Rippleshot Blog

Last year was a rollercoaster for the payments industry. An influx of mobile payment platforms, the start of EMV adoption, and a pack of criminals exploiting all of these uncertainties with a continued string of high profile data breaches has many fraud managers stressed beyond belief trying to manage it all. If it’s any consolation, Trustwave’s Global Security Report confirms that you’re not alone. Follow along as we highlight some of the report’s key insights on attacks, how they’re happening and what data criminals are targeting.

It’s been nearly a year since the Federal Financial Institutions Examinations Council (FFIEC) debuted the Cybersecurity Assessment Tool, commonly known in the industry as the CAT. At last week’s ABA Risk Management Conference, we learned a ton about the tool’s voluntary nature, how it compares to existing cybersecurity assessments, and how banks are passing the regulatory scrutiny onto their own vendors and third-party providers.

“I want it all…

I want it all…

I want it all…

And I want it NOW!” –Queen

Instant card issuance is the banks’ and credit unions’ ability to create debit, credit, prepaid and ATM cards right at the branch location, providing a new card instantly to the customer that can be used immediately.  Instant card issuance might not have been what Queen’s guitarist Brian May had in mind when he wrote “I Want It All” for Queen, but I think it applies. Fiserv recently produced a report on “The Role of Instant Card Issuance in Customer Satisfaction and Use.” Let’s use Fiserv’s report and May’s lyrics to dig in deeper on the many advantages and one big disadvantage to instant card issuance.

When large data breaches like the infamous ones at Target or Home Depot take place and millions of cardholders’ information has been stolen, it usually ends up on underground markets, where it’s sold in bulk. Many times, this information is purchased by criminals and used to create counterfeit cards to make purchases at brick-and-mortar stores. But with nearly 70% of credit cards currently EMV compliant (with chips) and debit cards slated to follow this year, making fraudulent purchases with counterfeit cards is becoming more difficult. As we’ve mentioned many times before, fraud is expected to shift to card not present channels, and the criminals have adapted with elaborate and sophisticated schemes to cash in on any weakness in the system they can find. Hewlett Packard Enterprise’s “Monetizing Stolen Credit Card Data” report gives us a window into the processes they’re employing to defraud U.S. cardholders and merchants of over $1 Billion each year.

In this week's recap, Rippleshot CEO Canh Tran comments on the latest Trump Hotel breach, the Fed starts reviewing proposals for faster payments, fraud is cited for slowing mobile payments growth, a Verizon database of customer information is found wide open, and the Rippleshot blog covers a new study about consumer behavior after card not present fraud.

We know that card not present (CNP) fraud, as a result of EMV implementation is on its way up and only going to continue to rise. In the U.K. and Canada, post-EMV ecommerce fraud spiked 80-100% in the three years following the conversion. Many financial institutions, knowing that most CNP fraud can be charged back to the retailer, have brushed off its impact. But according to a new study, the consumers affected by ecommerce fraud are taking more drastic measures that deserve the attention of both issuers and merchants.

In this week's recap, TreasureHunt malware steals card data direct from merchant POS systems, fuel pump payments set for major disruption and overhaul by 2020, retailers take to the Fed to try and lower debit card fees, hackers breach two major law firms, and the Rippleshot blog takes on the regulatory agencies' recent foray into cybersecurity issues.

It’s been a hot couple of months for regulators and cybersecurity. Back in June, the FFIEC (Federal Financial Institutions Examination Council) introduced a new cybersecurity assessment and recommended guidelines for banks and credit unions. In August, a U.S. appeals court ruled that the FTC (Federal Trade Commission) has the authority to regulate corporate cybersecurity. And just a few weeks ago, Dwolla, a payment platform company, found itself the first ever data security target of the CFPB (Consumer Financial Protection Bureau), and was hit with $100,000 in fines. We review the details of each, and what this means for the future.

In this week's recap, payment card fraud in the UK increases 18% year over year, even with chip and PIN cards in place, interchange fees are challenged by Dick Durbin, CNBC takes a look at how retail franchisees fare when a data breach occurs, debit cards are gaining ground on cash for small purchases, and the Rippleshot blog reviews the Federal Agencies' new guidance on prepaid reloadable cards.

As we’ve noted in previous posts, the heat is on in figuring out how to best stem fraud from gift and prepaid cards. Prepaid cards have long been a favorite of fraudsters looking for ways to move money anonymously, and the increased prevalence of reloadable prepaid cards (like those issued by Green Dot or Vanilla), where balances can be re-upped, are particularly susceptible to money laundering practices. The problem has been well-documented, with The Boston Globe reporting that in 2013, $30 million of the $20 billion loaded on Green Dot’s cards involved fraud. This week, The Federal Reserve, along with the FDIC, OCC, NCUA and the FCEN issued interagency guidance in an attempt to put an end to the problem.

In this week's recap, a skimmer video you have to see to believe, equipment retailer Bailey's suffers a data breach affecting 250,000 consumers, American Express issues alert for third-party breach, The Atlantic takes everyone on the payment card spectrum to task over security concerns, and a deep dive on the latest EMV implementation struggles, five months in.

Five months in, and the EMV rollout has gotten off to a relatively rocky start. Many of the smaller and mid-size financial institutions we’ve spoken to have yet to finish transitioning over to chip cards, and anyone with a chip card can vouch for the fact that most merchants aren’t yet accepting them. A fair number of EMV terminals have tape or notes over top of the slot used to dip cards, and we’re hearing from several financial institutions that card fraud is at painfully high levels. What’s happening? We dig in below..

In this week's recap, an imprisoned fraud-kingpin shares some of his schemes, mobile payment adoption gets a critical eye, NJ.com takes a deep dive on ATM skimming, Home Depot settles their consumer breach, and the Rippleshot blog takes a look at gift card fraud and what merchants are doing to try and stem it (as well as a new scheme merchants should be looking out for).

Back in November, we covered online gift card fraud extensively - why it’s such a hot new target for fraudsters, and why it will only continue to rise. But a recent piece by Robin Sidel at the WSJ suggests that traditional brick-and-mortar gift card purchases with counterfeit cards isn’t going anywhere. Given the recent liability shift due to EMV, retailers are finding themselves more on the hook for fraudulent gift card purchases than ever, and are taking drastic measures to attempt to curb it.

In this week's recap, Brian Krebs breaks news that credit unions are seeing record levels of fraud from the Wendy's compromise, RSA President gives security industry a wake-up call, Verizon's annual Data Breach Investigations Report gets a makeover, real-time payments in the U.S. get a closer look, and Marketing Director Kaleigh Simmons takes a look at e-commerce fraud trends and hot locations.