How Mobile Can Curb FraudQ&A with Randy Vanderhoof of the Smart Card Alliance
Payment card fraud remains a top concern for banks and credit unions. And Randy Vanderhoof, executive director of the Smart Card Alliance, says mobility can help address fraud incidents and losses.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
One positive step: The movement toward more near-field communications. Mobile is the channel most banking institutions and retailers are riding as they coast along the NFC rails. In fact, Vanderhoof says support from Visa, MasterCard and Discover for card issuers and acquirers to rely on and accept more NFC and less magnetic-stripe will be a catalyst for mobile, which is increasingly being viewed as a more secure payments method.
"We still have to live with the legacy security challenges that exist in the U.S. payments market for another few years, while we move the market forward with more security-enabled chip technology," Vanderhoof says. "It's not going to happen overnight, but the use of mobile is going to speed the process."
During an exclusive interview with BankInfoSecurity, Vanderhoof says NFC provides more dynamic data than the stagnant information currently provided by mag-stripe transactions. That dynamic data will improve security, and supports compliance with the Europay, MasterCard, Visa standard, which is increasingly being pushed within the U.S.
The movement to NFC will be swift, and issuers and acquirers that don't take steps now to get NFC plans in place will soon face financial consequences for shifting fraud liability and fines when penalties for non-conformance take effect.
"Get educated as quickly as possible, I think is the best advice that I can give," Vanderhoof says.
Vanderhoof is the executive director of the Smart Card Alliance, a not-for-profit, multi-industry association of more than 180 member firms working to accelerate the widespread acceptance of smart card technology in North America and Latin America. Before joining the Smart Card Alliance, he was employed with IBM Global Smart Card Solutions; an international product group supporting IBM's smart card services to its global banking, healthcare, and government industry vertical teams. Previously, he served on the Executive Board for the Alliance as a corporate member from 1998 to 2001.Following is an edited transcript of Tracy Kitten's conversation with Vanderhoof.
The Changing Payments Landscape
TRACY KITTEN: How are financial institutions addressing their greatest payments security concerns?
RANDY VANDERHOOF: That question covers a couple of different areas. I would begin by saying first that we still have to live with the legacy security challenges that exist in the U.S. payments market for another few years while we move the market forward with more security enabled chip cards in the form of contact and contactless chip cards. But it's not going to happen overnight. The other area that I think is still a concern is e-commerce and card-not-present fraud.
Because until we can really address those areas of weakness in terms of security, we have to fix the card present problem first. That's going to take some time to do. But I think the technology shift and the opportunity for merchants, issuers and processors to all start to look at their overall infrastructure and implement changes will enable a faster transition than it would be if we were taking those on one at a time.
KITTEN: When we last spoke in July, we touched on the connection between anti-fraud investments and lost revenue in debit interchange. Eight months later, what's changed?
VANDERHOOF: I think over time people have settled into the ideas of what impact the Durbin amendment was going to have on their revenue models and their investment planning for the future. Where eight months ago there was a lot of uncertainty, there was a lot of concern about how this was going to impact the bottom-line of issuers. I think a lot of that has played out since then, and I think today the brands and the issuers have absorbed that change into their business strategies and they're now looking forward to some of the other things that are on their plates, like increasing options for consumers to expand the payments marketplace, as well as incorporating some of the new technologies like EMV and mobile payments into their product offerings.
The Evolution of NFC
KITTEN: How will NFC payments evolve?
VANDERHOOF: NFC payments is payments is going to the accelerator for this overall movement to chip technology in the U.S. market. So, all of the major card brands have already announced EMV migration strategies that includes mobile NFC as an important component for that. As the acceptance infrastructure changes to incorporate EMV at the point of sale, those changes will also incorporate the acceptance of contactless payments, which will then speed the adoption of NFC mobile payments. One of the things that most concerns people looking at NFC is when would people be able to interact with an NFC-acceptable payments terminal. Without EMV, we'd be limited to a fairly populations of merchants that have already adopted contactless payments cards. But now with EMV, that terminal infrastructure is moving faster and changing quicker, and now we see that contactless payments and EMV will help each other to increase the turnover in acceptance at the point of sale.
KITTEN: How will banks and credit unions be impacted by the EMV compliance deadlines announced by Visa, MasterCard and Discover?
