Cyber Monday Reminder: CNP Merchants at Higher Risk Post EMV
Dec. 1, 2014
As if they needed a reminder, one industry vet’s holiday weekend experience this year highlights for card-not-present merchants the importance of both securing the personally identifiable information of consumers and that fraudsters will be targeting them specifically as the U.S. migrates to the EMV standard.
Michael Liquornik, president of payments consultancy Fin-Serv Advisors was notified by TD Bank this weekend that his wife’s card had been used fraudulently at a number of retailers. As a Canadian resident, Liquornik’s cards are of the Chip-and-PIN variety, and the fraudulent transactions, aside from one at a general-merchandise retailer for under $1 where the fraudsters appeared to be testing the validity of the card, which could have been a brick-and-mortar purchase, were all at online merchants and were in the three-figure range.
“In Canada, it very rarely happens that we have fraud that occurs at the point of sale, given that virtually all POS merchants have converted to EMV. This card wasn’t used in the U.S., so this is likely a card-not-present breach that yielded the card information. And, I’m guessing it was a fairly major event. Because our pattern of purchases didn’t scream fraud, TD must have had some idea something greater was happening here. It also took me a very long time and repeated attempts to contact them after they left us a message”
Liquornik cites his weekend experience as another glaring example of why CNP merchants need to be vigilant about using tokenization and not storing customer payment information. He did note the information could have been obtained from another source such as an upstream processor, but added that retailers still need to protect their customers and, in doing so, protect themselves from fines and reputation damage.
“My inkling, because it’s on my wife’s card, which we usually use only for everyday spend and smaller online purchases, is that this originated with a small merchant,” Liquornik said. “And a breach could be lethal for a small merchant. The fines alone, could put them out of business.”