Fraud detection (and protection) can be complex, but the easiest approach is to be proactive – sooner rather than later. PYMNTS recently spoke with Jonathan Hancock, Director of Fraud Management Solutions at TSYS, about the upcoming EMV deadline and the value of consumer education in the fight to protect our data.
EMV standards are coming to the U.S. in just a few months. The expectation is that while card losses may decline, that could be offset by the rise in CNP fraud. What steps should card issuers take today to prepare for this scenario?
JH: EMV standards cover a number of payments security areas on a global basis – notably, the standards for chip card issuance, tokenization and, more recently, 3D Secure. TSYS clients are well on their way to upgrading their issued cards to the EMV chip standard; about 50 percent of our clients have already completed their rollout.
Experience from other regions that have rolled out EMV chip cards has shown us that, while initially there’s been a tendency for counterfeit to surge, it’s relatively short-lived. It’s essentially the dying throes of fraudsters in their last-ditch attempts to steal what they can by way of counterfeiting cards.
While there is evidence that the older SDA (static data authentication) chip cards can be successfully counterfeited, the more commonly used DDA (dynamic data authentication) and the next-level CDA (combined data authentication) cards have not been so to date.
Previous rollouts have also taught us that indeed, as you say, fraud will migrate to the card-not-present (CNP) channel. One of the primary steps that issuers can take to prepare for this scenario is to implement a standard known as 3D Secure, which I mentioned earlier, also managed by EMVCo.
3D Secure 2.0, as it’s known, is very much a move away from the troublesome and historic static password system. It’s much more dynamic and all but completely invisible to the cardholder — who only has to enter a one-time password into the 3D Secure system, which can be done via SMS. The system works by using very sophisticated modeling in the background to assess the risk around an online transaction – 80 percent of the time just approving it without any input required from the cardholder at all.
Issuers also need to revisit their detection system rules and strategies to ensure that they are constantly tweaking them in line with the incoming fraud trends to prevent further frauds from taking place.
I think an area often overlooked is that of cardholder education programs. Cardholders really want to be involved in looking after the security of their cards, and issuers can help them do so by educating them on best practices and teaching them what to expect when they’re using their cards online and how to do so securely.
About 49 percent of fraud falls on devices (laptops, desktops, mobile phones, or terminal) with multiple cards, making fraud detection a bit more complex. Is there a way to be proactive in situations like this?
JH: Indeed, there is. I mentioned 3D Secure and how it uses very sophisticated device profiling that operates in the background, requiring no involvement on the part of the cardholder. That assesses the level of risk around an online transaction by applying the relevant data.
Essentially, what the profiling does is look at what’s known as the “device DNA”; it takes a digital fingerprint of the device to assess whether or not it’s a known device that has previously been utilized in a fraudulent transaction. It also looks at things like the device location and compares it to where the associated cardholder has previously conducted transactions from, as well as the merchant profile and propensity for fraud, transactional value, and a number of other factors.
Based on this device profile, the 3D Secure system can make an assessment of the likelihood that the transaction in question is fraudulent, and return a decision to approve or decline based on the risk. If an assessment lands somewhere in the middle, the system will send a one-time passcode to the cardholder that can be used for additional authentication.
Finally, in your opinion, what are the biggest misconceptions about card fraud and protections and how could these be corrected?
JH: That’s a great question. One of the biggest misconceptions I come across is that people expect card fraud to involve that annoying pop-up box appearing during online checkout, asking for a password they can never remember. With 3D Secure, that pop-up box is completely history. As we’ve talked about, it’s an invisible system.
Another misconception is that customers don’t want to participate in protecting themselves. I believe they do; educating consumers on best practices has shown to have a very positive effect on reducing fraud levels.
From the perspective of the general population, you read an awful lot about data compromises, about card details or identities being stolen, pretty much every day. As a consumer, that certainly raises a lot of concerns. It’s worth saying that – while fraud is a problem area – the levels of fraud that occur are relatively low. 99-plus percent of card transactions go through without any problem. Given that, I think education is very underutilized tool that issuers can play on.
Director, Fraud Product Strategy & Services at TSYS
Jonathan Hancock serves as global director of fraud management solutions at TSYS. He is responsible for both strategic integration of TSYS’ fraud management solutions within the systems of existing processing clients, as well as innovation and new product development in the area. A recognized expert in payment card fraud prevention, investigation and management, as well as in the anti-money laundering and card scheme compliance areas, Jonathan has 20 years’ diverse payments industry experience across consumer and corporate credit, debit and prepaid products spanning Europe, the Middle East, Africa and North America.
Jonathan started his career with Barclaycard International, managing fraud operations and strategy for the company’s revolving consumer credit products across Europe, the Middle East and Africa. After his time at Barclaycard, Hancock held leadership positions with Travelex, First Ondemand Ltd. and Visa Europe before joining TSYS in 2009.
In his current role at TSYS, Jonathan is responsible for setting and driving the strategic development of TSYS’ fraud management solutions to TSYS processing clients, along with solution innovation and new product development. Jonathan is based at TSYS European Head Office in York, England, but spends much of his time at TSYS’ Corporate Head office in Columbus, GA.