Credit card fraud cost banks, merchants, and consumers over $16 billion worldwide in one recent year, according to The Nilson Report. While it accounts for just under one-quarter of global credit card volume, the United States suffers the effects of nearly half of that illegal activity.
The single most significant reason for this imbalance, according to a working paper from the Federal Reserve Bank of Atlanta, is that the U.S. is only just now adopting the EMV payment-card security standard. Originally a joint venture between card networks Europay, Mastercard, and Visa, the standard has since been entrusted to an independent consortium.
EMV has been credited with greatly reducing overall levels of payment card fraud in Europe and elsewhere, including a 70-percent drop in the United Kingdom. It is expected to do the same in the United States as adoption continues. While EMV has been effective at limiting fraud for transactions where a card is present, its implications for e-commerce merchants are a little more mixed.
EMV: What It Is, How It Works, and What It Achieves
As many people will have already seen in person, the EMV standard revolves around a security chip that is implanted in otherwise conventional-seeming payment cards. Each such chip hides a unique cryptographic key that is used to answer challenges sent by EMV-compliant card terminals.
While most EMV-equipped cards also include a fraud-prone magnetic strip and an imprinted account number, the EMV chip itself is virtually impossible for criminals to duplicate or counterfeit. As a result, fraud rates for card-present transactions have plummeted in places where EMV adoption has become nearly universal.
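The challenge-and-response idea described above can be sketched as follows. This is an added example, not code from the EMV specification or from this article's sources: it stands in HMAC-SHA256 for the real EMV cryptogram, and the `ChipCard` and `Issuer` classes, the result labels, and the sample card number are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _mac(key, pan, challenge, amount_cents, counter):
    msg = b"|".join([pan.encode(), challenge, str(amount_cents).encode(), str(counter).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


class ChipCard:
    """Toy chip: the key stays inside; only per-transaction MACs come out."""

    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def respond(self, challenge, amount_cents):
        self._counter += 1  # transaction counter makes every response unique
        return self._counter, _mac(self._key, self.pan, challenge, amount_cents, self._counter)


class Issuer:
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def issue(self, pan):
        self._keys[pan], self._last_counter[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def verify(self, pan, challenge, amount_cents, counter, mac):
        expected = _mac(self._keys[pan], pan, challenge, amount_cents, counter)
        if not hmac.compare_digest(expected, mac):
            return "bad_mac"        # response does not match this challenge/amount
        if counter <= self._last_counter[pan]:
            return "stale_counter"  # valid MAC, but already seen once
        self._last_counter[pan] = counter
        return "ok"


def demo():
    issuer = Issuer()
    card = issuer.issue("4000000000000002")  # constructed sample number
    c1, c2 = secrets.token_bytes(8), secrets.token_bytes(8)  # terminal challenges
    counter, mac = card.respond(c1, 2500)
    return {
        "genuine": issuer.verify(card.pan, c1, 2500, counter, mac),
        "replayed_to_new_challenge": issuer.verify(card.pan, c2, 2500, counter, mac),
        "replayed_verbatim": issuer.verify(card.pan, c1, 2500, counter, mac),
        "amount_altered": issuer.verify(card.pan, c1, 990000, counter, mac),
    }


if __name__ == "__main__":
    print(demo())
```

A captured response is rejected everywhere except the one transaction it was made for, whereas a card number, expiration date, and security code are the same on every use, so a captured copy of them stays valid.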
With far fewer opportunities to intercept unprotected card data or to use it to make purchases in person, criminals have found it much more difficult to commit payment card fraud. While EMV therefore represents an important development overall, it has produced at least one side effect of a clearly negative kind.
Online Merchant Concerns: The Fraud-Related Downside of EMV
The EMV standard does not directly account for transactions where a payment card is not physically present. For this reason and to accommodate terminals that are not EMV-compliant, the various card networks still allow for the old-fashioned kinds of transactions that revolve around card numbers, expiration dates, and security codes.
As a result, increasing EMV adoption tends to produce a surge in card-not-present fraud. Even while overall fraud levels decline, e-commerce merchants and those who accept payments by telephone can expect to experience a heightened pace of both fraudulent payment activity and attempts to steal any unprotected card data they collect.
Whether criminals obtain credit card information from large-scale online data breaches or from skimmers at pre-EMV physical terminals, the broader adoption of the standard encourages them to seek out other ways of acquiring and using cards. When it comes to EMV and e-commerce, online merchants therefore have quite a bit to lose, at least in the short term.
Fighting Back Against EMV-Evolved Fraud
What this means in practice is that e-commerce merchants need to be even more vigilant than in the past about combating payment card fraud. For now, measures worth investigating can include:
- Better Fraud Detection: More advanced fraud detection systems and services do a better job of identifying transactions that are typical of criminals. In addition to presenting fewer false positives that might drive away legitimate business, the most advanced systems today can counter tools like Virtual Private Networks that fraudsters use to disguise their origins and activities.
- Tokenized Processing: E-commerce sites that transmit account information to payment processors can expose the data of their customers to interception by criminals. Processors that support tokenization, a feature that will also soon become more widely part of EMV, instead accept a random-looking string that is useless to would-be fraudsters.
- Encryption Everywhere: Making sure that account data is properly encrypted at each stage of transmission can also go a long way toward protecting it. A single unencrypted link in the chain is all that it might take for criminals to stage a successful man-in-the-middle attack and get away with card information.
In other words, with regard to EMV and e-commerce, the stakes have mostly become higher, making the existing best practices even more important. While there is currently no easily accessible way for e-commerce specialists to enjoy the protections of EMV, initiatives like MasterCard’s Chip Authentication Program and Visa’s Dynamic Passcode Authentication system are starting to open up some options. Until then, e-commerce merchants do well to be even more vigilant than in the past about both protecting the card data of customers and guarding against fraudulent transactions.