Consumer card transactions will overtake cash transactions for the first time in 2016, according to global research firm Euromonitor International.
Cash is expensive to manage and is extensively used in the underworld. “A less-cash society would be a fairer and safer place,” Kenneth Rogoff, a professor of economics at Harvard, wrote earlier this month. But card use is fraught with problems as well, particularly in the U.S., which accounts for half the world’s card fraud.
“The average card will pass through three data breaches,” said Canh Tran, CEO of fraud detection service Rippleshot. “The problem for issuers is that 20% of customers don’t reactivate cards.” Reactivating cards after breaches is also expensive, particularly in the case of EMV cards.
A hot new area in card fraud is gift cards, where cards can increasingly be digitally issued and used without much friction.
Breaches can happen at the point of sale and online. Shopping online, unless a form of tokenization as with Apple Pay is present, robs the consumer of the benefits of EMV, and reduces all transactions to magstripe level, with fixed and therefore hackable information. Rippleshot’s technology identifies trouble spots — hacked merchants — and identifies cards likely to be used in future fraud attempts. The company does this by identifying the velocity of breaches, Tran said, and analyzing client spending patterns.
Rippleshot makes fraud patterns visible and forms rules about whether or not a certain card should be reissued. “It’s about looking at cost versus estimated loss,” Tran said. In other words, fraud or no fraud, sometimes it doesn’t make financial sense to do the more secure thing.
The ROI argument certainly does not seem to have convinced credit unions, the majority of which have yet to adopt EMV cards. Around 30% to 40% of credit unions have issued EMV cards, according to Caroline Willard, EVP of Markets and Strategy at CO-OP Financial Services, which supports 3,500 credit unions and their 60 million members. Many merchants have yet to switch as well: new point of sale devices can be expensive, particularly for smaller businesses.
Israel, for all its security acumen in the startup world, is one of the few countries where payments with magstripe cards are still common. Its deadline (3-1/2 years, set in 2013) is fast approaching, but the country and its issuers are making rapid progress and the deadline should be met, according to Ohad Maimon, EVP of business development and strategy at Leumi Card, one of the largest providers of payments cards in Israel.
Card fraud leading to identity theft was the subject of an entertaining/infuriating tweetstorm by Stripe engineer Patrick McKenzie last week:
You say “identity theft”, I say “a strangely socially acceptable discourse by which financial institutions shift fraud risk to consumers.”
— Patrick McKenzie (@patio11) September 18, 2016
McKenzie, who works on one of the web’s most widely used payment systems, was making the point that consumers should not be responsible when their identity is compromised by merchants’ insecure systems or banks’ outdated cards.
In the case of card fraud, even if merchants are at fault, it is generally the banks who pay, and they will continue to pay until all the cards are updated and payments systems take fraud seriously, rather than as an acceptable cost of doing business.