Credit Unions: Is It Time to Decline Fallback?

Credit Unions: Is It Time to Decline Fallback?
Posted: Aug 10, 2017
Comments: 3

An update on credit or debit EMV chip cards

Fallback occurs when a credit or debit EMV chip card cannot be read at a chip terminal when inserted and is processed by swiping the mag stripe. Fallback is typically seen in a market where EMV is first being introduced. An incorrectly configured terminal, terminals that are not set up to process “chip and PIN”, terminals that have not been programmed to route transactions over some networks, and in rare cases, defective chips within the card, are all potential or legitimate reasons for a chip card to not be capable of being read properly at the terminal. In these cases permitting the cardholder to complete the transaction by swiping the mag stripe card at the terminal seems like the proper way to minimize customer inconvenience.

Liability for fraudulent activity conducted in this manner lies with the issuer, not with the merchant/terminal owner. A thought leadership article published last year suggested that fallback transactions should not be declined by issuers, since the inconvenience to legitimate cardholders greatly outweighed the fraud using fallback, or in fraud terminology – EMV chip circumvention.

Several circumstances have changed since this time last year, all leading up to a decrease in “legitimate” fallback and a rise in fraudulent fallback transactions. Nearly all of the terminal configuration issues have been resolved, and while there are still many merchants that have not begun to convert their mag stripe terminals to chip-accepting terminals, the vendors in this space have the experience from other implementations to ensure that future conversions are less problematic. At the same time, fraudsters have developed new ways to force fallback and use magnetic stripe data obtained in the many breaches that have occurred recently. Creating real chip cards with chips devoid of any programming (not something the terminal expects), or chip cards with unreadable chips are ways to force the terminal to request the cardholder, in this case the fraudster, to continue the transaction by swiping the card.

In fact, in the recent breach of Chipotle where malware downloaded to the terminals was able to obtain millions of magnetic stripe card data, 10% of all the fraudulent transactions conducted using the breached data was due to fallback transactions – putting the stolen data on a mag stripe of a counterfeit card with a fake, or otherwise unreadable chip, forcing the chip-enabled terminal to request the fraudster to swipe, and thus enabling the fraudster to use breached card data for a chip card at a chip terminal. And worse, a similar breach at Arby’s resulted in a quarter of all fraudulent uses, 25%, to be conducted as fallback. In all those fallback transactions, the issuer was liable for fraud conducted even though the issuer had gone through the expense of issuing chip cards.

This raises the question – is it time to deny authorization of fallback transactions? In the previous thought leadership article on this topic, the specific advice was: “It is strongly recommended that you do not decline fallback transactions, not for the first one or two years.” The EMV liability shift went into effect in October 2015, nearly two years ago. And while every issuer has a different mix of tolerance for risk balanced with ensuring cardholders are never declined for reasons out of their control. It seems that the point has been reached that declining fallback will accomplish more good, or at least prevent more bad, than not.

What are your thoughts? Have you already started declining fraud? Have you noticed any complaints? We want to hear from you.


Rate this article:
Dave Chojnacki

Dave ChojnackiDave Chojnacki

Dave has more than 10 years of relationship management experience and holds a Credit Union Compliance Expert (CUCE) Designation from CUNA. He currently serves as Director of Consulting Services at Trellance.

Other posts by Dave Chojnacki

Full biography , Contact author

3 comments on article "Credit Unions: Is It Time to Decline Fallback?"

Ali Knuckles, 8/15/2017 10:19 AM

We have. At least for now. We were hit with fallback fraud due to the Chipotle breach over the 4th of July holiday. It started over the weekend before and ramped up on the 3rd. I was watching it happen from home and working on and implementing auth blocking rules in the middle of the night between the 3rd and 4th. Fun. Times.

They were using the cards at Home Depot and Sam's Club in our footprint and the machines were processing as fallback without requiring any attempt to use the chip first. I could tell that was the case because we would have card usage at the same terminal (sometimes 4 or 5 cards in a row) that would come through as fallback all within a 1-2 minute period. So the fraudster was standing there ( I assume at an unmanned terminal) purchasing, I assume, gift cards for $200-$250. Swipe card, finish, swipe another card, finish, swipe another card, finish, and so on - all within a 1-2 minute period. If they were requiring a chip attempt first they would not be able to get that many transactions completed in that short of a time frame I don't think.

We now decline all fallback transactions. Most of the cards being declined are at locations where chip is accepted but the merchant still allows them to swipe first. We could prove that because they would following the declined swiped/fallback transaction with a completed chip transaction at the same terminal. There are still quite a few merchants in our footprint (Greater Cincinnati) that allow for swipe without requiring the chip first.

We also see many declines at ATMs for fallback. It is actually now (since the fraudsters have moved on to other fraud for Chipotle breach) the most common transaction being declined for fallback. Not sure what is going on there but I assume, like merchant machines, the chip ATM is not set up properly.

Lou Grilli, 8/15/2017 5:57 PM

Ali - Great feedback, and very insightful. Thanks for taking the time to share.

Curious about your statement regarding fallback at the ATM. Is it possible that the fallback at the ATM is also attempted fraud?

BRIAN PETERSON, 8/18/2017 1:22 PM

We get fallback reports from our processor on a daily basis. There are at least a few transactions on the daily report, mostly small-dollar purchases. Our processor claims these are misconfigured terminals that are accepting a swipe but are chip-enabled, thus causing the transaction to look like a fallback to the networks. The cardholder has no idea of any problems because the terminal works with no messages or complications at the POS.

If we were to decline all fallback, we'd have these cardholders calling us after the decline. All we could tell them is the merchant has incorrectly configured terminals, there is nothing we can do since nothing is wrong with the card. Not a great answer and nothing the cardholder can do to minimize their troubles in the future.

Even though it has been 2 years since liability shift, unfortunately there are still merchants with terminal configuration issues that would negatively impact the cardholder.

Clearly, more time is still needed for EMV to mature in the U.S. market before fallback can be eliminated completely. If 100% decline on fallback is the path you take, you run the risk that the cardholder will abandon your card in favor of a more reliable card that permits fallback allowing the transaction to complete.

The best answer today is to limit the fallback transactions by count or dollar amount. For example, we have limits in place to allow up to 2 fallback transactions per day up to a total of $200. So even if a fraudster forces fallback, they are limited to the amount of fraud they can get, but the average cardholder will not have a decline of there small-dollar purchases like their morning coffee or lunch. If your processor has this ability, you should seriously consider setting this up.

Please login or register to post comments.


Featured Stories