June 23, 2015
By D.J. Murphy, Editor-in-Chief, CardNotPresent.com
The scenario facing U.S. card-not-present merchants is the result of impeccable logic. As the payment card system evolved, first in the U.S. and then around the world, fraud naturally followed. That fraud took many forms but perhaps the most lucrative was accessing the increasingly voluminous mountains of illegally obtained account information (courtesy of those data breaches you might have heard something about), using that information to produce easily duplicated counterfeit magstripe cards and walking into stores to buy products with the fake cards that could quickly be sold for cash.
In nation after nation, however, that road to quick cash was closed to criminals with the introduction of the EMV standard and chip & PIN transactions at the point of sale. Replacing the magnetic stripe on the card with a chip made counterfeiting them nearly impossible. Logic, however, does not dictate that the criminals leveraging that particular scam close up shop and live out their lives as law-abiding citizens. They simply took the information they already had access to (from the aforementioned breaches) and applied it in the next-easiest way. Between the time EMV technology was conceived and the time it was implemented—first in the U.K. and Europe, then around the world—a new opportunity emerged for criminals to put stolen payment card information to productive use: e-commerce. And EMV does not account for fraud perpetrated via e-commerce—or any other card-not-present channel.
There was one place left in the world, however, where counterfeiting cards was possible long after it was severely curtailed everywhere else: the United States.
This fall, after a decade of resistance by merchants and issuers that would face the increased costs associated with upgrading POS systems and manufacturing chip cards, EMV implementation in the U.S. reaches its most important milestone: liability for card-present fraud will shift from issuing banks to merchants, if the merchants are not equipped to handle EMV transactions.
What Now?
For several years, experts in card-not-present fraud, outlets like CardNotPresent.com and, to a lesser extent, the payments industry in general, have been urging merchants to look at what has transpired in other countries and prepare themselves for what logic says is coming: a significant surge in card-not-present fraud transactions.
But what exactly is in store for U.S. merchants? The short, unsatisfying answer is, it’s not clear. In just about every market where EMV was introduced to curtail counterfeit fraud, it has been a smashing success. In the U.K., fraud losses from counterfeit credit cards dropped from a high of nearly £128 million ($199 million) in 2004 when the EMV rollout began (the liability shift was in 2006) to £47.8 million ($74.4 million) last year, according to the UK Cards Association.
Most of Europe quickly followed the U.K. by implementing EMV. In fact, globally as of the end of 2014, Europe has the highest percentage of EMV cards in circulation (more than 83 percent of all cards) and the highest percentage of EMV-compliant transactions (nearly 97 percent of all card transactions). The U.K., because its EMV implementation happened so long ago and its credit-card penetration is so high, is seen as the best test case for what may happen in the U.S. after the liability shift in October. There, while card-present fraud was plummeting, card-not-present fraud was seeing the same trend in reverse. In 2004, CNP fraud losses totaled nearly £151 million ($239 million). Those losses climbed to more than £183 million ($285 million) a year later and peaked in 2008, two years after the liability shift, at £328.4 million ($510 million).
The evidence seemed fairly clear: fraudsters, as they always do, were changing their tactics when confronted by a shifting defense. The pattern was repeated all over Europe and other geographies like Canada and Latin America.
EMV Really to Blame?
But, does the logic hold? Not everyone is convinced that EMV is the only, or even the primary, culprit sending CNP fraud losses into the stratosphere. Many believe it is simply the growth of e-commerce that has contributed most heavily to the increase around the world in CNP fraud. Looking at the U.K. and other countries that migrated to EMV a decade ago, the argument has merit. The years 2004 to 2008 showed explosive growth in e-commerce sales around the world and CNP fraud in the U.K. followed this trend. The 2008 peak in CNP fraud also coincided with the start of a global financial crisis that saw e-commerce sales (and all retail sales) suffer for several years. And the CNP fraud losses in 2009 through 2011 fell along with sales.
