The hidden risk of EMV conversion: E-retail fraud
Retailers and card issuers throughout the United States are rolling out EMV (Europay, MasterCard and Visa, a.k.a. chip-and-PIN) cards and acceptance systems this year in an effort to stem fraud liability in card transactions.
The last major economy to adopt the EMV standard, the United States accounted for 51% of payment card fraud costs in 2013, according to Business Insider. EMV cards are seen as more secure than the magnetic stripe cards to which U.S. consumers are accustomed — at least for in-person purchases.
But as retailers begin to adopt the EMV technology before the scheduled October 1, 2015 changeover, e-retailers may suffer from it. Thankfully, there are some precautions these businesses can take now to protect against fraud in the future.
The last to implement
EMV cards carry information on an embedded microchip that generates a one-time transaction code on in-store purchases. When used along with a consumer’s PIN, the code makes EMV cards more effective in thwarting thieves, hackers, and data-skimming software that pilfer card data for fraud.
Somewhat more expensive to service than stripe cards, EMV was slow to take off organically among retailers in the United States. Following massive data hacks at Target and Home Depot, however, interest in adoption picked up, and more than two-thirds of credit cards—more than 575 million—will have EMV chips by the end of the year.
Both MasterCard and Visa have issued a chip-and-PIN card and card reader-installation deadline of October 1, 2015. After that date, any company that accepts credit and debit card payments without chip-and-PIN systems in place will assume a greater share of the liability for fraudulent transactions resulting from stolen data.
While effective against in-person fraud and terminal breaches, EMV cards can't stop fraud completely. Many payments professionals believe that EMV cards will simply force hackers to look to other avenues for fraud.
“The U.S. has proven to have gaps within its payment chain and changes are being made in an attempt to rectify that,” said Monica Eaton-Cardone, cofounder of Chargebacks911, a payments firm specializing in chargeback risk mitigation, in a release. “However, EMV cards only offer a defense for point-of-sale purchases.”
Card-not-present sales at risk
Card-not-present (CNP) payment environments will be especially vulnerable, and may take on the criminal activity prevented by EMV’s improved onsite protections.
“EMV is very effective against counterfeit card fraud, but there is also a dollar-for-dollar displacement into CNP fraud,” Julie Conroy, research director at the financial services research firm Aite Group, told PYMNTS.com.
CNP fraud is expected to more than double from a total of $2.9 billion in 2014 to $6.4 billion in 2018. And as an EMV transition proceeds in the United States, fraud will shift from card-present transactions to other types of card payments that so far lack stringent protocols for authentication, including e-commerce and other direct sales, says a white paper from the EMV Migration Forum.
Basing its conclusions on precedents set in other countries’ EMV migrations, the report says that Internet, mail order, and telephone orders will be targeted increasingly by fraudsters.
In the United Kingdom, for example, fraud in these payment channels shot up at the beginning of its EMV deployment in 2003, and didn’t peak until additional authentication measures were put in place in 2008.
“Consumers need to be aware that… no one technology will protect them,” James Wester, research director at IDC Financial Insights, told ZDNet. “Implementing EMV at the point of sale is great, but if merchants think that absolves them of any more responsibility in protecting data, the result will be ongoing, large-scale data breaches.”
Additional measures needed
Techniques that could help secure CNP transactions include device authentication, one-time passwords, and biometrics; big-data analytics for risk management and card validation; the “3-D Secure” messaging verification protocol; and tokenization, which replaces card data with surrogate values that have no value outside a specific merchant or transaction.
But criminals are getting increasingly tech-savvy; some even worked around Apple Pay’s tokenization to create new identities.
“Tokenization worked as planned, but fraud happened somewhere else,” Thomas Rand-Nash, director of operations at the transaction analytics firm Brighterion, told PYMNTS.com.
“With CNP fraud, fraudsters’ methods are continuously evolving,” he added. “By the time you identify a new pattern and have a set of experts write up rules to test it, the fraudsters have moved on and are looking for new methods.”
Companies can use behavioral analytics to enhance authorization decision-making, but they should only do so with the understanding that fraud will always occur. Multifactor authentication like the one-time codes banks issue via SMS can be effective as well, but tends to make transactions less seamless.
“No single security mechanism can protect against all possible fraud scenarios,” said Randy Vanderhoof, EMV Migration Forum director, in a statement. “Instead, the best practice to protect against card-not-present fraud is to use a systematic, multilayered approach using tools that work together to create a successful fraud reduction program.”