VANDERHOOF: It means that they're all now moving in the same direction, which we didn't have before the recent Visa, MasterCard and Discover announcements. Also, the timelines that merchants and acquirers were looking at, in terms of planning their upgrade strategies, have also been aligned. So, we have a clear technology roadmap that all of the major brands, with the exception of American Express, so far, have announced. And we now have a clear direction for merchants and acquirers in terms of knowing what they have to invest in, in terms of their terminals and how they're going to process and manage data, so that over the next three years, as we move from the incentive side of the roadmap to the areas of liability shifts and costs if they don't move, they can build in this, changes of their technology and acceptance infrastructure in a more orderly fashion and plan it accordingly.
The Mobile Migration
KITTEN: How will migration to EMV impact mobile?
VANDERHOOF: It's going to help the adoption of mobile, because, as I mentioned earlier, the EMV roadmap incorporates both contact and contactless card technology, so one infrastructure will be implemented for EMV and that same infrastructure will then be available to leverage the NFC-enabled mobile payments, which use the same contactless interface as do contactless cards and EMV cards. So this is really an advantage for accelerating NFC adoption in the U.S., because again, one integrated roadmap for both EMV cards and EMV-enabled mobile phones provides for a much faster conversion rate for the very large and complicated U.S. acceptance infrastructure.
KITTEN: How will mobile payments affect credit and debit?
VANDERHOOF: It seems to me that the credit infrastructure is an easier infrastructure to move from mag-stripe to EMV, and then on to mobile NFC. But with debit, we have other complicating factors, in term of the number of debit networks that also have to upgrade and change simultaneously, as well as the challenges associated with routing those transactions and the use of PIN in those environments and how that's all going to be incorporated into the EMV card and the NFC mobile payments world. So, I think debit is certainly going to be moving at the same time as credit cards, but I think the challenges facing the industry to get debit fully integrated into EMV and NFC are going to take a little longer to mature.
KITTEN: Are U.S. card issuers seeing reductions in fraud because of NFC, or is too early to gauge?
VANDERHOOF: For U.S. issuers, it's fairly early to gauge, because the transaction volume on dynamic cards, which also provide transaction data, hasn't been that great. There's such a large number of mag-stripe transactions that are still going through the system, they're probably not going to see a significant change that information that dynamic data is going to impact on. But as the U.S. issuers begin to migrate their portfolios from a mag-stripe environment to an EMV environment, and more merchants start to offer EMV-capable terminals, then the amount of dynamic data entering the system is going to slowly replace existing static data on mag-stripe transactions, and then we fully expect that there's going to be an impact on the fraud rate; because we know that with dynamic data, the transaction data that's in the system can't be used to create fraudulent transactions.
KITTEN: What do you see coming up next for mobile?
VANDERHOOF: EMV on a mobile device is a fairly short step forward from EMV on a card, because the EMV card-issuance model, utilizing the additional EMV data and the encryption of the information, is going to be replicated on the mobile phone. The only thing that really changes is on the mobile phone, in terms of EMV payments, is how the mobile device gets provisioned and there's been two or three years worth of development work with trusted service managers in the mobile networks in developing the infrastructure to communicate with the mobile phones and to provision those mobile phones securely to accept the payment application that's going to reside on them. Once that payment application is on the mobile phone, then if the terminal is capable of processing an EMV transaction, it'll automatically default to that EMV format. So it will basically be controlled by the application that's in the terminal and the application that's on the phone; it won't be something that users will have to select.
KITTEN: What recommendations would you offer?
VANDERHOOF: Get educated as quickly as possible, I think is the best advice that I can give. The Smart Card Alliance has been doing a lot of work in the last few years in publishing information, doing webinars, providing conference opportunities for the industry to learn about what's happening in the market's movement from mag-stripe to contactless cards to EMV and then, ultimately, to NFC mobile. So there is a lot of that information already out there. But getting that information out to the individual issuer's hands and the people who are responsible for changing their issuance infrastructure and acceptance is going to take some time. So I would say for issuers, they should be joining organizations, like the Smart Card Alliance, and paying attention to the information that's out there and available to them, and engaging with their partners, whether it's their card suppliers, the brands that support them, or even their merchant relationships and understand just what impact it's going to have on their basic infrastructure and be prepared sooner rather than waiting until the liability shift, and then everyone is in a rush.