Fallback 101: Understanding fallback authorizations
With the widespread adoption of chip technology in payment cards, credit unions have been forced to fortify their defenses against fraud and are investing more money and resources into advanced security measures. However, as security systems evolve, so do the schemes of the bad actors. Fallback authorizations, which were introduced following the rollout of chip technology, require careful examination as they can expose financial institutions to significant risk.
How fallback works
In instances where a chip card fails to read at a chip-enabled device, fallback authorizations allow the transaction to proceed using the card’s magnetic stripe at the point-of-sale (POS) or at automated teller machines (ATM) and interactive teller machines (ITM). Built into payment systems as a safety net, fallback authorizations nevertheless introduce major vulnerabilities when used. Although convenient, allowing fallback authorizations causes the card issuer to forfeit its dispute and chargeback rights, so the issuer assumes liability for any unauthorized fraud losses. While it is vital that merchants’ POS devices and systems are properly programmed to accept chip-enabled cards seamlessly, understanding how fallback authorizations work and implementing proper policies are essential for mitigating this risk.
Fallback attacks
Fallback authorizations primarily occur at POS devices and ATMs/ITMs using the very technology designed to make transactions easy and seamless. A bad actor will deliberately cause a chip card to fail at a chip-enabled POS device, leading the merchant to request a magnetic stripe swipe—a technique especially attractive to the bad actors who have obtained card information fraudulently through skimming or other ways. A legitimate cardholder may also encounter a chip failure at a merchant’s POS device, prompting a fallback transaction as well. In both scenarios, the card issuer still forfeits chargeback rights and assumes full liability for any fraud that results.
The occurrence of any fallback transaction should be a red flag, signaling the need for an investigation and/or member education on how to report these incidents. Addressing merchant compliance (terminals that repeatedly fail to read chips) should also be considered as a way to mitigate these risks.
Managing fallback risks
Recognizing and managing the risks associated with fallback authorizations requires a proactive and strategic approach. Some strategies to consider include:
- Review your fallback authorization policy: Review and refine your institution’s policies regarding fallback authorizations. Is the convenience of allowing fallback worth the accompanying risks? Limiting or blocking fallback transactions may be a consideration for your strategy.
- Enhance ATM and POS security: Ensure that all ATM/ITMs and POS terminals under your institution’s control are fully chip-enabled and regularly updated to prevent exploitation.
  - ATM/ITMs: Only allow chip or contactless authorizations at your ATM/ITMs. Configure them to permit only POS entry mode 05 (chip) and, if supporting contactless, POS entry mode 07 (contactless) with Merchant Category Code (MCC) 6011 for electronic cash disbursements. This setup prevents fallback magnetic stripe authorizations, so that an attempt made with a skimmed copy of the card is declined.
  - POS device authorizations:
    - Monitor for fallback fraud: Ensure your current strategy minimizes POS fallback fraud. For example, limit POS fallback authorizations to a specific amount (e.g., $100) within a 24-hour period.
    - Dispute/chargeback rights: Recognize that unauthorized POS fallback fraud on your chip cards leaves you with the fraud liability.
    - Risk assessment: Assess the balance between fallback fraud risk and customer service. Restricting to “chip on chip” or “contactless” authorizations reduces fallback fraud liability.
- Monitor and report incidents: Establish robust monitoring systems to detect and flag fallback transactions. Regularly review authorization reports to identify problematic merchants and terminals and report them to the card association.
- Collaborate with partners and providers: Work closely with technology partners to disable fallback where feasible, reducing exposure to fraud.
  - POS terminals: Work with your card processor and authorization provider to prevent fallback authorizations on POS terminals.
  - ATM/ITMs: Collaborate with your ATM/ITM authorization provider to prevent fallback authorizations. These efforts can lead to the development of more effective controls and industry-wide standards.
- Cardholder education: Encourage cardholders to use the contactless feature on their chip cards or mobile wallets if the chip fails at POS devices and ATM/ITMs that have contactless enabled, and to report any instances where a chip card fails to read at a terminal.
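As an added illustration (not code from the article or any processor), the following Python model combines the ATM rule (entry mode 05/07 only at MCC 6011), the POS fallback velocity cap ($100 per card per 24 hours), and the flagging of every fallback attempt for the review queue. The fallback entry-mode value "80", the non-ATM MCCs and the sample amounts are assumptions; confirm the actual indicator your authorization provider sends.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CHIP, CONTACTLESS = "05", "07"   # entry modes named in the article
# Assumption: fallback arrives as entry mode "80" (chip read failed, stripe used).
FALLBACK = "80"
MCC_ATM_CASH = "6011"            # electronic cash disbursement
POS_FALLBACK_CAP = 100.00        # dollars of fallback allowed per card per window
WINDOW = timedelta(hours=24)

@dataclass
class Auth:
    card: str; amount: float; entry_mode: str; mcc: str; ts: datetime

@dataclass
class FallbackPolicy:
    approved_fallbacks: dict = field(default_factory=dict)  # card -> [Auth]
    alerts: list = field(default_factory=list)             # items for review

    def decide(self, a: Auth) -> str:
        if a.mcc == MCC_ATM_CASH:
            # ATM/ITM: chip or contactless only; anything else is declined and flagged.
            if a.entry_mode in (CHIP, CONTACTLESS):
                return "APPROVE"
            self.alerts.append(("ATM_NON_CHIP", a.card, a.ts))
            return "DECLINE"
        if a.entry_mode != FALLBACK:
            return "APPROVE"   # ordinary POS authorization path, not modelled here
        # POS fallback: always a red flag, and limited by 24-hour velocity.
        self.alerts.append(("POS_FALLBACK", a.card, a.ts))
        recent = [h for h in self.approved_fallbacks.get(a.card, []) if a.ts - h.ts < WINDOW]
        self.approved_fallbacks[a.card] = recent            # drop entries older than 24h
        if sum(h.amount for h in recent) + a.amount > POS_FALLBACK_CAP:
            return "DECLINE"
        recent.append(a)
        return "APPROVE"

def run_sample():
    """Constructed authorization stream for one card; returns (decisions, alerts)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    stream = [
        Auth("card-A", 200.00, CHIP, MCC_ATM_CASH, t0),                           # ATM chip read
        Auth("card-A", 200.00, FALLBACK, MCC_ATM_CASH, t0 + timedelta(minutes=5)), # ATM fallback
        Auth("card-A", 60.00, FALLBACK, "5411", t0 + timedelta(hours=1)),         # POS fallback
        Auth("card-A", 50.00, FALLBACK, "5411", t0 + timedelta(hours=2)),         # would exceed cap
        Auth("card-A", 40.00, FALLBACK, "5812", t0 + timedelta(hours=3)),         # lands exactly on cap
        Auth("card-A", 50.00, FALLBACK, "5812", t0 + timedelta(hours=26)),        # first fallback aged out
        Auth("card-A", 500.00, CHIP, "5732", t0 + timedelta(hours=27)),           # chip read, no cap
    ]
    policy = FallbackPolicy()
    return [policy.decide(a) for a in stream], policy.alerts
```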
As the bad actors increasingly exploit fallback mechanisms, it is imperative for credit unions to adapt and strengthen their security measures. By limiting fallback authorizations, closely monitoring POS and ATM/ITM activities, and collaborating with key stakeholders, you can effectively mitigate the risk of potential fraud losses for your institution.