Pub. 10 2015-2016 Issue 2

www.nebankers.org 12 Extraordinary Service for Extraordinary Members. COUNSELOR’S CORNER Your Bank Is Not a Gazelle Bryan Handlos, Kutak Rock LLP 1 There’s a Wikipedia page for the term and its history. “FUD” is of course different than “jiggery-pokery.” 2 For more information and additional resources, a good place to start is www.emv-connection.com . 3 A complete and accurate description of the technology, even a general one, would require more space (and technological expertise) than is available here. We may not have our flying cars and jetpacks yet, but the fact that we can walk around with a little computer embedded in our credit and debit cards is fair justification for marveling at the times we live in. For details on specifica- tions see www.emvco.com/specifications.aspx. For a glossary of EMV terminology see www.emv-connection.com/standardization-of-terminology. 4 PIN CVM can be online or offline. 5 Not discussed here is “first-party” fraud, a huge category, where issuers are defrauded by their own customers (or fraudsters posing as such). There does not appear to be much EMV can cur- rently do to alleviate this category. 6 See Smart Card Alliance Payments Council White Paper “Card-Not-Present Fraud: A Primer on Trends and Authentication Processes” February 2014. 7 See EMV Migration Forum Whitepaper “Card-Not-Present Fraud Working Committee White Paper: Near-Term Solutions to Address the Growing Threat of Card-Not-Present Fraud” Version 1.0 April 2015. 8 According to one reported study, this could be a number in excess of $8 billion. See “Will Retailers Be Ready for EMV by Oct 2015?” at www.paymentsleader.com/will-retailers-be-ready-for- emv-by-oct-2015. 9 It might not be a surprise to learn that fraudsters selling counterfeit cards on the Internet are having “sales” on counterfeit card information in advance of card issuers moving to EMV cards. 10 Each market and its roll-out of EMV has been different. In the U.K. and Canada, for example, counterfeit and loss/stolen fraud declined significantly (in the range of 50 percent or more). See Aite Group Report “EMV: Lessons Learned and the U.S. Outlook” June 2014. 11 Id. 12 MasterCard Risk Leadership Conference 2015 “EMV: The Countdown Is On.” 13 From perhaps 30 to 70 percent for cards and 15 to 60 percent for terminals. See, e.g., “EMV: U.S. Won’t Make October Deadline” www.bankinfosecurity.com/-a-7791/op-1 January 2015. I N D I SCUS S I NG A R I S K T OP I C recently, a favorite bank client questioned whether a vendor was trying to use “FUD”—fear, uncer- tainty, and doubt 1 —to influence the bank. This question also seems relevant in reviewing what’s been published recently in the lead up to the Oct. 15th “deadline” for EMV implementation. Lots of associations, vendors, and experts have a particular point of view to press on this topic and some don’t mind adding a little dramatic flair to their stories. What’s better than a little FUD and an imminent deadline to bring urgency to a topic? “Time is running out.” “You don’t want to be the last card issuer to have the protection of EMV.” “You don’t want to be the weakest ga- zelle in the herd!” Banks, of course, are not gazelles any more than fraudsters are lions. Criminal fraudsters do exist and banks have many tools to fight them. Banks don’t, however, have unlimited money to pour into fraud prevention. Nor do banks have the freedom to alienate their customers with products tuned tomaxi- mum security rather than convenience. Where should EMV fit in a bank’s fraud- fighting toolkit? What Is EMV? Europay, MasterCard, and Visa, or EMV, refers to a set of specifications used to implement a particular tech- nology to minimize fraud. 2 Central to that technology are chip cards which are relatively new to the United States but already inmany customers’ wallets. Chip cards incorporate an embedded microchip that can do impressive things with cryptography and other technol- ogy. 3 Chip cards provide protection that is superior to magnetic stripe cards and are supposedly virtually impossible to counterfeit so that the card can be used to successfully complete an EMV transaction. The chip card is, therefore, an important card authentication and counterfeit fraud prevention tool. There is, of course, an added cost to issue chip cards and support their use.