A fallback transaction is a term that came into the picture along with EMV: the workaround used to complete a transaction when the chip or the terminal's chip reader does not work. However, it is seen as a huge security threat in the era of trillion transactions. Fallback should not be encouraged, as it leads us back to the less secure magnetic stripe system.
There was no fallback concept during the magnetic stripe era, as there was no alternative technology to lean on, except perhaps manually typing in the card details. After EMV, fallback was introduced as an option for completing transactions until the entire ecosystem migrated to EMV infrastructure. Unfortunately, despite the progress in EMV, fallback is still being used as a workaround to reduce declined transactions.
How is fallback used now – during the EMV era?
Generally, there is a possibility that either the chip on the card or the reader in the terminal does not work properly. In that case, when the card is inserted, the terminal detects that the chip cannot be read. The terminal then prompts the user to swipe the card, and the transaction is processed as a magstripe transaction, without chip data and with a fallback indicator. The issuer approves the transaction based on the magstripe data fields.
Another way a transaction ends up in fallback mode is when the particular AID (Application Identifier) is not loaded in the terminal. The terminal is unable to identify the chip application because the AID is absent from the terminal, and it prompts the user to swipe the card to process the transaction in fallback.
Damaged Chip – Are they an issue?
The main pillar of the EMV standard is security, which prevents the counterfeiting of cards. So if a chip is damaged, that security is completely compromised. EMV provides three levels of security: card authentication, cardholder authentication and issuer authentication. Once the chip is damaged, at least card authentication and issuer authentication are not performed. Cardholder authentication is still possible, but only for PIN-based transactions. A card with a damaged chip is no better than a magnetic stripe card.
Merchants should ideally reject transactions on cards with a damaged chip, even in fallback mode.
Because fallback is a workaround process, it can also be triggered intentionally. Even if a chip is not damaged, a fallback can be initiated by inserting the card in the opposite direction. The terminal will detect this as a chip failure and prompt the user to swipe the card so that it is processed as a magstripe transaction.
Merchants with fraudulent intent often do this deliberately, initiating such transactions with a perfectly good chip so that counterfeiting becomes possible. After the magstripe data has been copied, a counterfeit card can be created with a dead chip or with no chip at all, and a transaction initiated with that card debits the customer's account.
The following good practices can be applied to reduce fallback transactions and eventually remove them completely:
1. After proper terminal integration certification, the bank or payment brand should ensure a proper field rollout of each terminal or terminal application.
2. Periodically follow up on the expiry of EMV L1 & L2 certifications and re-certify terminals with expired certificates.
3. Periodically follow up on the expiry of the terminal L3 certification of each terminal deployed in the field and re-certify terminals with expired certificates.
4. Regularly monitor or analyse the fallback transaction count per terminal, identify the terminals that produce fallbacks across the largest number of cards, and replace those terminals as a priority.
5. Regularly monitor or analyse the fallback transaction count per card and replace such cards as soon as possible. The issuer should have a monitoring system for fallback transactions.
6. Provide periodic, exhaustive training to terminal vendors or manufacturers, issuers, MSPs and even merchants and cardholders.
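The monitoring described in points 4 and 5 can be sketched as follows. This is an added example, not code from the original article: it flags terminals where many different cards fall back and cards that fall back at several otherwise healthy terminals. The record layout, thresholds and sample data are assumptions; fallback is recognised here as a swipe of a chip card (service code starting with 2 or 6) on a chip-capable terminal.

```python
from collections import defaultdict

# Constructed sample records (not real data); the field layout is an assumption:
# (terminal_id, card_token, entry_mode, service_code, terminal_chip_capable)
SAMPLE = [
    ("T1", "tokA", "swipe", "201", True), ("T1", "tokB", "swipe", "221", True),
    ("T1", "tokC", "swipe", "601", True), ("T1", "tokD", "chip", "201", True),
    ("T2", "tokE", "chip", "201", True), ("T2", "tokF", "chip", "221", True),
    ("T2", "tokX", "swipe", "201", True), ("T2", "tokG", "chip", "201", True),
    ("T3", "tokX", "swipe", "201", True), ("T3", "tokH", "chip", "201", True),
    ("T3", "tokI", "swipe", "101", True),   # magstripe-only card: not fallback
    ("T4", "tokA", "swipe", "201", False),  # terminal has no chip reader
]

def is_fallback(entry_mode, service_code, chip_capable):
    """A chip card (service code 2xx/6xx) swiped on a chip-capable terminal."""
    return entry_mode == "swipe" and chip_capable and service_code[:1] in ("2", "6")

def fallback_report(records, min_txns=3, max_rate=0.5, min_cards=2, min_terms=2):
    """Return (terminals to inspect or replace, cards to reissue)."""
    term = defaultdict(lambda: {"total": 0, "fallback": 0, "cards": set()})
    card_terms = defaultdict(set)
    for tid, tok, mode, svc, capable in records:
        term[tid]["total"] += 1
        if is_fallback(mode, svc, capable):
            term[tid]["fallback"] += 1
            term[tid]["cards"].add(tok)
            card_terms[tok].add(tid)
    # Point 4: high fallback rate spread over several distinct cards
    # points at the terminal (faulty reader, missing AID, or misuse).
    bad_terminals = sorted(
        tid for tid, t in term.items()
        if t["total"] >= min_txns
        and t["fallback"] / t["total"] > max_rate
        and len(t["cards"]) >= min_cards
    )
    # Point 5: a card that falls back at several terminals that are not
    # themselves flagged most likely has a damaged (or cloned) chip.
    bad_cards = sorted(
        tok for tok, terms in card_terms.items()
        if len(terms - set(bad_terminals)) >= min_terms
    )
    return bad_terminals, bad_cards

if __name__ == "__main__":
    print(fallback_report(SAMPLE))
```

Separating the two views matters: a card seen only at a flagged terminal is probably fine, while a terminal whose fallbacks all come from one card probably is too.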
EMV standards were introduced to reduce the number of chargebacks raised for fraudulent transactions. But because of the extensive increase in fallback transaction counts, that objective is not being fulfilled. With the remedies mentioned above to reduce fallback transactions, the number of chargebacks can be reduced easily.
Payhuddle Consulting has got you covered. Our Level 3 consulting focuses on acquirer needs, with remote consulting services available in 35 countries. We help banks avoid testing pitfalls and handhold them through testing and certification. Our consultants are available during their work time, and we've helped banks undergo certification across various terminal types. Trust us, our credentials speak for themselves - we are an EMVCo-qualified Level 3 tool provider, Discover Accredited E2E certification service provider, and Visa accredited CVES provider. Contact us today to learn more.