As Adoption of EMV Gains Momentum in U.S., Thoughts Turn to Addressing CNP Fraud

 

24 Mar 2015

We have said before that credit and debit card-issuing financial institutions and merchants have already begun rolling out stronger identity-authentication technology known as EMV (or “chip and pin”) to comply with an adoption deadline in the U.S. of Oct. 1, 2015.

EMV relies on two-factor authentication – a microchip embedded in the card and either a user’s PIN number or signature — to curtail fraudulent purchases with cards in retail transactions. EMV is already widely used in other parts of the world, especially Europe and Canada…and now it’s coming to the U.S.

But bolstering face to face card-present transactions against fraudulent uses through EMV is expected to cause a sharp rise in the incidence of card-not-present (CNP) fraud attempts where transactions are performed online.  After all, that’s what fraudsters did in the U.K. and Canada after EMV was implemented.

At Finsphere, we have a simple, safe and secure solution that can help thwart CNP fraud similar to the way Visa’s Mobile Location Confirmation (MLC) enhances card issuers’ mobile-banking apps to combat card present fraud. Our patented Mobile Proximity Correlation uses the proximity of a user’s mobile phone to where a CNP transaction originates – such as the IP address of the user’s browser or other location-identifying attributes — as a key factor toward authenticating a legitimate activity.

Again, it’s using one of our strong points – a combination of technologies and analytic capabilities – to authenticate identities and separate attempted fraudulent transactions from those that are on the up and up.  CNP fraud is often attempted using stolen credit or debit card data.  Given the continuing rash of high-profile computer system hacks of retailers such as Target, Staples, Home Depot and others, Finsphere’s technology is well positioned to help out the cardholder to make online transactions simpler, safer and securer, whether in the pre- or post-EMV world.

We’ll have more to say as the EMV-adoption deadline draws near. In the meantime, we invite your thoughts here or on Twitter, Facebook, or LinkedIn.

Robert Boxberger,

President, Finsphere

Finsphere – The Importance of Privacy

It wasn’t easy.

I was looking forward to attending the International Association of Privacy Professionals’ (IAPP) Global Privacy Summit 2015 in Washington DC this week. Since joining Finsphere in 2009, I have attended several IAPP conferences in Europe and the United States. The meetings have been very valuable in helping me grow in understanding the nuances of privacy requirements and are a reflection of the importance of privacy to Finsphere. After all, on a personal level, Finsphere has funded my attendance at the conferences – not to mention paying me for the work I do as its Chief Privacy Officer.

This time it was with great excitement that I could discuss the recent announcement of the Mobile Location Confirmation (MLC) service by Visa with my peers at the conference. MLC is a service built around the concept that your mobile phone is a proxy for your identity, meaning it can be used as an authentication factor for validating your credit and debit card transactions. And Finsphere is the underlying provider of the geolocation information and associated contextual analysis. Not only am I excited about Finsphere’s part in the provisioning of this service, I am excited about how important individuals’ privacy was in its development.

The simple way for us to have built the service was to use technology that always tracked the individual. Simple, but one of its big downfalls is the negative perception associated with tracking. Even if the bank knows exactly where the financial transaction is occurring, we did not want to give customers the perception that an issuer’s MLC-enhanced mobile banking app is constantly monitoring them.

So, with a ‘privacy by design’ background, and working with our Visa counterparts, we designed a service that minimizes the privacy footprint. It starts with informed consent – cardholder explicit consent is required, with easy opt-out at any time. Next, to avoid always tracking the mobile device, geolocation specificity is minimized in a few ways. First, MLC does not need specific location, as in GPS-type location. Instead, a home area is created for each cardholder that Visa has set initially to be a 50 mile radius. On any given day, most people will never travel outside their home area. In that case, the app will simply notify Visa once a day that the cardholder is still within their home area. When a cardholder leaves his or her home area, MLC provides more frequent, albeit still general, geolocation information for helping to authenticate and validate card transactions.

Other privacy-enhancing choices include persisting only the last known location in the mobile banking app and minimizing the data Finsphere receives to an issuer-generated device ID and the location from the app (in this way we do not know who you are or specifically where you are, and we do not have any other personally identifiable information about you or the transaction). The bottom line for MLC is that the cardholder’s privacy is and will be an ongoing critical design element.

So, I mentioned at the beginning of this blog that “it wasn’t easy.” This was referencing not only developing MLC with privacy in mind so it’s used only for its intended purpose – to validate card transactions – but also actually making the conference itself! I’m writing this blog from the airport, returning home to Seattle after weather delays almost prevented me from attending the conference. Luckily, I made it there and back (if only my bag could have made it home with me! I am still waiting for it…). But the silver lining has been that the privacy conference was fantastic. With over 3,000 attendees, it demonstrates the growing importance of privacy…one we have always recognized at Finsphere.

I invite you to share your view in the comments below and hope you will follow the conversation here or on Twitter, Facebook, or LinkedIn.

Jeff Brennan,

Chief Privacy Officer, Finsphere Corporation
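The reporting policy described in the post above (consent first, a 50-mile home area, one daily check-in inside it, more frequent but still general location outside it, only the last known location kept on the device) can be sketched as follows. This is an added example, not Finsphere or Visa code: the class and field names are hypothetical, and the away-from-home interval and the 0.1-degree coarsening grid are assumptions, since the post only says "more frequent" and "general".

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_MILES = 3958.8
HOME_RADIUS_MILES = 50.0      # from the post: initial home-area radius
HOME_INTERVAL_S = 24 * 3600   # from the post: one notification a day inside the home area
AWAY_INTERVAL_S = 4 * 3600    # assumption: the post only says "more frequent"
COARSE_DECIMALS = 1           # assumption: 0.1 degree grid (roughly 7 miles north-south)


def miles_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


@dataclass
class Report:
    """Everything that leaves the device: no name, card number or precise fix."""
    device_id: str                     # opaque, issuer-generated ID
    in_home_area: bool
    coarse_lat: Optional[float] = None
    coarse_lon: Optional[float] = None


class LocationReporter:
    """Hypothetical device-side policy deciding what, if anything, to send."""

    def __init__(self, device_id, home_lat, home_lon, consented=False):
        self.device_id = device_id
        self.home = (home_lat, home_lon)
        self.consented = consented     # explicit opt-in is required
        self.last_known = None         # only the most recent fix is persisted
        self.last_sent_at = None
        self.last_in_home = None

    def opt_out(self):
        """Withdraw consent and wipe all retained location state."""
        self.consented = False
        self.last_known = self.last_sent_at = self.last_in_home = None

    def observe(self, now_s, lat, lon):
        """Return the Report to send for this fix, or None to stay silent."""
        if not self.consented:
            return None                # nothing stored, nothing sent
        self.last_known = (lat, lon)   # overwrite: no location history is kept
        in_home = miles_between(lat, lon, *self.home) <= HOME_RADIUS_MILES
        interval = HOME_INTERVAL_S if in_home else AWAY_INTERVAL_S
        crossed = self.last_in_home is not None and in_home != self.last_in_home
        due = self.last_sent_at is None or now_s - self.last_sent_at >= interval
        if not (due or crossed):
            return None
        self.last_sent_at, self.last_in_home = now_s, in_home
        if in_home:
            # Inside the home area only the fact "still home" is reported.
            return Report(self.device_id, True)
        return Report(self.device_id, False,
                      round(lat, COARSE_DECIMALS), round(lon, COARSE_DECIMALS))
```

Crossing the home-area boundary triggers an immediate report in this sketch so the issuer's view does not lag a trip by up to a day; that behaviour is also an assumption.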

For Finsphere, ‘Mobile As Identity’ Is Our Reason For Being


We have always felt that the mobile phone is an ideal way to prove who you are.  On Tuesday, we stated our position as we felt it was time to go firmly on record as to why.

http://www.prnewswire.com/news-releases/for-finsphere-mobile-as-identity-is-its-reason-for-being-300040058.html?tc=portal_CAP

Give our point of view a read and let me know what you think. We invite you to share yours and hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

Mobile Location Confirmation on “CBS This Morning”


I noted in my prior blog how proud we were at Finsphere to have played a part in Visa’s announcement of its new Mobile Location Confirmation (MLC) product. There were many great articles that followed from multiple sources announcing and commenting on MLC. However, one of my favorites is CBS This Morning’s piece on Visa’s new service. CNET’s Tim Stevens does a great job describing the offering and his feeling about it…I couldn’t have said it better myself.

As always, we’d appreciate hearing your comments and we encourage you to stay tuned for further developments as we get closer to the rollout of MLC this year. You can connect with us on Twitter, Facebook, or LinkedIn.

Mike Buhrmann

CEO, Finsphere

Finsphere’s Key Role in Visa Announcement


At Finsphere we’re all extremely proud of the part we play in today’s announcement by Visa of its new Mobile Location Confirmation (MLC) product.

Visa partnered with Finsphere for critical infrastructure services, including our expertise in location-based services, our toolkit which enables mobile banking apps to capture geo-location while protecting the consumer’s privacy, and our geospatial analysis engine which analyzes and transforms the geo-location data sent from the consumer’s mobile device into a format which can be easily used by Visa’s fraud-risk systems.

You can read Visa’s news release here. Visa says MLC will be available to credit and debit card issuers in April 2015.

We’re very pleased that Visa chose Finsphere’s mobile app toolkit and geospatial analysis engine as its safe and secure geo-location infrastructure solution to help protect card holders, banks, and merchants. Put simplistically, MLC will help ensure that card transactions are approved when they need to be.

Visa believes Finsphere’s geo-location services can help eliminate the need for cardholders to notify their banks of imminent travel plans, while also reducing the number of legitimate transactions that are declined while traveling, otherwise known as “false positives.”

We developed our sophisticated solution over the last six years in the belief that your mobile phone can be a proxy for your identity. Cardholder privacy, safety, and security were considered to be of paramount importance during this development process.

Finsphere has been working closely with Visa this year to implement MLC. Now that the news is out, we look forward to continuing that work in support of a successful launch this April as well as providing assistance to issuer banks as they develop MLC-enhanced mobile apps for their cardholders.

It is thrilling that such a reputable market leader like Visa is endorsing the technology we’ve worked so hard to build. As always, we’d appreciate hearing your comments and we encourage you to stay tuned for further developments as we get closer to the rollout of MLC this year.

EMV is Coming to the US, but at What Cost?

Those who follow my musings here will recall two posts last July devoted to the “myths and truths” of EMV. The EMV solution has been widely embraced in Europe and Canada, but continues to face uncertainties on the way toward adoption in the United States. Driven by the desire to cut card fraud, EMV card rollout continues with one estimate showing that nearly one third of issued credit cards will be EMV by the end of 2015. And while EMV has been shown to cut some types of debit and credit card fraud, a case can be made that fraud will just shift from one transaction type to another.

Synonymous with EMV, “Chip and Pin” refers to a payment system for credit and debit cards consisting of a computer chip embedded in the card and a requirement for the cardholder to enter a personal identification number (PIN) or a signature to authenticate a transaction.

Implementation of EMV in the U.K. and Canada has been credited with decreasing fraudulent uses of credit and debit cards, but not all types of fraud are reduced, and EMV has the downside of sharp increases in Card Not Present (CNP) fraud where the transaction does not occur in-person, such as telephone, online, and mail-order purchases.

Industry watcher 451 Research, in a recent report, said that during Canada’s EMV rollout, the Royal Canadian Mounted Police reported the country experienced a 25% increase in CNP fraud between 2009 and 2010. This parallels what occurred in the U.K., where CNP fraud jumped by 79% between 2005 and 2008.

These experiences show that switching to EMV shifts fraudulent transactions from brick-and-mortar businesses to online, telephone, and mail-order retailers. Why would our experience in the U.S. be any different? Chances are, it won’t be.

EMV is coming to the U.S., so card issuers and businesses need to prepare for an increase in CNP fraud. We are working with industry leaders on solutions to address CNP that are simple, safe, and secure…more to come on this in future blogs!

We invite you to share yours and hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

 

Will Apple’s Mobile Payments Service be Secure?


Over the weekend, I read and watched several pieces about Apple’s new mobile payments service, specifically about the security of the new service. By far, the most interesting to me was an interview on Bloomberg TV with Shape Security Director of Product, Michael Coates, and Square’s former COO, Keith Rabois.

While both interviewees were focused on Apple’s new service, what interested me most were their views on today’s payment protections and security.

Keith shared his view that today’s debit and credit cards are extremely exposed to fraud, and protected by a user PIN or signature at best. I believe Keith underestimates the tremendous amount of fraud analytics that happen behind the scenes to protect users’ transactions. Keith does note that signature validation is rarely checked by merchants, which is an all-too-valid observation and a point I plan on discussing in an upcoming blog post as it pertains to the introduction of EMV in the United States.

In discussing authentication, Michael Coates certainly gets it right when he says we need to move away from user passwords and towards additional systems that employ user-friendly two-factor authentication. The constant trade-off is adding security layers for better payment protection, but ensuring that the defenses employed are frictionless and convenient for the customer.

Both interviewees understood the tradeoff is security versus usability: the more security layers you add, the more cumbersome the payment process tends to become for the consumer. Only when this balance is struck will the customer be likely to take full advantage of the security technology. Here at Finsphere, we are strong advocates of multi-factor authentication and believe that adding security that is noninvasive and works in the background is critical to usability and acceptance by the customer.

I am excited by Apple’s recent announcement of its new mobile payment service and the many conversations about security and payments usability it has sparked. As my previous blogs have shown, I am certainly in favor of simplifying the financial experience for customers!

I encourage you to watch the interview and let me know your own views in the comments here, or on Twitter, Facebook, or LinkedIn.

Until next time,

Mike Buhrmann,

CEO, Finsphere

EMV Myths and Truths (continued)

In my last post, I examined the first two myths and “truths” presented in a recent downloadable report from Gemalto titled “Four myths and truths about EMV payments.” We looked at some hard numbers regarding the US migration to EMV, as well as the rationale behind adopting EMV at all, as opposed to transitioning straight to mobile payments. These two topics were fairly easy to tackle, but the next two are a bit more complicated. Here is my stance on the last two myths and proposed “truths.”

Myth #3 – EMV isn’t the right solution because it doesn’t address CNP (card-not-present) fraud, leaving e-commerce and online fraud untouched. 

Truth – Actually, EMV payment cards enable some of the most successful CNP fraud solutions in the world.

I mentioned in my prior post that I believe Myth 3 and its “truth” minimize the level of fraud still present after EMV implementation. Actually, Myth 3’s truth never addresses the level of CNP fraud remaining. I have yet to see a report anywhere showing anything other than a spike in CNP fraud after EMV implementation. In fact, some of the growth statistics regarding CNP fraud post-EMV are startling.

The Gemalto report claims that EMV payment cards enable more effective authentication tools for CNP fraud (if only merchants and banks would implement them!), which include one-time-passwords, on-card PIN codes, and personal card readers. All of which likely add another layer of end-user interaction and complication.

Myth 3’s response ends by pointing out that EMV payment cards are a worthwhile solution for card-present fraud reduction alone, and “can enable” strong authentication against CNP fraud too. There is no question that EMV payment cards have significantly reduced card-present fraud following implementation – no doubt worthwhile for those with a card-present-only solution. What is less clear is whether it is worthwhile when CNP fraud is considered a part of total card fraud, especially if it will take significant time, money, and effort to enable additional solutions.

Myth #4 – EMV is expensive and difficult for merchants to deploy.  

Truth – EMV payment technology is cheaper and easier for merchants to install than ever before.

Gemalto’s truth statement is technically true. Most technology becomes cheaper as time passes and development continues. That EMV might be less expensive and less difficult to implement now than previously does not alter the fact that the total cost of merchant deployment in the U.S. is projected to run into the several-billion-dollar range. In my opinion, a more credible statement is that EMV implementation is costly and deployments can be time consuming and technically challenging, but that the return on investment can be worth it.

Concluding thoughts:

Gemalto states up-front that the purpose of its “Four myths and truths about EMV payments” is to address four of the most common myths associated with the migration to EMV chip cards. I believe it did choose the most common concerns associated with the EMV migration underway in the U.S.; however, I believe the responses could have been more direct and precise in context to add credibility to the overall report.

Next up, I’ll submit my own myth about how EMV will simplify the customer experience and then provide my own truth! And I promise to do my best to provide the appropriate amount of context and balance. Until then, we hope you’ll follow the conversation and share your views in the comments or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

EMV Myths and Truths

I received an email this past week offering a downloadable report from Gemalto titled “Four myths and truths about EMV payments.” The offer ended with the statement, “Read more and then take a stance.” How could I resist? I figured the report would be somewhat slanted given that Gemalto has a vested interest in EMV, but nevertheless, downloaded the report. The following are my thoughts on the first two identified myths and truths – my stance, if you will.

Myth #1 – EMV will never take hold in the U.S.

Truth – The migration to EMV is well underway, and momentum is growing.

The only argument I have with the above “Truth” statement is the use of the word “well.” The migration is clearly underway, but how “well” it is going in terms of timeliness is debatable.

The report clearly points out that the issue of timing involves the cards and terminals – end-users have to have EMV chip cards and merchants have to have point-of-sale (POS) terminals to read them.

EMV will truly arrive in the US when cards and terminals are in place to support it. The good news is that current estimates call for 100 million EMV chip cards issued and 4.5 million physical terminals to be in place by year-end 2014. But even at this rate, it is projected that 50% of merchants will still not be ready to accept EMV payments by the fourth quarter of 2015.

Bottom line: Yes, the migration is underway and the momentum is growing. But, to be fair, a transition that will cost businesses over $8 billion to implement is not going to happen overnight. Nor was that the expectation, based on the durations of the EMV implementations in other parts of the world and the complexity of the U.S. market. Fortunately this report is not claiming that the migration will be complete any time soon…now that would be a myth!

Myth #2 – It makes sense to jump straight to mobile payments.  

Truth – Cards aren’t going away, and we need to secure them. EMV chip cards and mobile payments will both likely be big players in the payment ecosystem for the foreseeable future.

The underlying assertion made by some is that the U.S. should skip EMV and move straight to mobile payments. Gemalto points out that new contactless POS terminals are capable of handling both EMV and mobile payments and that not all customers own a smartphone or want to pay with their mobile phones. In essence, the migration to EMV provides a path for both mobile payments and contactless EMV cards and more choice for consumers. I am in agreement with the rationale behind the truth asserted here; cards are not going away soon and there is a foreseeable path for both mobile payments and cards in the future, if merchants choose to go that route.

Myths 1 and 2 were fairly easy to tackle. In a future post we’ll examine myths 3 and 4 of the Gemalto paper. Myth 3 deals with card-not-present transactions and I think the so-called “truth” minimizes the level of fraud still present after EMV implementation. Myth 4 deals with the expense and difficulty for merchants implementing EMV technology.

After that, maybe I’ll submit my own myth about how EMV will simplify the customer experience and then provide my own truth! Until then, we hope you’ll follow the conversation and share your views in the comments or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

Happy New Year! – Some Resolutions for All of Us

Happy New Year! And with the new year comes the inevitable resolutions – pledges to lose weight, exercise more, read a new book, spend more time with the family, eat healthier – the list is endless. On my way to work this morning, I was listening to a radio announcer proclaim that the average male’s New Year’s resolution lasts three days…that’s it, just three days! Females were only slightly better – one week! Given that we are into the second week of 2014, I assume that most of us have already broken our pledges to ourselves.

But wait, don’t feel bad. In my last blog, I provided theft and fraud prevention suggestions to keep your identity (and money) safer. In this blog, I will recommend two resolutions for 2014 that are very easy to do and keep. And the payoff is increased security and soundness of your money!

One of the notable news stories over the holidays was the theft of debit and credit card information from Target stores. Over 40 million debit and credit card accounts were affected, which included basically everyone who used his or her card at a Target store between Black Friday and December 15th. Not only was card information taken, but also encrypted personal identification numbers (PINs). Put this information together and you have the potential for putting a lot of people’s debit card accounts at risk.

With the Target breach as a backdrop, here are my two 2014 resolutions for you: 1) Change your PIN on your account at least once this year. In fact, if you do nothing else for a resolution this year, make your resolution to change your PIN today – it’s easy to do at your bank’s ATM or branch. 2) Check your bank statements monthly. Better yet, get an online account with your bank and monitor your transactions daily or weekly through your bank’s web portal or a third party service provider.

Why change your PIN? Simple, if your financial information is compromised, a new PIN makes it more difficult for the bad guys to use your credentials to make charges. Why monitor your transactions? Although banks monitor for fraud, only you know the legitimacy of every transaction you’ve made. Banks often fail to detect fraud and count on their customers to monitor their own accounts. Your catching it early will help avoid many headaches down the road. It’s that simple.

That’s it! Two easy resolutions: change your debit card PIN and monitor your transactions. It doesn’t matter whether you used your debit card at Target or not. These two resolutions will help protect your debit card and monies from being misappropriated and make for a better and safer 2014!

Here’s hoping your 2014 is great. I’ll be checking in with you later in the year to see how these resolutions are going!

We invite you to share your resolutions and hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere