Hi all,

Two question day. Wondering if there is any kind of best practice around types evidence that can be used to deny a claim if the transaction is believed to be authorized after we investigate it?

My general knowledge has always been the FI owes the consumer an investigation and the burden is on the FI to show the transaction was in fact authorized or not an error if the FI is to deny the claim. However, my understanding has always what that burden is, is left undefined, other than to say negligence is not an acceptable to reason to deny a claim.

For instance, if we get a claim on a debit POS, and it is chip-read (and not a mobile wallet token) and PIN-based with no bad PIN tries... is that sufficient to deny the claim if the customer hasn't made us aware of a circumstance that the card and PIN were both stolen? Can I deny at that point and take the stance that the consumer will reassert the claim once the denial is received if they suddenly remember they wrote the PIN on the Card?

While that is a specific scenario.... I'm wondering if there exists somewhere a "generally accepted" compendium of investigative methods or types of evidence for Reg E Claims?

Unless you can prove that they actually did the transaction or benefited from the transaction, the burden lies with the bank. Your scenario is only circumstantial evidence. Do you have film or a picture of the transaction taking place?

I understand what you are saying, though in many cases the photo/video is not made available or does not exist in the first place. Which I guess is irrelevant in the eyes of Reg E. It just means that is not something I will have access to prove or disprove the dispute.

Can the customers material statements be used? If the evidence shows chip-read and no bad pin tries and the customer asserts the card has never left their possession and asserts their PIN is not sored with the card and it is not possible for anyone else to know the PIN?

I've literally told customers I would believe them if they told me they gave the card to a "helper" or I would even believe if a close relation stole the card temporarily, and generally what we are met with from the customer is "that isn't possible"

I guess you are assuming that a chipped card cannot be cloned?

As it stands today, yes that is a safe assumption, IMO.

You can take elements of the chip data and place it on a magstripe but the transaction data will show it was magstripe read or a fallback in that scenario. In those two situations (magstripe read or fallback), yes a counterfeit card is possible. Card brands really need to pressure merchants and acquirers to dump magstripes and fallback nonsense in the US.

There are other data elements on the native EMV chip like transaction counters and rotating cryptograms that are no more good once cloned. If the transaction is chip card on chip reader using EMV, you can be confident (today) it is the genuine card.

I would only see mobile wallet tokens as an exception as mobile wallet registers as contactless chip-read at the POS. A fraudseter with knowledge of the card number, exp and cvv can load a card into mobile wallet but it requires subterfuge to trick the cardholder into helping the fraudster load the card into the fraudster's mobile wallet as most issuers have MFA as part of that process. That said, the transaction data indicates it is mobile wallet token transaction and would look for that before determining it was the genuine card and therefr native EMV.

That said, I guess there is always the chance a sophisticated fraud operation figures out EMV cloning for the first time, though outside the US the technology has been used since the 1990's without being cracked..... yet.

I will hang up my hat the day that happens and find a different industry than banking. Or, hopefully, I'll be close enough to retirement at that point to call it a career.

We are also trying to navigate this and we are wondering what other institutions are doing or if anyone has any feedback from examiners on this subject. The customer has stated that they have possession of the card, but the transaction was chip authorized. My dispute department wants to assume that chipped cards can not be cloned and since the card is in possession, they want to deny the dispute. I am concerned that this will not be considered a sufficient investigation, but I am struggling to find guidance on this subject. Any help would be appreciated!

I paid a member last year for 4 transactions on different days used at a Dollar General 4 blocks from her house. She works (her spouse does is retired and joint on the account) and her work is a few miles away from the store. She was at work on all of those days and states that she did not leave her card at home - it's always in her wallet although her card usage was very negligible, although she does shop at that Dollar General. Shortly after one of the transactions, a purchase was made at Home Depot with the same card, but she claims that was her after work. I asked if the card was ever left unattended at school in an unsecured environment and she said no. My belief is that the spouse was using the card and she was unhappy about it for some reason. Couldn't find enough other evidence to link it to her or him, so we paid it.

It is not a safe assumption that chip cards cannot be cloned. It's more complicated than cloning a mag strip card, but not impossible.

Cloning credit cards with chip

The article on Medium is describing things that would not be chip-on-chip transactions. I'd be curious if there is a payment card industry white paper on chip-on-chip cloning.

With the activity described in Medium, the bad actor lifts the card number with a skimmer and encode it to a magstripe and will damage the chip or otherwise cause the chip to malfunction. At that point it may fall back to the magstripe. Hence, "chip bypass." I can't speak for all card processors, but the three card processors I have worked with can differentiate within authorization details the entry method and whether it was fallback and whether it was a mobile wallet token. I would make sure I look carefully at the entry method, fallback, and token indicators before denying a claim.

Full magstripe read - could be counterfeit

Fallback indicator is yes - could be counterfeit (chip bypass)

Contactless chip through a token wallet - could be "counterfeit" if bad actor social engineered card data into mobile wallet.

Chip-read (chip card on chip terminal) - this will be a genuine card. Note the card and/or could still be stolen. But it's genuine plastic.

All that said, if chip-on-chip is disputed, there is still room for the card and/or PIN to have been stolen at the time of transaction and due diligence should be exercised before denying.

The thing to be careful about chips is that a chip card by itself does not preclude cloning/counterfeit as the data can be lifted and used in scenarios outside of reading from the chip. Review the transaction data and validate it was a chip card at a chip terminal and that the chip was what was used in the transaction. All of that said, even with a chip card used on a chip terminal... the card and/or PIN could have been stolen at the time of the transaction.

I agree the card was genuine plastic but could have been "stolen" at the time in this scenario and if you were at an impasse to show it was household member, you'd probably have to final credit the claim