June 25, 2015
By Karisse Hendrick, Editor-at-Large, CardNotPresent.com
Previously in this series, we explored the reasons for implementing EMV chip-enabled cards in the U.S. market, the possible effect on CNP fraud and how tokenization and encryption technology can improve card security in the CNP environment if CNP fraud does surge. In this final article, various players in the card-not-present ecosystem from merchants to the card brands share their thoughts and predictions on what EMV will mean for the card-not-present environment. Will the U.S. experience the increases in CNP fraud other countries did? Or, are U.S. companies using more advanced fraud-prevention strategies than companies in other markets were when they made this shift? And most importantly, what should CNP merchants do now to prepare for a possible increase in fraud?
EMV and CNP Fraud: Cause and Effect?
While it’s a fact that CNP fraud surged in Europe and other markets after EMV was implemented, not everyone believes the causal link is firmly established.
“The EMV launch in Europe coincided with a rapid increase in CNP volume as a whole,” says Jamon Whitehead, senior manager of risk and payment operations at Backcountry.com. “Existing merchants were moving to the Web, pure-play merchants were launching straight to the Web and customers were migrating from an in-store to an at-home shopping experience. At the same time, criminals were realizing that perpetrating CNP fraud was easier, safer and more anonymous than in-store/counterfeit fraud could ever hope to be.”
An additional factor that came into play during the EMV conversion in the U.K. and in other markets was [hide for=”!logged”] that merchants were not as equipped from a technological perspective to identify and prevent CNP fraud as many are today.
“Merchants’ ability to identify CNP fraud in 2006 was also somewhat limited by technology,” Whitehead continues. “We have seen a massive increase in third-party solution providers as well as highly sophisticated home grown solutions designed to outsort, flag, tag and outright reject orders that would have otherwise shipped years ago. This has resulted in an arms race of sorts with the best armed and trained merchants often forcing fraudsters to move along to merchants who are less prepared to deal with increasingly sophisticated attacks.”
Tim Sherwin, executive vice president and co-founder of CardinalCommerce agrees that larger merchants are doing a better job than ever identifying fraud threats and preventing fraudulent transactions. But, he cautions that not all companies are ready for the probable increase in fraudulent attempts.
“This is especially true if you are a small-to-medium sized business that has not yet invested in a fraud prevention strategy,” says Sherwin. “Larger merchants are more educated about fraud prevention, interchange optimization and which tools to employ, though smaller companies are still catching up. If a fraudster tries to make a purchase with a stolen credit card at a large e-retailer and it’s canceled, they won’t just give up. Instead, they’ll go to a smaller retailer who carries the same product, but may not be as up-to-date with their fraud strategy and rules.”
As a merchant who has built fraud-prevention processes to meet changing fraud landscapes, Whitehead echoes Sherwin’s sentiment.
“Merchants in this category should take a serious inventory of existing vulnerabilities and attempt to fill gaps as best they can in a short period of time,” he says. “My fear is that these merchants may not even be aware of the possible negative impact.”
As the landscape continues to shift, fraud will continue to be pushed to the path of least resistance, and that isn’t always merchants who don’t have a fraud strategy at all. Liron Damri, co-founder and COO of antifraud technology provider Forter says that merchants need to continue to be vigilant and informed of the latest fraud trends and tools available to prevent high losses due to fraud costs.
“Fraud prevention is not an area where you can afford to ‘set and forget.’ New methods and technologies are being developed all the time, and you can’t rely on what worked a year or two ago,” Damri says. “For example, fraud rules and scores are giving way to automated decision services leveraging machine learning and big data in addition to human experience. Retailers should have regular review periods in their calendars to test new technologies and services to evaluate whether their fraud prevention solution is giving them everything they need.”
Consider New (and Improved) Tools
One technology that many governments have mandated for CNP channels in the wake of high fraud rates post-EMV conversion is 3DSecure. 3DSecure authenticates consumers using information from the card issuer. Sometimes this means the consumer is required to enter an additional password during checkout, which many merchants feel negatively affects conversion, but most authentication can now be done with little to no impact to the consumer. And, as Jane Khodos, vice president and business leader at MasterCard, explains, the 3DSecure process has greatly evolved due to lessons learned in the U.K.’s post-EMV environment.
“In the U.K., consumers were originally asked to use passwords to authenticate themselves when making online purchases,” Khodos says. “This greatly reduced fraud; however it also presented challenges for consumers, merchants and banks as consumer struggled with ‘password fatigue.’ The market then implemented a more layered approach, checking device information, behavioral patterns, geolocation and occasional use of one-time passwords. This low-friction, high-insight approach successfully reduced fraud while providing consumers with a more seamless checkout experience.”
In addition to 3DSecure and enhanced consumer authentication, major card brands have invested in multiple layers of security and fraud prevention, for all channels of card processing. Both Visa and MasterCard have announced tokenization solutions. Khodos says MasterCard will start testing the service with selected merchants this year and is planning for widespread availability in 2016.
Visa agrees that tokenization is one way that the card brands can assist CNP merchants in preventing fraud, and in increasing security.
“Tokenization, is one of the most innovative and promising technologies for fighting fraud in the digital card world,” says Mark Nelsen, senior vice president of Risk Products and Business Intelligence at Visa.
While consumer authentication and tokenization are tools that Visa and MasterCard have worked on together, each individual card brand has various initiatives to decrease fraud in all channels. Specifically for card-not-present environments, Nelsen says, “we continue to invest in predictive analytics and risk monitoring to identify and prevent fraud from happening in real-time. For every transaction Visa processes, our systems evaluate up to 500 different data elements to protect against fraud, including the transaction history of an account, recent breach notifications, and global fraud trends.”
“MasterCard is also helping the banks and merchants accurately identify who the consumer is, before and during the transaction,” says Khodos. “We have new services that allow the banks, wallets and merchants to work together to enroll consumers in digital programs and securely store their data. We are also launching low-friction services that allow consumers to verify themselves with biometrics when they are making an online purchase. There has been a lot of recent focus on the pilots with the “selfie”-based solution and early results are very encouraging.”
CNP Fraud on the Rise
Regardless of whether EMV is solely to blame, all experts agree that CNP fraud attempts will be on the rise in the next three years. As Al Pascual, director of Fraud and Security at Javelin Strategy & Research explains, “without the widespread adoption of new CNP fraud-mitigation technologies, we expect CNP fraud to grow to $19 billion by 2018. EMV is not the primary driver as CNP fraud was already trending in that direction, growing in tandem with legitimate transaction activity (which is consistent with other markets where EMV was deployed). While U.S. merchants and issuers have gotten better at detecting and preventing CNP fraud over the past decade, the rate of improvement has largely flat lined.”
For CNP merchants, the true cause of a predicted increase in fraud is not as important as the need to plan and prepare for it. For merchants of all sizes, being aware that the increase is coming is the first step in creating a strategy that can protect a business from an increase in lost revenue. Working together with the card brands and issuers on authentication, enrolling in tokenization when it becomes available, creating a fraud strategy utilizing the right combination of tools and continually staying informed of new fraud tactics are all ways to prevent any residual fraud from card-present markets from impacting your business. While we may never be able to truly end the epidemic of credit card fraud, as Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.”