraud Prevention Through PCI Compliance

• The PCI Payment Card Industry Data Security Standards (PCI DSS) were created in 2004 to establish a benchmark for data security.³
• They set the operational and technical requirements for merchants transmitting or storing consumer payment data.
• Once a year, merchants must submit proof of compliance to the Security Standards Council.
• Merchants who are not in compliance increase their risk for potential fraud losses and chargebacks should a data breach occur.
• The merchant is more susceptible to data breaches, which can lead to lawsuits filed against them by customers, financial institutions, regulators and major card brands.
• Noncompliant merchants are fined and can lose their right to accept card payments if they don’t take steps to become compliant