One of the most notable trends in payment card fraud is the production of magstripe clones of EMV cards – and their subsequent use at signature-only terminals in non-EMV markets such as the USA. The methods for creating this type of fraud are well documented (data usually skimmed via ATM or POS in Europe, or stolen from unencrypted databases, sold and then written to fake magstripe card), and can be exceptionally low-cost with high returns. Invariably as there is no EMV liability shift agreement with the US, it is the issuing bank that end up footing the bill for this fraud. So why don’t they just decline all magstripe signature only transactions from abroad? Well, there are a number of considerations.
Firstly, as an issuer your ‘duty’ to your cardholder is to ensure that their card works whenever and wherever they want it to. Then, the international schemes all have mandates to the effect that ‘thou shalt not decline transactions based on location or type’, which in essence means that issuers are expected to analyse and approve every transaction on merit. But such is the cost of this type of fraud, an expected 12m EUR in Belgium this year, that Issuers are weighing up the pro’s and con’s of blanket declining of transactions performed in magstripe countries on signature-only POS.
Of course to facilitate this they need to put in place a mechanism to allow cardholders to actually use their card if they go to one of these places with retro infrastructure. Inevitably this requires the cardholder to contact their bank and let them know they are entering the payments timewarp. This is fine for the annual family trip to visit Mickey Mouse, but of course for business travellers it can be a bind. While some banks have made the effort to rollout clever additions to their internet banking software that allows you to do this, I’m still waiting for a seamless link into MS Exchange or Lotus. Perhaps that could be part of the extended offer from firms like Tripit?
However, banks should beware when going down the ‘tell me if you’re travelling’ route – not all consumers are happy with sharing this kind of info (except on their facebook, linkedin, twitter and wordpress pages) as unscrupulous banks may misuse the information. Do you have travel insurance by the way?
Returning to our core issue, magstripe cloning. While it may be only a matter of time before the US takes the plunge – particularly as the whispers are now conversations according to those in the know - they are not the only country left without EMV. But perhaps when the table is turned on the influential US market and their EMV cards start getting cloned to magstripe and used in Ecuador or Kenya, a global EMV mandate might be on the table at last.