ACI Blog

Fraud Awareness Month Canada – Return of the Lost and Stolen (and Authenticating Wearables in Canada)

As smartphones and wearable devices continue their exponential growth in Canada and globally – a market expected to be worth $34 billion by 2020 – Canadians will need to be wary of tap payment, a convenient card-based (or alternative NFC wearable device) service.

Tap payment allows Canadians to casually pay for smaller transactions using their devices without attempting a more involved and, yes, ultimately more secure Chip and PIN transaction. However, a fraud type we had almost exhausted in recent years, known as Lost and Stolen, could become a threat. Lost and Stolen had been marginalized as a fraud type by a menacing brother fraud type: Counterfeit. The fraud on counterfeited cards, which is exposed at merchants through skimming events, became the most significant threat experienced by most consumers and was the prevailing problem that Canada had largely pushed beyond the border. As wearable payment devices and friction-free (sans PIN) authentication options continue to proliferate, Lost and Stolen will be an increasing typology affecting issuers.

Perhaps it’s Canada’s own success at bringing debit card fraud to such a low rate that has resulted in consumers’ over-weighted sense of security, convenience and a habituation with their primary consumer payment device, the humble EMV Chip and its PIN companion. However, the initial path that brought Canada here was the dedication to deploying EMV’s cryptographic technology with significant enforcement, which mandated a PIN with the transaction. Relaxing the effective authentication controls for the Tap product means that a transaction below a threshold amount, typically less than $200, does not require a PIN, and the card or wearable NFC device itself is enough to authorize a transaction at a merchant’s point of sale. The residual issue here is that it’s not the amount, it’s the frequency, and residual Counterfeit cases are now a mere fraction of the counts of Lost and Stolen.

Cards and wearable payment technologies are frequently and casually left accessible to those who seek to abuse them. Payment devices must be guarded just as much as a wallet that contains debit and credit cards. When consumers leave payment devices in unlocked parked cars, or on open desks at work, without sufficient physical security, it creates an opening for opportunistic fraudsters, where simple car prowlers in the neighborhood can become entry-level fraudsters.

Again, there is a ceiling on the amounts, which reduces risk, but the inconvenience of having one’s card lost, filing a fraud case, or replacing the card can be a stressful event and reduce confidence in electronic payments. Further, in the larger picture, the behavior we are seeking to reduce and bring awareness to is easy to remedy: focus consumer behavior to continue to treat plastic cards and NFC devices like the payment products they are. Create programs that raise awareness of the need to secure them, or increase authentication requirements to two factors in every transaction, perhaps significantly lowering the amount threshold for PIN requirements so that it aligns with the PSD2 thresholds across the pond (50 Euro/transaction).

Part of Canada’s notable achievement in reducing card fraud and creating a culture of awareness was an altruistic commitment to protecting its citizens and financial ecosystem, which is truly admirable. This year, for fraud awareness month, I want to implore all stakeholders in Canadian payments to take steps to continue to eradicate all fraud types in the great white north.

I’ll be presenting on this topic and many more like it at the 2018 ACI Exchange Conference in Denver…hope to see you in May!

Sr. Fraud Consultant, Americas

Seth Ruden is a Certified Fraud Examiner and Certified Anti-Money Laundering Specialist and has been working with banks in the detection and mitigation of financial crimes since 2004, in the compliance department of one of the largest global banks. Since then, he has worked with Law Enforcement, Regulators, Executives and Analysts in consulting positions beyond the United States, extending to financial services organizations in Asia, the Middle East and North and South America. Interests include Payments Security, Financial Crimes, Fraud, Money Laundering, Cyber Crime, Biometrics, Authentication, Data Breaches, Compromises, Risk Management, Hacking and Technology Innovation.