Source: Michelle Trappitt, Gareth Ellis, ACI Worldwide
Banks have invested significant sums in EMV compliance, yet many are missing out on the full potential of EMV data to combat card fraud, say Michelle Trappitt and Gareth Ellis, senior solutions consultants, ACI Worldwide.
EMV has a profound effect upon transaction security. This is not just in terms of reducing fraud, which the latest figures from UK payments body Apacs show to be working well, but also in terms of its effect upon the public psyche. It is fair to say that the average consumer has never been more aware of the threat of transaction fraud than they are in this post-Chip and PIN environment.
However, consumers would be surprised to hear that the highly vaunted EMV smart cards within their wallets are not being fully exploited by the banks to fight fraud. Yet the fact remains that there is a wide range of available EMV data that could be used to combat fraud but which is currently being ignored.
The standard EMV smart card contains a wealth of currently hidden data. Understanding how to use this data holds the key to increased card security. In total, around 50 extra risk management data items are received in EMV transactions but are currently untapped within fraud analysis. This data can be used to identify fraud patterns and credit risk situations, and to further enhance customer service.
Through the use of this untapped data, banks could further prevent new, advanced fraud types that have arisen since the introduction of EMV, as well as tackling existing fraud patterns that are difficult to identify. Close interrogation of the EMV data items allows analysts to build up a detailed user profile, which can help to identify fraud. It is only by using the EMV data that we can pinpoint the new attacks. For example, details in the EMV data can show how many failed PIN attempts have been made on the card in an offline environment, and if this happens repeatedly the activity should be investigated. It is also possible to detect whether a card has had its magnetic stripe modified to appear as if it doesn’t have a chip (known as service code rewrite).
When financial institutions start passing back information about the offline transactions that have been performed on the card, they will really reap the benefits of this EMV data. Offline terminals are often favoured by criminals so it is obviously beneficial to check recent offline transactions when the card goes online. Fraud analysts will have a far better picture of the risk associated with a particular card, and this will help them in deciding whether to investigate potential fraud. In the future, issuers will also be able to configure their cards to return further information about offline transactions such as merchant type, value and how the transactions were authenticated.
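The checks described in the two paragraphs above (repeated offline PIN failures, service code rewrite, and offline activity seen when the card next goes online) can be sketched as issuer-side rules. This is an added example, not code from the authors or from ACI Worldwide. The record layout, field names and thresholds are assumptions; the TVR bit positions and service code digits are those defined by EMV and ISO/IEC 7813.

```python
# Added example: issuer-side checks over EMV fields in an authorization request.
# Record layout, field names and thresholds are assumptions for illustration.

CHIP_SERVICE_CODES = {"2", "6"}   # ISO/IEC 7813: first digit 2 or 6 = card has a chip
TVR_CV_FAILED = 0x80              # TVR byte 3, bit 8: cardholder verification failed
TVR_PIN_LIMIT = 0x20              # TVR byte 3, bit 6: PIN Try Limit exceeded


def pin_failure(tvr_hex):
    """True if the TVR (tag 95, 5 bytes) reports a failed or blocked PIN check."""
    byte3 = bytes.fromhex(tvr_hex)[2]
    return bool(byte3 & (TVR_CV_FAILED | TVR_PIN_LIMIT))


def emv_risk_flags(txn, card, history, max_pin_failures=2, max_atc_gap=5):
    """Return the list of risk flags raised by one incoming transaction."""
    flags = []
    # Service code rewrite: stripe read claims "no chip" for a card issued with one.
    if (txn["entry_mode"] == "magstripe"
            and card["issued_service_code"][0] in CHIP_SERVICE_CODES
            and txn["track_service_code"][0] not in CHIP_SERVICE_CODES):
        flags.append("service_code_rewrite")
    if txn["entry_mode"] == "chip":
        # Repeated PIN failures across this and earlier chip transactions.
        tvrs = [t["tvr"] for t in history if t.get("tvr")] + [txn["tvr"]]
        if sum(pin_failure(t) for t in tvrs) >= max_pin_failures:
            flags.append("repeated_pin_failure")
        # ATC (tag 9F36) increments on every chip transaction; a jump since the
        # last value the issuer saw means activity that never came online.
        if txn["atc"] - card["last_seen_atc"] > max_atc_gap:
            flags.append("offline_activity_gap")
    return flags


# Constructed sample data, not taken from any real card or transaction.
CARD = {"issued_service_code": "201", "last_seen_atc": 40}
HISTORY = [{"tvr": "0000800000"}, {"tvr": "0000000000"}]
CHIP_TXN = {"entry_mode": "chip", "tvr": "0000200000", "atc": 52}
STRIPE_TXN = {"entry_mode": "magstripe", "track_service_code": "101"}

if __name__ == "__main__":
    print(emv_risk_flags(CHIP_TXN, CARD, HISTORY))
    print(emv_risk_flags(STRIPE_TXN, CARD, HISTORY))
```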
Analysis of EMV transactions data can help fraud analysts understand how much risk is associated with a particular card. If they are unhappy about the amount of risk associated with a card they can do a number of things to lower the risk, for example lowering the floor limits on the card. Today’s fraud analysts need to be equipped with a toolset that allows them to investigate card risk through the EMV data, but then change risk parameters by having access to an EMV parameter management system. The closer the fraud detection tool and the EMV parameter management tool can work together, the better the risk management solution.
However, just as the EMV card can reveal more data to combat fraud, a combination of all data about a consumer’s payment transaction needs to be drawn into anti-fraud techniques. This is especially the case as measures to combat card-not-present fraud see the EMV card playing a universal role in payment transactions.
Fraud migration trends over the past year post-EMV migration have shown that no longer is lost or stolen fraud the primary mode of attack, through the theft of a card followed by the forging of a signature. Instead, the dominant method is now account takeover where fraudsters steal the identity of a victim in order to have access to his or her accounts. In fact, a recent survey by Which? magazine showed that 25% of people in the UK have had their identity stolen or knew someone who had.
The response by progressive banks has been to deploy technology that is able to analyse each and every transaction for propensity to be fraudulent. The most advanced technique is to use neural network technology that evaluates the characteristics of each transaction combined with a custom risk model built from transaction data and recorded patterns of both acceptable and fraudulent activity for accounts within that portfolio. This custom neural model allows a scoring engine to assess and judge risk for each transaction using a variety of advanced algorithms, parameters and accumulated statistics.
Each and every transaction is also filtered against pre-defined rules, so that the likelihood of false-positive instances being flagged up to investigation staff is minimised. Furthermore, real-time deployment, amendment and deletion of these rules gives enormous control and flexibility to the bank.
It is important to note that such techniques need not be limited to the transactions themselves but can just as easily be applied to usage patterns. As such, potentially fraudulent activity can be detected such as cards being lost or, most significantly within the EMV environment, issued cards which are never received.
By being able to extract extra information from the EMV parameters within smart cards, banks can further reduce the number of false positives that their anti-fraud systems will throw up. This is because the system will have a more complete picture of the user, allowing a richer modelling of the transaction’s propensity to be fraudulent. Similarly, this will allow the system not only to detect fraud earlier but also to identify new or emerging fraud threats.
These approaches, combined with the enhanced processing of the new data, can act as a “safety net” and cut fraudulent transactions significantly. Banks have invested significant sums in EMV compliance, yet many are missing out on the potential of EMV data. If the banks have the ability to drill down further into this data, they and their customers will reap the benefits.