Recent statistics disclose that two-thirds of all non-cash payments are being made by a combination of credit cards and debit cards. With 775 million general-purpose credit and debit cards issued and activated, cyber criminals are deploying ever increasingly sophisticated skimming devices to steal vital credit and debit card information.
At ATMs and gas pumps, across open wireless networks, by intercepting online transactions and Web traffic and by hacker-generated mass data breaches, fraudsters have become creative in collecting card content. Restaurant servers and retail store clerks use less complex methods by simply copying customer card information.
In 2012, these fraudulent intercepts caused 13.7 million fraudulent credit card transactions equaling $2.3 billion and 14.9 million fraudulent debit card transactions totaling $1.5 billion.
Fraud More Likely to Occur When Card is Physically Produced
The fraud involving these cards was twice as likely to occur when the card was physically produced at the point of sale, commonly referred to as a “card-present” transaction. Regardless of the fraudulent means or method, ultimately it all boils down to who bears the risk of loss: the card issuer (MasterCard, VISA, etc.), the bank or the cardholder. The answer to this question depends on whether or not the transaction was “authorized”.
Federal laws protect credit cardholders from liability resulting from unauthorized transactions. Under the federal Truth in Lending Act (TILA), a cardholder’s liability for unauthorized charges is limited to $50 even if the card is lost or stolen and the cardholder never reports the loss. If the credit cardholder takes the initiative to notify the card issuer (VISA, MasterCard, Discover, American Express) of a lost or stolen card, even the $50 liability may be reduced. Furthermore, MasterCard and VISA have voluntarily agreed that their cardholders will bear no liability for any unauthorized charges, regardless of when the charges were made or whether the card was stolen or fraudulently used, either online or offline, as long as they promptly report a lost card or fraudulent card activity.
Card Issuer Liability
Who, then, does bear the risk of loss for unauthorized credit card charges? Network rules developed by the card issuer networks (e.g., MasterCard and VISA) place the risk of loss for unauthorized card-present transactions on the card issuer (provided the merchant followed requisite verification procedures) and in card-not-present transactions (e.g., telephone or Internet transactions), the rules place the risk of loss on the merchant.
To further combat credit card fraud, card issuers are adopting the use of EMV (Europay, MasterCard and Visa) credit cards enabled with a microchip that stores customer data and will replace the traditional magnetic stripe on the back of the card. The chips generate a unique code for every transaction that cannot be used for other purchases. If a hacker steals the chip information from one specific point of sale, the traditional method of card duplication will not work because the stolen transaction number created would not be usable again. This new technology will not prevent data breaches from happening, especially in the case of card-not-present transactions, but it will make it much harder for fraudsters to counterfeit cards and steal information.
EMV cards are prevalent worldwide. Card issuers in the U.S. are jumping on the bandwagon. Visa, MasterCard, American Express and Discover have been aggressively replacing existing cards and want the U.S. converted to chip-enabled cards by October 2015. In the meantime, banks are producing cards with both the new microchip technology as well as the magnetic stripe while retailers get on board with the transition and change out their card reading machines. After the 2015 deadline, fraud losses will shift to the retailer if they don’t have the proper point-of-sale payment terminals to read the new cards.
Cyber-Security Essential as E-Commerce Continues to Grow
Although there is approximately $1.36 trillion dollars of U.S. currency and billions of checks in circulation, e-commerce is still growing around 15.4% per year and generating $304.9 billion in retail sales. At this rate, we should expect protection against, and prevention of, data security breaches and cyber threats to continue to command our attention. A safe, secure and reliable electronic payment system is only as good as the effectiveness of its cyber security. This means that it is incumbent on both the public and private sectors to coordinate defenses and develop standards and protocols to keep pace with the ever-evolving threat of cybercrime.