Authorization Strategies to Help Banks & Credit Unions Prevent Fraud & EMV Fallback Transactions

by Paul Albright,  Executive Vice President

While U.S. ATM operators and merchants (acquirers) are deploying EMV chip acceptance at a higher rate, financial institutions (issuers) continue to receive authorization requests on number of transactions that are designated as ‘fallback.’

Fallback transactions occur when a chip card is used at a chip-enabled terminal such as an ATM or POS terminal; however, the transaction is not routed as an EMV transaction, but instead is initiated as a magnetic-stripe or key-entered transaction.

Courtesy of Visa Business News, 22 June 2017

Courtesy of Visa Business News, 22 June 2017

The following are a few causes of fallback transactions:

  • The ATM or POS terminal may be incorrectly programmed for EMV transactions
  • The ATM or POS terminal may have a technical malfunction with the chip card reader
  • Cardholder error during the card entry process, interrupting the reading of the EMV Chip
  • Chip card may be incorrectly encoded
  • Damaged chip card
  • Fraudulently, reproduced mag-stripe plastic using chip card data

Even though the overall number of fallback transactions is proportionately small — among total transactions, fallback transaction accounts for more than 15 times the amount of fraud, as compared to non-fallback, card-present transactions. 

Fraudsters continue to target the U.S. market by manipulating card information and the card-insertion process via skimmers. Once compromised card data is obtained, fraudsters transfer that data to ‘white plastic’ that does not have an EMV chip.  Then, the fraudsters rely on a bank or credit union’s poorly managed authorization strategy by creating or forcing fallback transactions, to steal money through fraudulent transactions.

Authorization Strategies for Fallback – Best Practices

  • Leverage Real-Time Scoring During Transaction Processing: Segregate chip transactions from other card-present transactions and apply a different scoring approach to the fallback transaction.

  • Identify High-Risk Merchant Category Codes for Defined Rule Strategies: Consider denying fallback transactions that exceed a pre-set dollar amount or a defined merchant category type. Data indicates that fallback fraud is concentrated in certain merchant segments such as food and drug, retail goods and apparel. Specific merchant category codes with the highest concentration of fraud include department stores, grocery stores / supermarkets and electronics stores. 

  • Tailor Fraud Strategies to Fit Distinct Fraud Profiles: It is advised that financial institutions create fallback and fraud prevention strategies that build on confirmed experiences across similar geographies, BIN (bank identification number) ranges and/or other relevant criteria. 

  • Incorporate Velocity Rules by Count and/or Amount: Banks and credit unions can also target potentially high-risk activity by incorporating velocity rules and monitoring declined transactions or card limits or significant variations in card activity.  Spikes in specific types of activity could indicate fraudster are ‘pinging’ a BIN to attempt to identify weakness in the authorization strategies. 

  • Evaluate the Use of “Time of Day” Rules: Fraudsters tend to target hours when an issuer will have reduced personnel to review incoming alerts. Holidays are highly desirable periods for fraudsters, because there are fewer staff to timely react to potential fraud alerts.

To help mitigate fraud when determining whether to approve or decline a transaction, financial institutions can also employ: 

  • Service Codes: Banks and credit unions should decline any transaction where the service code differs from the value the issuer encoded on the card.

  • Country Codes: While card fraud occurs all over the world, the origin of card fraud has a higher concentration among specific countries and merchant category codes. Banks and credit unions should consider using the acquirer / merchant country code and the issuer country code to differentiate between domestic and international transactions and establish separate authorization rules for these types of transactions.

The most significant drawback to these strategies is actually using them.  Financial institutions have a wealth of data that can help prevent fraud if they simply take the time to use them.