Various financial institutions around the country have experienced counterfeit activity resulting from “PINless” debit transactions, some of which have led to losses in excess of $100,000. PINless debit authorizations involve purchases under $50.00 that do not require consumers to key in a PIN or supply a signature at a point-of-sale device (POS). As EMV technology continues to be adopted by merchants, more and more of them will choose to enable PINless debit transactions, to offer consumer convenience and reduced interchange fee costs, and fraudsters are taking full advantage.
When a merchant allows PINless debit transactions, fraudsters can more easily use stolen card information, since they are not being asked to supply a PIN or any other authentication when making these types of purchases. An account holder’s card may be used multiple times prior to the fraudulent activity being detected. So fraudsters make numerous PINless transactions and walk away with big rewards.
Here are steps you should take to help mitigate PINless debit fraud exposure:
- Confirm that your card processor’s fraud monitoring system recognizes and is paying special attention to PINless debit transactions at the POS, especially recurring transactions at the same location.
- Make sure you are not one of the many financial institutions that haven’t signed up for their card processor’s program to monitor PINless debit authorizations.
- See if your financial institution can decline all debit authorizations that are conducted without a PIN, and consider disallowing these transactions if this option is in fact permissible.
- Check that all networks used for PINless debit authorizations are in place with your card processor, so that you can monitor PINless debit authorizations.
- Ensure your fraud monitoring system has strategies in place to help address any uptick in PINless debit fraud exposure.
- Connect with you card processor to make sure they have velocity parameters in place for transactions requiring PINless debit authorizations.
- Consider blocking and reissuing cards that may have been impacted by a data breach, as this card data could potentially be compromised.
- Confirm your fraud monitoring system is identifying “chip PINless” authorizations and confirm strategies are in place to monitor and prevent PINless fraud exposure on these cards.
- Understand your card association’s PINless debit network liability rules, since Visa and Mastercard do not apply the same zero-liability program benefits to PINless debit.
- Understand the Durbin rights and how PINless debit transactions are routed.
- Read articles about how your account holders could be affected by PINless debit fraud.
- Educate your account holders! You will likely see a large decrease in risk exposures if your account holders know what they can do to protect themselves.
Your financial institution should continue to learn about PINless debit fraud so that you can fully understand the risks and take actions to help mitigate this type of debit card exposure.
This content was previously published in Allied Solutions’ Risk Alert newsletter. Click here to sign up for this email list.