Security Lessons from the Cartes America Conference
Cartes Secure Connexions America took place in May in Washington DC. This conference, which attracts global professionals in the payments, identity and mobility industries, was largely focused on security trends, with a great emphasis on the US migration to chip-based cards and security as it relates to future mobile payments scenarios.
US playing catch-up to the rest of the world
The US is the last developed market to still predominantly use magnetic stripe cards instead of the chip-based cards that are commonplace in every other corner of the world. Of course, that is changing as the US is in the midst of a transition to become compliant with EMV, the standard named for Europay, MasterCard and Visa.
EMV is a global standard for the acceptance and interoperability of chip-based smart cards. All four of the payment networks in the US — American Express Co, Discover Financial Services Inc, MasterCard International Inc and Visa Inc — have announced plans for the transition. The next major deadline coming this October will shift the fraud liability to any party — either the issuer or merchant — which does not support EMV. The liability shift does not apply to petrol stations with the automated fuel dispenser key pads until October 2017.
Angel Grant, who is the senior manager for fraud and risk intelligence at RSA Security, spoke of the thriving cybercrime underground where fraudsters pawn credit card, identification and even loyalty card membership details gathered from unsuspecting consumers. She said cybercriminals are even offering one-stop services to set up a phishing attack, which assist hackers in redirecting websites to fraudulent ones and even help them determine what information to collect from their victims. Grant added that fraudsters target the weakest link in any type of system, and today in the payments world that is the US.
“Criminals know the strengths and weaknesses of each market,” she said. “EMV will narrow that window of opportunity in the US and even lower the fraud risk in other markets, which will no longer have to support mag stripe.”
Once a majority of the US market has made the transition, EMV undoubtedly will lower the fraud that occurred as a result of mag stripe cards and also expand upon the number of international acceptance points for jet-setting US consumers. Lastly, the EMV migration also has the potential to move the industry one step closer toward dynamic authentication and ultimately pave the way to mobile payments.
Of course, the importance of fraud prevention will not fade as commerce shifts toward digital devices. “As the world goes mobile so does fraud,” Grant said, noting that almost a third of all fraudulent transactions already come from mobile devices.
New payment methods, same old battles against fraud
Fraud is a moving target, and the end goal for fraudsters is the cardholder’s main account number. If a new security system is created, fraudsters will become that much more aggressive. If consumer payments shift toward a new form of payment, fraudsters will seek out the most vulnerable element, even if it is a mobile device. That being said, mobile devices have unique characteristics, including the ability to enlist biometrics and geolocation, which could both assist in this fight against fraud.
“To combat different types of fraud, a multi-layered approach is needed,” Mansour Karimzadeh, the CEO of security firm SCIL, said during a presentation at Cartes America. “The mobile device is the one tool with the ability to deliver a multi-layer approach to fraud prevention.”
For example, the geolocation abilities of mobile devices could be leveraged for fraud detection and customer notifications, which may be able to recognize when the phone is in one place and a transaction occurs in another. Biometric technologies are already being leveraged in mobile payment platforms, such as Apple Pay, which requires consumers to confirm the payment via a fingerprint at the point of sale.
Lastly, the mobile device can work as a conduit for deploying tokenization, which substitutes the primary account number with a different single-use number. If the substitute account number were stolen, it would be of limited use to fraudsters since it is essentially a temporary code. This relatively new security concept has also taken the fraud risk out of the hands of merchants, which can track consumer behavior and provide customer support without the risk associated with storing a customer’s primary account number.
“All of these have to be done in conjunction with one another,” David Keenan, senior vice-president of network solutions of Fiserv, said during his keynote presentation at Cartes America. “It does no good to build a 100-foot wall, if you have a two-foot wall on the other side.”
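The single-use substitution described in the tokenization paragraph above, sketched as an added example (not code from the article or from any payment network). `TokenVault`, `Merchant` and the keyed-hash customer reference are hypothetical names and design assumptions, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets

class TokenVault:
    """Hypothetical issuer-side vault; the only place the real PAN is held."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # vault-only key for customer refs
        self._pending = {}                   # token -> PAN until first use

    def issue_token(self, pan):
        # Random 16-digit stand-in with no mathematical relation to the PAN.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._pending:
                break
        self._pending[token] = pan
        return token

    def authorize(self, token):
        # pop() enforces single use: a replayed or unknown token is declined.
        pan = self._pending.pop(token, None)
        if pan is None:
            return None
        # Keyed hash of the PAN: stable per card, useless without the vault key.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()[:16]

class Merchant:
    """Hypothetical merchant; stores tokens and customer refs, never a PAN."""
    def __init__(self, vault):
        self.vault = vault
        self.orders = []  # everything a breach of the merchant would expose

    def checkout(self, token, amount):
        ref = self.vault.authorize(token)
        if ref is None:
            return False
        self.orders.append({"customer": ref, "token": token, "amount": amount})
        return True

def demo():
    pan = "4111111111111111"  # constructed test number, not a real card
    vault = TokenVault()
    shop = Merchant(vault)
    first = shop.checkout(vault.issue_token(pan), 25.00)
    token = vault.issue_token(pan)
    second = shop.checkout(token, 9.50)
    replay = shop.checkout(token, 500.00)  # the same token presented again
    return first, second, replay, shop.orders
```

Both orders carry the same customer reference, so the merchant can still link purchases by one card, while the replayed token is declined and the stored records contain no account number.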
Besides attending the conference, Evans chaired the mobile payments track and delivered a standalone presentation, which was entitled, “The Five Trends Shaping Mobile Payments Today.” Evans also served as a member of the conference’s first-ever advisory council, whose primary purpose is to guide the development of the show, and lastly was a jury member for the 2015 American Sesames Awards.