EMV and the fallback conundrum!
Fallback transaction is a term that came into the picture along with EMV: a workaround to complete a transaction when the chip or the terminal's chip reader does not work. However, it is regarded as a huge security threat in the era of a trillion transactions. Fallback should not be encouraged, as it leads us back to the less secure magnetic stripe system.
There was no fallback concept during the magnetic stripe era, as there was no alternative technology to lean on, except perhaps manually typing in the card details. After EMV, fallback was introduced as an option for completing transactions until the entire ecosystem migrated to EMV infrastructure. Unfortunately, despite the progress in EMV, fallback is still being used as a workaround to reduce declined transactions.
How is fallback used now – during the EMV era?
Generally, either the chip on the card or the reader in the terminal may not work properly. In that case, when the card is inserted, the terminal detects that the chip cannot be read. The terminal then prompts the user to swipe the card, and the transaction is processed as a magstripe transaction, without chip data and with a fallback indicator. The issuer approves the transaction based on the magstripe data fields.
A transaction can also go into fallback mode when the particular AID (Application Identifier) is not loaded in the terminal. Because the AID is absent from the terminal, the terminal is unable to identify the chip and prompts the user to swipe the card so that the transaction is processed in fallback.
Damaged Chips – Are they an issue?
The main pillar of the EMV standard is security, which prevents counterfeiting of cards. So, if a chip is damaged, that security is completely compromised. EMV provides three levels of security: card authentication, cardholder authentication and issuer authentication. Once the chip is damaged, at least card authentication and issuer authentication are not performed, whereas cardholder authentication is still possible, for PIN-based transactions only. A card with a damaged chip is as good as a magnetic stripe card.
Merchants should ideally reject transactions on a damaged chip, even in fallback mode.
Because fallback is a workaround, it can also be triggered intentionally. Even if a chip is not damaged, a fallback can be initiated by inserting the card in the opposite direction. The terminal will detect this as a chip failure and prompt for a swipe, processing it as a magstripe transaction.
Merchants with fraudulent intent often do this deliberately, initiating such transactions with a perfectly good chip so that the card can be counterfeited. Once the magstripe data has been copied, a card can be created with a dead chip or with no chip at all, and transactions are initiated with the counterfeit card to debit the customer's account.
The following good practices can be applied to reduce fallback and eventually remove it completely:
1. After proper terminal integration certification, the bank or payment brand should ensure a proper field rollout of each terminal or terminal application.
2. Periodically follow up on the expiry of EMV L1 and L2 certifications, and re-certify terminals whose certificates have expired.
3. Periodically follow up on the expiry of the terminal L3 certification of each terminal deployed in the field, and re-certify terminals whose certificates have expired.
4. Regularly monitor or analyse the fallback transaction count coming from each terminal, find the terminals where fallback occurs with the largest number of cards, and replace those terminals on priority.
5. Regularly monitor or analyse the fallback transaction count coming from each card, and replace such cards as soon as possible. The issuer should have a monitoring system for fallback transactions.
6. Periodic, exhaustive training should be provided to terminal vendors or manufacturers, issuers, MSPs, and even merchants and cardholders.
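Practices 4 and 5 can be run as one analysis over the same transaction feed. The sketch below is an added example, not part of the original article; the record layout, the "chip"/"fallback" entry-mode values, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (terminal_id, card_token, entry_mode).
# Field names and the "chip"/"fallback" values are assumptions for this example.
SAMPLE_TXNS = [
    ("T100", "cardA", "fallback"), ("T100", "cardB", "fallback"),
    ("T100", "cardC", "fallback"), ("T100", "cardD", "chip"),
    ("T200", "cardA", "chip"),     ("T200", "cardE", "fallback"),
    ("T300", "cardE", "fallback"), ("T400", "cardE", "fallback"),
    ("T200", "cardB", "chip"),     ("T300", "cardC", "chip"),
    ("T400", "cardD", "chip"),     ("T300", "cardF", "chip"),
]

def fallback_profile(txns, key_idx, peer_idx):
    """Per key (terminal or card): total transactions, fallback count, and
    the distinct peers (cards or terminals) seen in fallback."""
    stats = defaultdict(lambda: {"total": 0, "fallback": 0, "peers": set()})
    for txn in txns:
        s = stats[txn[key_idx]]
        s["total"] += 1
        if txn[2] == "fallback":
            s["fallback"] += 1
            s["peers"].add(txn[peer_idx])
    return stats

def flag(stats, min_peers, min_rate):
    """Return (key, distinct_peers, fallback_rate) for keys whose fallbacks
    span >= min_peers peers at a rate >= min_rate, worst first."""
    hits = [
        (key, len(s["peers"]), round(s["fallback"] / s["total"], 2))
        for key, s in stats.items()
        if len(s["peers"]) >= min_peers and s["fallback"] / s["total"] >= min_rate
    ]
    return sorted(hits, key=lambda h: (-h[1], -h[2], h[0]))

def suspect_terminals(txns, min_cards=3, min_rate=0.5):
    # Many different cards falling back on one terminal points at the terminal.
    return flag(fallback_profile(txns, 0, 1), min_cards, min_rate)

def suspect_cards(txns, min_terminals=3, min_rate=0.5):
    # One card falling back on many different terminals points at the card.
    return flag(fallback_profile(txns, 1, 0), min_terminals, min_rate)

if __name__ == "__main__":
    print("terminals to replace first:", suspect_terminals(SAMPLE_TXNS))
    print("cards to replace:", suspect_cards(SAMPLE_TXNS))
```

Counting distinct cards per terminal (and distinct terminals per card) rather than raw fallback totals keeps one damaged card from making a healthy terminal look faulty, and the reverse.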
EMV standards were introduced to reduce the number of chargebacks raised for fraudulent transactions. But because of the extensive increase in fallback transaction counts, that objective is not being fulfilled. With the remedies mentioned above to reduce fallback transactions, the number of chargebacks can be reduced easily.