The Move to Chip Payment Cards: A Work in Progress
Although RBI Mandated Shift by Jan. 1, Not All Work Is Completed
Although the Reserve Bank of India mandated that banks complete the shift from magnetic stripe debit and credit cards to EMV chip-and-PIN cards by Jan. 1 to help reduce fraud, there's still plenty of work to be done.
For example, work on converting ATMs and POS terminals to accept chip cards and updating card switches to process EMV messages is continuing, security experts say.
As of June 2018, there were 39.4 million active credit cards and 944 million debit cards in India, according to RBI. But RBI has not revealed what percentage of cards now in use are EMV-enabled.
Security experts, however, believe that most credit cards are now chip-enabled while the debit card conversion is still in progress.
The move to chip cards, once it's completed, could play a major role in cracking down on fraud.
"Compared to magnetic-stripe payment cards, EMV cards are much harder to counterfeit, and lost or stolen cards are unusable," says Singapore-based Tom Wills, strategy adviser at TuriQ, a blockchain company that advises financial institutions. "Markets that have migrated to EMV have all experienced a very substantial drop in these types of fraud."
Work to Be Done
Sriram Natarajan, chief operating officer at Quattro, a business outsourcing organization that consults with financial institutions, says some banks have still not upgraded their card switches to process the EMV message.
Another challenge is updating ATM machines, says Dr. Onkar Nath, the former CISO of Central Bank. "The majority of ATM machines are not capable of processing the chip-based cards as the technology behind EMV is that it generates a unique key for every transaction, which can't be reused. And the ATM machines do not accept the new PINs nor will they help the user generate a new key."
Clearly, many banks and merchants still have a lot of work to do, Wills says.
"The evidence is that the banks have continually asked for an extension to the deadline," he says. "The reason for this complacency is that migration from magnetic stripe to EMV in a given market requires extensive and expensive changes to payment card processing systems, both on the card side and the acquiring [acceptance at merchant point-of-sale or ATM] side."
In addition to issuing new cards, issuers must install back-office systems to accept and act on the additional data that EMV cards generate, Wills points out. Meanwhile, merchants must replace their POS terminals, and processors must replace their back-office systems.
Converting Cards
Many smaller banks have yet to convert to chip debit cards, Natarajan says.
All debit cards that have been "active" in the year have been converted to chip cards, as confirmed by card issuing banks to RBI, says Ram Rastogi, consultant for digital payments and financial inclusion at CGAP, the Consultative Group to Assist the Poor. Conversion of inactive cards is still pending, he says. "However, the definition of an 'active' card is confusing."
One challenge in issuing new cards, Rastogi says, is that the addresses available in the databases of public sector unit banks, cooperative banks and old-generation private banks are not updated or complete. And under RBI guidelines, if a new card is undistributed for more than six months, it must be destroyed.
While the POS terminal infrastructure has been enabled to accept and process EMV cards since May of last year, the ATM infrastructure still continues to process card transactions based on data from the magnetic stripe, the RBI reports.
EMV Migration
All of Europe has already moved to EMV. Malaysia was the first country in Asia to complete the migration, back in 2005. The migration is close to completion in Singapore. And the migration to EMV started in the U.S. in October 2015.
The U.S. Payments Forum recently stated that 99 percent of the top 200 retailers now have the equipment necessary to accept chip cards, and that those transactions make up 60 percent of overall transaction volumes in the U.S. Additionally, more than 50 percent of transactions are taking place at contactless payment-enabled merchants, the forum reports.
"Chip payments are effective at reducing fraud and they were introduced to curb in-store counterfeit card fraud, which was the largest source of fraud in the U.S.," says U.S. Payments Forum Director Randy Vanderhoof. "Counterfeit card fraud is down over 80 percent at merchants that have enabled chip, so it is indeed working."
New Architecture
The many challenges in making the move to EMV, CISOs say, include establishing a new security architecture to meet the needs of new transactional systems and gaining the necessary funding.
For chip-based transactions, RBI has mandated an additional factor of authentication (a one-time password) for domestic transactions.
Consumers now will pay nothing for fraud losses if the fraud was the fault of a bank or a third party or if the consumer reports the fraud within three working days of receiving a communication from the bank regarding the unauthorized transaction, RBI says.
Nitin Bhatnagar, associate director at PCI Security Standards Council, says dynamic authentication technology in EMV can improve authentication for e-commerce and m-commerce environments. "The 3-D Secure helps prevent unauthorized chip-and-PIN transactions and protects the merchant from exposure to CNP fraud," he says. "EMVCo recently updated its 3DS specification to 3DS version 2.0, which improves authentication by enabling consumers to authenticate themselves with their card issuers when making purchases through web browsers or via mobile applications."