Interestingly, one expert who subscribes to this theory lives in a country where the evidence does point to EMV.
“In my view, it’s more to do with the huge volume of new transactions coming online,” says Chris Hamilton, CEO of the Australian Payments Clearing Association. “Merchants are offering that facility and getting used to the new risk environment they’re working in as they offer that facility. While I think EMV is a factor—that fraud has become much harder to execute in the face-to-face environment because of chipping—I wouldn’t have thought that was the main cause.”
Australia’s EMV liability shift occurred in 2013. Despite rising e-commerce figures from 2011 to 2013 in the country (from $22.86 billion in 2011 to $26.66 billion in 2013, according to eMarketer), the APCA’s own numbers show CNP fraud losses holding steady around $200 million per year in those three years before skyrocketing to around $300 million in 2014.
So, can EMV definitively be shown to cause the spike most countries experienced in CNP fraud? No, but the data does point in that direction and merchants that aren’t at least prepared for a surge in online fraud could be burying their heads in the sand.
What to do?
While the liability shift offers a milestone for the U.S. conversion to EMV, it has been a process that has taken years in other countries and will continue for many years in the States. It could be some time before the expected surge in CNP fraud comes to fruition. For U.S. merchants that want to be proactive, a plethora of effective antifraud tools are available that were not available to U.K. merchants in the mid-2000s. Antifraud providers, acquirers, card networks and others all offer services merchants can leverage to protect themselves. Fully implementing new tools, however, can take time. With the liability shift only months away, merchants that want to add protection should start evaluating their options immediately.
One such option, which has enjoyed a spotty reception in the U.S. but has been mandated by the card networks in many countries that experienced a post-EMV CNP fraud increase, is 3D Secure (an additional layer of security for online transactions that asks users to input a password in addition to their account password to complete a transaction). While merchants are leery of 3D Secure because many think the extra impediment to completing a transaction negatively affects conversion rates, it was one technique that U.K. merchants used to retake some ground from fraudsters from 2008 to 2011, when CNP fraud losses fell from their 2008 high.
In addition to antifraud tools and 3D Secure, and as mobile devices begin to account for an increasing number of online transactions, many companies are looking at better ways to authenticate users. Dynamic passwords, tokenization and biometrics are some of the techniques organizations like the FIDO Alliance are hoping to standardize for stronger authentication and less CNP fraud. Merchants leveraging mobile also can begin looking at solutions that integrate these technologies.
While any CNP fraud increase likely will affect U.S. merchants primarily, some experts believe that since the U.S. was the last bastion for counterfeit fraud, it’s logical to expect the coming shift to CNP fraud will spill over to other countries—a frustrating form of double jeopardy for markets that already have weathered their initial CNP fraud surge.
Andrew Churchill, a cybercrime and security consultant who has advised the U.K. government on fraud issues, points out that organized crime is international and well-funded. When the U.S. finally closes off the ability to commit counterfeit fraud, which has been an incredibly lucrative opportunity for them, the heat on CNP channels, which has been rising anyway, will get turned way up.
“The moment the U.S. goes EMV, I don’t think it’s going to be the fraud moving online just in the U.S.,” says Churchill, currently the secretary of a U.K.-based industry consortium that, like FIDO, is working on standards for stronger online authentication. “I think the research dollars of the organized criminal fraternity will pile into online attacks with such gusto that the entire world is going to be swamped with new sophisticated variants of CNP fraud.”
Churchill compares the threat of CNP fraud to the bear in the old adage: “I don’t have to run faster than the bear, I just have to run faster than you.” “At the moment,” he says, “God bless America, because you’re running slower than the Europeans. But, you’re about to get a new pair of running boots.”
Next week in this space, look for Part 2 of our three-part series on how retailers are coping with new security requirements promulgated by PCI SSC. Part 3 of our series on EMV returns on July 20, with a look at EMV and how it relates to tokenization.
Read EMV Part 4: Take it From Me