Poor controls on prepaid cards accounted for nearly 60% of the fraud losses issuers took in the wake of the Target breach, according to one top-10 issuer.
Prepaid cards present a vexing fraud challenge. There are three primary ways in which the fraud risk materializes:
- Funding risk: Reloadable prepaid cards are loaded with stolen funds (e.g., from a compromised demand deposit account).
- Counterfeit prepaid card risk: The prepaid card data is compromised, and the data is used to create counterfeit cards.
- Stolen card risk: The prepaid gift card is purchased in store with a stolen credit or debit card.
Funding risk and counterfeit card fraud do exist in the prepaid world, but in Aite Group’s discussions with prepaid issuers and program managers, this is not a substantial source of pain at this point. In fact, as the rest of the U.S. payment industry gears up for a move to EMV, few prepaid issuers have plans to add the chip to their cards, as the business case for adding that security just doesn’t work. The real issue with prepaid cards is behind door number three: the risk of the prepaid card being purchased by a stolen card. This has turned into criminals' favorite way to monetize the data they steal in data breaches, and it is responsible for substantial losses for those stolen cards' issuers. Here’s a use case:
- Card data is compromised in a database breach.
- The criminals use that card data to create a counterfeit credit or debit card.
- Money mules go into stores with counterfeit cards and buy hundreds of dollars worth of prepaid gift cards.
- Because retailers are not required to validate the identity of a customer making a purchase with a gift card, the criminals are then free to monetize those gift cards risk free.
- The issuer of the stolen cards absorbs the fraud loss when the owner of the stolen card (which was used to purchase the prepaid cards) disputes the charge.
The challenge is that the prepaid issuers and program managers that control the issuance of the cards are not the entities that ultimately bear the losses, so there is very little incentive for them to add any front-end security. Quite the contrary—the more prepaid cards sold, the greater the opportunity for fee and interchange revenue.
The losses from this type of fraud are painful for issuers, but they are able to absorb them today. In just 14 months, however, the United States will migrate to EMV, shifting the liability for these losses to non-EMV-enabled merchants. The majority of large merchants plan to be EMV-enabled prior to the liability shift date, but Aite Group research shows that small merchants will lag. The result? This prepaid fraud will shift to small mom-and-pop merchants that are least capable of absorbing it—and it will put some out of business if they do not bolster their front-end verification process between now and then.