A Quick Fix for Card FraudGrocer's Card Breach Proves Payments Needs New Tech
The grocer, Modesto Save Mart Supermarkets, last week admitted card readers at self-service checkout lanes in 20 of its stores - the majority of which operate under the Lucky Supermarkets brand - had somehow been breached. [See Fraud Scheme Hits Grocer.].
FIs will begin to understand that with this empowerment comes a reduction in fraud and fraud costs, not just for the FI, but the consumer as well.
Now industry pundits are scratching their heads, asking, "What went wrong?"
Well, here's what we don't know: Were the readers and PIN pads swapped, as was the case in the Michaels point-of-sale breach, or were they just manipulated to capture card data? Were skimming devices affixed to the terminals, or was card data merely being captured and transmitted, or stored, and then retrieved by someone who had regular access to the machines?
The breach also has raised questions about PCI compliance: Were the POS systems meeting minimal requirements called for within the Payment Card Industry Data Security Standard, or is the PCI-DSS itself flawed?
The incident shows the payments chain has many gaps, and merchants, unfortunately, are often one of the weakest links.
The solution? Well, full PCI compliance would be a great place to start, but that only fixes the problem if the readers and PIN pads are not physically swapped. Another option: Drop the outdated mag-stripe, and start moving U.S. cardholders over to the Europay, MasterCard, Visa chip and PIN standard, better known as EMV. With the chip, EMV supporters argue, the card information could not be captured in the first place.
Here's my take: PCI compliance should be a given, but it doesn't address all of the risks. And a cardholder transition to EMV, even if initiated tomorrow, will take years to roll out fully. The industry needs a quick-fix solution, and determining what that might be has proven more challenging than one might assume.
But there are options. Recent discussions I've had with industry experts have revealed some surprisingly quick-fix options that financial institutions, as card issuers, really should consider more seriously than they have in the past. One calls for getting consumers more involved in the transaction process, and based on what I'm hearing more from a variety of sources, more involvement is something consumers want.
Phil Blank of Javelin Strategy & Research says the best thing bankers could do today is launch two-way text-alerting systems for payments approvals.
"If FIs [financial institutions] would encourage consumers to set alerts on their credit and or debit cards, a lot of this would be detected a whole lot sooner," Blank says. "Skimming is only effective if there is a delay between the time of the skim charge and the time the consumer notices it on their statement. Without alerts, the fraudsters will always have the upper hand."
With a two-alert, to a mobile device, presumably, before a transaction is approved, the consumer has to verify the transaction. So, the card is swiped at the merchant, the bank sends a text alert to the consumer, and then the consumer approves or declines the transaction with a text back to the bank.
The process, Blank says, is not difficult for banks to manage, and the two-way communication can occur within seconds of the card swipe. But few institutions have taken advantage of this technology.Adoption of text alerts for payments has been slow, but the FIs are coming around. "We have seen the first emergence of review and release types of implementations, which really allow the consumer to be in control," he says. "There are also a whole new class of product that will be entering the market, which should significantly speed up adoption. Over time, FIs will begin to understand that with this empowerment comes a reduction in fraud and fraud costs, not just for the FI, but the consumer as well. With increasing pressures on FIs' bottom lines, reducing fraud is a great way to reduce costs and increase margins."
Blank is right. I want to see more of this technology in 2012. As a consumer, I'd like to have it. Until then, as I've said before, I'm sticking with cash.