New payment technologies, more stringent security protocols, and rigorous regulations and growth opportunities have all had an enormous impact on the payment industry in Canada in recent years, as has payment card fraud which has spiked, leading to losses for Canadian businesses and credit card companies. For merchants in Canada, understanding these threats and responding to them within your contact centre environment, as well as communicating the important steps that can be taken to prevent this kind of fraud to peers and employees, is of upmost importance as your business continues to face new challenges.
In response to growing rates of credit card fraud in recent years, the Payment Card Industry Security Standards Council (PCI SSC) provides a robust framework to help companies deter these threats. A global organisation formed in 2006, the PCI SSC is an independent body formed by the five major payment card providers (Visa, MasterCard, American Express, Discover, and JCB), charged with overseeing many aspects of the payment industry and serves as both a governing organisation and an open forum responsible for the development, management, education, and awareness of PCI Data Security Standards. Its remit includes maintaining both the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).
The PCI SSC has two core goals: to help identify vulnerabilities in card payment systems, and to offer steps and procedures to help companies thwart fraud attempts and reduce the risk of financial loss that would otherwise have a significant impact on business. In 2004, realizing the burden they were putting on merchants with their separate security programmes, and to address the crisis of the growing amount of data breaches due to the rise in ecommerce payments, the major card brands came together to condense their standards into one comprehensive, overarching programme. The end result was the PCI DSS, a living set of standards, with the PCI SSC providing updated guidance and periodic revisions when new data protection issues and fraud threats warrant considerable changes to security measures.
These standards apply to all merchants processing payment card transactions, however the reporting requirements change slightly based on merchant level. Depending on the amount of transactions a merchant processes each year, they may have to work with a QSA to prove compliance by filling out a Self-Assessment Questionnaire.
To learn more about the PCI SSC and PCI DSS compliance, be sure to take a look at our earlier blog post that provides additional context for why security is so critical to the payment card industry, and highlights the twelve major security requirements for any merchant that accepts card payments.
Credit Card Fraud in Canada
Taking a look at the landscape for credit card fraud in Canada, we can see several similar trends that have occurred in many other countries as well. The global fraud mix continues to move towards the card-not-present (CNP) channel (fraud conducted via online or over the phone transactions) and is growing evermore within Canada fraud.
According to a 2017 Visa report on the Canadian payment card industry, card-not-present fraud accounted for 78% of all fraud, and 74% of fraud losses at Canadian merchants are perpetrated in the CNP channel. What’s more, higher than 97% of card-not-present fraud occurs on transactions where enhanced authentication through 3D Secure (3 Domain Secure) is not enabled, a feature that would increase the security of transactions.
In recent years, the industry has introduced EMV chip technology, which provides enhanced security and enables contactless and mobile payments. With EMV technology, chip cards generate a unique one-time code each time they’re used in-store at a chip-activated terminal. Unlike mag-stripe cards, this feature makes it impossible to duplicate in counterfeit cards, ultimately preventing in-store fraud from occurring.
New and Upcoming Requirements for Canadian Merchants
While any merchant in any country accepting card payments must follow the same requirements outlined in the PCI DSS, with the ever-evolving fraud landscape and the onset of new technologies and protocols – covering card-not-present to chip card transactions – we thought it pertinent to highlight a few of the newer requirements that are being imposed by Visa on complying with the Visa Contactless Payment Specification, unique to Canadian merchants.
With the introduction of EMV technology, it is calculated that almost 93 percent of Canadian-acquired card present transactions have been a chip transaction as of July 2017. However, a small number of merchants have yet to adopt chip technology terminals and are continuing to put consumers’ payment card information at risk. Because of this, Visa has made it a requirement that all merchants be chip-enabled by October 2020.
Contactless payments are also becoming more prevalent. In fact, the majority of contactless terminals in Canada support both Magnetic Stripe Data MSD and quick Visa Smart Debit / Credit (qVSDC) transactions. But these have also been used for fraud, where criminals have used mobile applications to emulate Visa MSD contactless magnetic stripe transactions and use the device at merchants with contactless acceptance. Due to this activity, Visa is now requiring that effective October 2019, all contactless acceptance devices in Canada must not support MSD.
Since October 14, 2017, all new ecommerce or telephone order merchants have been required to capture Card Verification Value 2 (CVV2) – the three-digit security code located on the back of debit and credit cards – and include it in the authorisation request during a Visa transaction. Further, if an issuer approves a ‘no-match’ transaction – for example, a CVV2 is provided but it doesn’t match the cardholder’s account – the issuer is 100% liable for that amount. This offers an added layer of protection for merchants. Additionally, all merchants in Canada are now prohibited from requesting CVV2 for mail order transactions if the data is provided in a written format. This reduces potential for that information to be stolen and used fraudulently.
These changes have been expanded to include all ecommerce transactions and those Canadian merchants taking telephone payments, effective October 13, 2018. Of special note, these changes will not be applicable for credential on file, recurring or installment payments, or Visa commercial card virtual account and digital wallet transactions. Canadian companies also still have to follow all of the same requirements noted in the PCI DSS that merchants in every other country must follow. Failure to do so can result in fines anywhere between $5,000 – $100,000USD per month. For repeated violations, the card brands who form part of the PCI SSC may revoke a merchant’s privileges to accept payments using their cards entirely, which could be catastrophic for business.
There are obviously a number of benefits to achieving PCI DSS compliance, aside from just avoiding hefty fines, including tighter data security and reduced risk of data breaches. At the end of the day, following these compliance requirements provides businesses proper security controls and ultimately, peace of mind.
To learn more about the Future of Payment Security in Canada, click here.