ITBusiness.ca

Microchips – and common sense – help bust debit fraud

Merchants offering customers Interac Direct Payment (IDP) to facilitate sales can now get computer chip technology machines to help guard against fraud, but industry insiders say using common sense is still the best shield against PIN thieves.

IDP is Canada’s national debit service for purchasing of goods and services. Customers enter their personal identification number (PIN) and the amount paid is deducted from either their chequing or savings accounts.

The Toronto-based Interac Association – the group of financial institutions and merchants responsible for the familiar black and yellow logo – began rolling out their new chip technology last Fall. A market trial is currently underway in Kitchener and Waterloo, Ont.

The project involves credit and debit card companies, banks as card issuers, and merchant payment services – all making a bid to upgrade to chip technology across the board, says Matthew Cram, a spokesperson with Mississauga, Ont.-based TD Merchant Services.

“This will go on for the rest of the year,” he says. “Once that is complete, it’ll move to a national rollout.”

But we’ll have to wait until 2010 – by which time most cards and point-of-sale (POS) and ATM machines are expected to be upgraded.

In the interim, the association has offered retailers a list of simple steps to practice. The retailer tips were issued March 5.

“These tips are a reminder for retailers…pretty simple steps can make a pretty big difference,” says David Senf, director of research Canadian security at Toronto-based analyst firm IDC Canada Inc. “It’s not rocket science.”

Merchants would be wise to treat their POS machines like cash, according to the Interac tips. They should check them regularly for anything out of the ordinary and keep them stowed away safely.

“Merchants should become very familiar with the PIN pads in their store,” says Emma Rickard, manager of stakeholder program for Interac. “You should check your serial number every day.”

Fraudsters are apt to swap out retail PIN pads with their own modified devices. The fraudulent device records the magnetic strip information and collects the matching PIN number when the customer punches it in, the two items needed to steal money from an account.

It’s one example of thieves’ growing sophistication that has pushed the association to adopt the more secure chip technology, according to Tina Romano, public relations manager at Interac.

“It will have the power of a computer on the card, so it will be harder to duplicate,” she says. “The card and the ATM can talk to each other and perform security checks.”

The degree of Interac fraud has been out-pacing the growth of the technology itself in Canada, according to the associations’ Web site.

Between 2003 and 2007, the amount of money lost to Interac fraud more than doubled from $44 million to almost $107 million. But the number of merchants offering the card had only increased marginally by 40,000 to a total of 410,324 in 2007.

There’s no guarantee the chip technology will turn that trend around, analysts say.

“When a technology changes, the target is more secure than what a hacker can bring to bear,” Senf says. “But in the cat and mouse game of security, it generally doesn’t take too long for hackers to figure out a way to access the information.”

So Interac wants merchants to be vigilant. They’re trying to educate merchants about how to prevent fraud, Romano says.

“Education plays a big role in preventing fraud, it’s important to make consumers and merchants aware of potential threats.”  

To that end, security cameras are advised in Interac’s tip list. Police often recommend a surveillance system that stores at least 60 days of footage, Rickard says.

Good hiring practices are important to prevent would-be fraudsters from entering your business as employees, he says, adding that a log-in sheet should be used to identify who is responsible for the PIN machine at what time.

“Merchants should treat PIN pads the same way they treat their cash drawer.”  

As far as the new chip technology pads go, IDC’s Senf advises caution.

Merchants should not rush to spend money to get them, he says. And this is especially true in the case of small retailers who might be burdened by the cost of new POS and ATM machines.

Waiting until your next upgrade is good enough, the IDC analyst says.

Businesses must weigh the importance of the new technology for their needs, he adds.

“What’s the probability fraud might happen at a given location, and what’s the loss if it occurs? If a compromised [transaction] costs you $100 every two years, then it’s not a big deal.”

How merchants upgrade will depend on whether they own or rent their machines, says Cram. But most will just be able to put them in place at the time of a natural upgrade.

Many merchants have already been upgraded through a natural transition, he says. Located in “individual and family-owned and operated stores, those terminals are all chip-integrated now.”

Interac chips could help reward customers by keeping better track of rewards programs, or by condensing multiple cards down to one smart card, Interac’s Rickard says. Financial institutions will push the technology adoption since they’re on the hook for most fraud-related losses.

The Canadian Code of Practice has held Interac card issuers as liable for losses beyond the control of the cardholder since 2002. That includes when unauthorized use occurs.

According to Rickard, it’s a really big migration to move everything to chip technology. “Every single piece needs to be replaced to be compatible.”

And even once this is accomplished, Senf warns no technology is completely secure: “If it has a vulnerability hackers believe they can exploit, they’re going to do it.”

For now, retailers can protect themselves from fraud with the use of some common sense. For example, remind customers on occasion to cover their PIN pad when punching in a transaction, Rickard says. “Just a comment” will do.

Those extra concerned about Interac security can check with their payment service provider to see if there are further measures they can take. Often a simple secure tether, or an alarm system will help.

Exit mobile version