Was it a mere coincidence that the day following the release of Javelin Strategy & Research's 2011 Identity Fraud Survey Report, CNBC aired American Greed: Operation Get Rich or Die Tryin'? This show examines Albert Gonzalez's hacking into computer networks of retailers (most notorious, TJX Companies) and a payment processor (Heartland Payment Systems) and the subsequent extensive fraud using compromised credit and debit card information.
While the CNBC story was intriguing, Javelin's 2011 report just might be even more intriguing given the surprising results that identity thefts and the related losses in 2010 were at their lowest levels since 2003, when the survey began. In 2010, the incidence rate for existing card account fraud stood at a lowly 2.3 percent and only 7 percent of consumers were notified of a data breach, compared to 11 percent in 2008. While many factors are responsible for these low levels, it seems that preventive and detection measures by financial institutions, merchants, and consumers are playing a positive role. However, the fact remains that in the current magnetic-stripe environment, all parties could still experience significant losses from counterfeit cards if a large data breach were to occur.
Merchants and PCI implementation: Success in reducing data breaches
At year-end 2010, Visa reported that 96 percent of its Level 1 and 2 merchants (merchants with more than 1 million transactions a year) were compliant with the Payment Card Industry Data Security Standard (PCI DSS), and 100 percent had been validated as not storing prohibited data. For smaller merchants (Level 3 and 4), Visa reports moderate PCI DSS compliance but does not offer any figures. Watching the CNBC special, it was a bit harrowing to fully understand the amount of card and personally identifiable data that merchants and processors store, sometimes without even encrypting the data. The PCI DSS was put into place to not only require the encryption of data, but also prohibit the storage of certain sensitive cardholder authentication data such as full magnetic-stripe data, CVV2 codes, and PINs. In the event that a PCI DSS-compliant merchant is hacked, it would be much more difficult to perpetrate a fraud as extensive as Albert Gonzalez and his accomplices pulled off. It’s possible that these strict data standards have been effective in thwarting fraudsters and hackers.
Financial institutions and consumers working together to reduce detection times
Not only are the incidence of existing card account fraud and related losses stemming from identity theft at all time lows, the detection time—and subsequent losses—for this type of fraud is significantly shorter than for existing noncard fraud and new account fraud. According to Javelin, 31 percent of all existing card fraud is detected within a day or so, and nearly another 30 percent within a week. The top three fraud detection methods as reported by Javelin are notification to a consumer by a financial institution, consumer's monitoring of accounts through paper statements, and consumer's monitoring of accounts through electronic means or ATM. With increased availability, and consumer usage, of online and mobile banking, consumers can more easily monitor their accounts and more quickly identify fraudulent transactions than with the traditional method of a monthly paper statement. Many financial institutions are also being proactive in their battle against fraud by using the mobile channel to push notification alerts of potential fraudulent transactions to the consumer. According to Javelin's 2010 Banking Identity Safety Scorecard, 85 percent of the top 30 banks or credit unions offer mobile phone alerts.
Still vulnerable from the mag stripe, but where to go from here?
Even though we've taken great strides to reduce identity theft and related fraud losses, we can't make the same claim for card technology in the United States. As history shows us, fraudsters are often a step ahead of the industry. And unfortunately, implementation of new standards and technology is often reactive to the latest fraud rather than proactive to fraud that could happen. As long as the United States remains a magnetic-stripe country, we'll continue to have the risk for widespread fraud losses from the counterfeiting of magnetic-stripe cards.
Visa recently recognized the importance of chip-and-pin along with PCI DSS compliance when it announced its Technology Innovation Program (TIP). With TIP, merchants will no longer have to go through costly annual PCI DSS validation if 75 percent of their Visa transactions are completed at chip-and-pin-enabled terminals—but TIP is not available to merchants in the United States. Though much has been written about the lack of a business case for contact or contactless chip form factors in the United States, will continued mag-stripe fraud and the potential for even larger losses—all while the rest of the world migrates to chip-and-pin—finally build that case?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed