Cutting Debit Fraud: Lessons from CanadaInterac's Sullivan on the Impact of EMV, Real-Time Payments
Debit fraud losses in Canada hit an all-time low in 2015, mainly because of Canada's nearly complete migration to EMV and its real-time settlement of debit payments, says Mark Sullivan, who heads fraud management for Interac, Canada's payment network .
Canadian debit fraud dropped 27 percent in 2015, compared with the previous year, and accounted for the lowest fraud losses linked to debit compromises in six years, according to a new debit fraud update that Interac recently released.
Sullivan says the U.S. will likely see similar fraud-reduction patterns once its migration to EMV nears completion. But some unique fraud-fighting characteristics of the Canadian market, most notably its real-time settlement of debit transactions, may offer additional lessons from which the U.S. could learn, he says.
"With Interac Debit, we do not have offline transactions; every transaction is an online transaction," conducted in real time, Sullivan explains during this interview with Information Security Media Group. "So a data breach becomes non-existent for the debit cardholder. There is no information stored about the consumer, the individual, [nor] identifying features in the transaction that has just taken place; it's not stored anywhere within the data of the posting merchant. And that data is a one-time transactional code ... that will never be repeated."
EMV chip payments are significantly more secure than magnetic-stripe payments because they cannot be skimmed; however, they are not foolproof. After the Target breach , security experts repeatedly have warned that EMV alone would not have prevented card data from being compromised in that attack.
Real-time payments - which the Federal Reserve has been pushing for in the United States - offer a huge advantage over current methods. For example, because Interac's transactions are conducted in real time using dynamic EMV data, fraudsters can't intercept usable transmitted or stored payment card data. Interac transactions even are protected in a card-not-present environment and are not susceptible to CNP debit fraud, Sullivan says.
Sullivan recommends that U.S. organizations take advantage of the fraud intelligence that can be gleaned during this time of transition to EMV when fraudsters will be working overtime to exploit lingering mag-stripe vulnerabilities before that opportunity dies out.
"In [countries] where EMV is in the process of being adopted and where specific timelines have been published, there is also an appropriate and enlisted response from the criminal community, who realize that the window of opportunity is starting to narrow," Sullivan says. "We've ... seen an increase in the amount of attacks on the system, which is generally the sign of a dying opportunity."
Watching transactions and sharing information with law enforcement through a central source could help the U.S. bring some of the cyber gangs that have been attacking the payments infrastructure to justice, Sullivan says.
During this interview, Sullivan also discusses:
- Canada's EMV migration and how it was rolled out;
- Why the U.S. market's migration to EMV won't have an adverse fraud effect on Canada; and
- How real-time payments can significantly reduce fraud across numerous payments channels.
In addition to overseeing fraud market management for Interac, Sullivan also heads up fraud market management for Acxsys Corp., which specializes in the development and operation of payment innovation, including Interac e-Transfer, Interac Online and Cross Border Debit. Sullivan joined Interac Assoc./Acxsys Corp. in 2010 and is responsible for providing fraud risk mitigation programs. He is the central point of contact for global risk professionals and international law enforcement, and is the co-chair of the Private Sector Liaison Committee, which is affiliated with the Canadian Association of Chiefs of Police.