December 21, 2015
By CardNotPresent.com Staff
In January, Apple CEO Tim Cook called 2015 the “year of Apple Pay.” Perhaps, the “year of [fill in the blank] Pay” makes more sense. But, in addition to the explosion of mobile wallets that could have a material impact on CNP transactions going forward, there were lots of other big stories that affected the card-not-present industry in 2015. While its true effect on CNP fraud may not be felt for years, the long-awaited liability shift in the ongoing U.S. EMV migration arrived. In the meantime, steadily growing e-commerce transactions and an explosion in m-commerce growth had more immediate effects, along with the seemingly daily reports of the most recent data breach. Increasing attention of governments around the world to cybersecurity and the cost of credit card acceptance, an uptick in consolidation in the payments space and shifting fraud trends also made news this year. Here are the most important stories covered in CardNotPresent.com in 2015.
Rapid Growth of CNP Commerce
Records fell during the 2015 holiday shopping season, and all year long the numbers indicated more consumers are turning to their PCs and mobile devices to make purchases than ever before. CardNotPresent.com chronicled the promise of opportunities in global markets. With U.S. online retail sales to hit $480 billion by 2019 , global online B2B sales approach $7 trillion by 2020 and Chinese cross-border e-commerce hitting $1 trillion in 2016 , CNP commerce is not showing any sign of slowing down. And, while e-commerce has been the most prominent CNP channel for more than a decade, this year mobile e-commerce traffic surged past desktop .
Evolution of Data Breaches
While 59% of compromised identities came from retail breaches in 2014 , most large scale data breaches in 2015 were at the expense of health care companies, hotel chains and the U.S. government. [hide for=”!logged”]With the Hilton Hotel chain , Starwood Hotels and the recently confirmed Hyatt breach, the payment card information of millions of travelers was exposed. This year, however, 81% of health care companies said they had been compromised and hackers appeared to be targeting different kinds of information. Personal data contained in 80 million records stolen from health insurer Anthem, Inc. and 11 million more from health insurance company Premera Blue Cross was used by bad actors to steal identities and fraudulently open new lines of credit.
A massive breach of the Office of Personnel Management resulted in more than 22 million records of government employees, including military personnel, exposed. While it isn’t the largest breach in history, the extensive information obtained made this breach historic: social security numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints.
Evolution of How Stolen Data is Used
While most network intrusions did not directly affect companies in the card-not-present space, fraudsters continued to turn to the anonymity of CNP commerce to monetize the stolen personal information. CNP fraud topped the list of global fraud concerns , while revenue lost to fraud continued to rise for CNP merchants . As the data obtained changed from credit card numbers to personal information and passwords, however, the type of fraud experienced by CNP merchants has also been evolving. While account takeover fraud made its first appearances over the past several years, 2015 was the year it flourished, making Account Takeover Fraud the New Black this year. Coffee giant Starbucks was one of the more prominent companies to suffer an ATO attack this year as fraudsters took over many of its customers’ accounts and drained the stored value.
New Ways to “Pay”
Though one report stated 9 out of 10 Consumers are “unlikely” to begin using digital wallets in next 12 months , this year was marked by the introduction of many wallets and a stunning lack of originality from the marketing departments tasked with naming them. Apple started the trend at the end of last year with the launch of Apple Pay . Device makers, retailers and banks followed suit, offering their customers new ways to tap credit and bank accounts. Samsung Pay , Android Pay and Walmart Pay were all born in 2015. Merchant-backed MCX finally began testing its CurrentC payment app and also entered a partnership with Chase, to be involved with its ChasePay wallet. While most of these payment methods are primarily designed for in-store purchases, many are also expanding to include CNP transactions. The adoption by consumers and merchants in 2016 will determine which of these payment methods will last.
The EMV Deadline Came…and Went
For at least two years, the CNP ramifications of the U.S. conversion to EMV have been examined in industry publications and conferences across the U.S. After watching several markets around the world convert to chip cards, U.S. e- and m-commerce companies feared an increase in payment fraud as criminals move from more difficult counterfeit fraud to relatively easier card-not-present fraud. However, the impending date of the liability shift (Oct. 1) came and went without much definitive to point to. In fact, some experts suggested the lack of EMV preparedness became an opportunity for CNP merchants .
So far in 2015, CNP fraud has not seemed to increase precipitously as a result of the U.S. conversion to EMV cards. But, there has been an impact to CNP commerce that was not anticipated by most. Online subscription companies began to see an increase in declines, including Netflix , who blamed the re-issuance of EMV cards for a decrease in sales in a quarterly report.
A Year of CNP Acquisitions
Growing e- and m-commerce sales have caused the ecosystem of companies that support CNP payments to grow rapidly, too. The biggest evidence of this growth is the billions of dollars spent on acquisitions of CNP payment, security and fraud providers this year. Dell acquired EMC for $67 Billion , Global Payments nabbed Heartland Payments for 4.3 billion and ACI bought PAY.ON for $200 million . Additionally, Mitek acquired IDChecker , TransUnion acquired Trustev and CVC Capital Partners took an $80 million stake in Kount . The acquisitions and investments in these providers in our industry signal an exciting and booming time in card-not-present commerce.
Paralleling the growth and expansion of the CNP Industry, CardNotPresent.com experienced rapid growth and was, itself an object of interest to possible acquiring companies. In November CardNotPresent.com was acquired by Reed Exhibitions . Reed, the largest trade show company in the world, and one with a respected publishing arm, will provide resources to enabling CardNotPresent.com and the CNP Expo to reach more merchants and technology providers than ever before. CEO Steve Casco and Editor-in-Chief DJ Murphy will continue in their current roles with CardNotPresent.com. It is Casco’s fourth successful exit from a startup and Murphy’s first.
Other Stories That Changed CNP in 2015
Data security continued to be a strong regulatory focus in 2015. This year, President Obama signed cybersecurity executive order urging more information sharing between financial institutions and merchants, which was recently passed by Congress. The European Parliament passed PSD2 , a payments directive including regulations on electronic payment security. The card brands, through the EMV Council, also made fraud prevention a priority by taking the reins of 3DS 2.0 .
Merchants continued to push back on interchange costs from payment card brands, in both the U.S. and European Union. While the Supreme Court declined to hear Durbin case , the European Parliament capped interchange for merchants.
Additionally, Visa brought Visa Europe back into the fold , combining both organizations into Visa, Inc. This change will mainly affect merchants and issuing banks processing payments in the European Union in 2016, though the impact is still to be determined.[/hide]