EMV Roll-out Provides 650 Million Reasons to Still Care about Address Changes
Major card issuers will have a lot of plastic in the mail during the EMV roll-out. By the end of 2015, Aite estimates 70 percent of U.S. credit cards and 41 percent of U.S. debit cards will be converted from mag stripe-only cards to EMV chip and pin cards. To put that into real numbers—that’s over 650,000,000 cards in envelopes that are hopefully received by the intended cardholders. During this same time period, over 35,000,000 Americans will move to a new address. Just from a pure odds standpoint, there is a high likelihood that many cards will not reach their intended destination, especially if issuers don’t take steps to figure out the best address and screen high risk segments for account takeover. A mass re-issue could result in a massive headache.
Get it Right with Legitimate Customers
Most cardholders are not purposefully trying to avoid their financial institutions; however, the timing of the re-issue and that fact that up to 50 percent of consumers don’t submit the National Change of Address (NCOA) form to the U.S. Post Service, means that many of the re-issued cards will not make it to the corresponding customer—especially on the first try. In the scenario of a good customer moving to a new address, the objective for the issuer is to ensure that the most accurate address is identified with the following goals in mind:
- Reducing returned mail cost
- Avoiding production of yet another replacement card
- Averting a bad customer experience and the resulting loss of trust
- Preventing a gap in card usage and the associated interchange income
- Keeping the card top-of-wallet
In the case of good customers making an authentic move, the actions required to meet the objective of getting the cards to the updated cardholder address are about freshness, validity, and accuracy:
1) Screen all names and addresses through a process to verify that the input names match the address
2) If a new address is identified for an input name and address, return that new address
3) Provide any address correction data and information to correct any errant addresses
Pay Special Attention to High-Risk Segments
Not every address change is actually a good customer moving to a new location as described above. Instead, these address changes are the “set-up” event to an account takeover. The classic account takeover scheme involves changing the address from the victim’s address to an alternate address controlled by the fraudster. Once the address change is made the fraudster then request a replacement card. Once they receive the replacement card, they are then able to enable the “cash out” event by using the card.
To make your life even harder and the fraudster’s life even easier, the classic account takeover scheme is cut in half. Because the fraudsters have a good idea of when the cards are going to be re-issued, they only have to change the address and wait for the new card to arrive.
The bad guy does not even have to request a new card!
The normal controls that financial institutions have in place to mitigate risk for “customer initiated card requests” are completely sidestepped. Once done, criminals are able to authorize the card by providing the last four digits of Social Security Number (SSN) which are readily available on the black market.
Therefore, issuers must pay special attention to two segments in their portfolio that exhibit an elevated risk for account takeover: 1) those accounts that have shown a recent address change (e.g., within the last 60-90 days), and 2) accounts where the foundational address processing identified an updated address. Because of the heightened risk, there needs to be additional scrutiny on these accounts in the form of fraud prevention services specifically designed to detect account takeover fraud occurring as a result of an address change or an address discrepancy. This additional screening should include the following:
1) Matching the addresses against suspect and known fraud address databases
2) Measuring velocity of activity (e.g., several identities associated with one address) at a given address to detect fraud rings
3) Scoring of the addresses in question in order to identify and isolate the majority of fraud in a much smaller number of cases
4) Identify “out-of-pattern” addresses by analyzing the difference between the old and new address
When the roll-out of EMV is completed, card issuers will be in a great position to prevent counterfeit fraud. But during the next 12-18 months, there will be a maelstrom in the mail stream as fraudsters will undoubtedly take advantage of the situation. Protect yourself. Avoid the ambush. Advance carefully and you will weather the storm.
Written by Adam Elliott
ID Insight President, Co-Founder
Adam has a passion for creating data-driven solutions that produce positive and measurable business results. A recognized name in the analytics area, Adam has won numerous awards for marketing and training, including “Minnesotans on the Move,” the Gold Award at the Houston International Film Festival for analytics training and an award from the American Marketing Association for leading the creation of the largest B2B Webcast in Yahoo’s history. When he’s not inventing new products, he’s on the ice coaching his daughter’s hockey team.