Preventing consumer e-commerce fraud in the age of EMV

Image credit: iStockphoto/Ismailciydem

After years of lagging behind many other developed nations, the US market is rolling out EMV technology. While the transition is still in process, and has in many cases been a bumpy, road to adoption, it will go a long way towards tackling some of the most common types of fraud. Keep in mind, the US market had the most cards to re-issue and the most POS devices to replace, it was a costly initiative, but in the long run, can save substantial costs associated with fraud.

Where it is prevalent, EMV has proven to be a highly effective method of preventing card-present/counterfeit card fraud. Being able to enter a card into a POS reader makes it much harder to create a counterfeit plastic from credentials stolen by swiping a magnetic strip.

According to figures from Mastercard, in the first year following the merchant liability shift in October 2015, counterfeit fraud costs at retailers who had either completed or were close to completing EMV transitions dropped by more than half (54 percent).

The shift to e-commerce CNP fraud

Of course, criminals are not likely to give up just because their preferred method of committing fraud is thwarted. Instead, they will look to find channels where it is easier to succeed – and when EMV makes card-present fraud more difficult, attention will naturally shift to e-commerce card-not-present (CNP) fraud.

This is a tempting target for criminals because it often involves fewer verification processes. With the right information, such as a card number, 3-digit secure code, expiry date, and billing address – which can often be found relatively easily by determined fraudsters through hacking attacks, phishing attempts and social engineering methods – it can be a relatively straightforward process to commit e-commerce fraud.

Lessons from elsewhere in the world show how fraud patterns change in the wake of EMV. In the UK, for example, where chip-and-PIN cards have been commonplace for over a decade, figures from Financial Fraud Action UK show CNP fraud losses have been rising steadily since 2011, reaching a record high of £432.3 million in 2016. Of this, online fraud against UK-based retailers hit £189.4 million, a rise of 20 percent on the previous year.

Similar stories are seen frequently where EMV migrations have taken place. A report earlier this year from the US Payments Forum found that in Australia, for instance, the rate of CNP fraud has increased in line with greater EMV adoption. In 2009, CNP fraud accounted for 52 percent of total card fraud in the country, but this had risen to 77 percent in 2014. It is a similar story in Canada, where CNP has increased from 48 percent of fraud in 2010 to 76 percent in 2015.

While there may be a range of reasons for this shift, such as the overall growth in ecommerce and more card details being compromised in hacking or phishing attacks providing a fertile environment for fraudsters, the impact of EMV is clear.

Experian also reported increases in e-commerce fraud across EMV-enabled countries including the UK, France, Australia, and Canada, with the firm noting: “We suspect that the EMV liability switch and increased adoption by merchants of chip-and-pin enabled terminals have had a profound impact on driving up e-commerce attacks.”

Stemming the flow

So what lessons can card providers take from the experiences seen elsewhere to ensure that they don’t witness similar increases in e-commerce CNP fraud?

User education needs to play a key role in any strategy. Frequently reminding customers of basic security practices such as not revealing their full security details and checking to ensure emails or phone calls they receive are genuinely from who they claim to be need to be ongoing activities to make sure the message sinks in.

Support for efforts such as two-factor authentication should also be high on the agenda. For instance, 3-D Secure tools such as Verified by Visa that require consumers to enter characters from a second password, or solutions that send consumers a one-time passcode to their phone, which they have to enter to confirm the transaction, are effective ways of cutting CNP fraud. These ensure people need more than just card details to complete a purchase – though they must be implemented carefully so as to not inconvenience or frustrate legitimate users.

Banks in the US may also have another advantage in that the fraud detection solutions that are now available have come on hugely since earlier EMV shifts took place elsewhere in the world. Tools such as behavioral analytics have become increasingly powerful, allowing banks to flag up suspicious transactions in real-time and request additional verification from the user before allowing it to proceed.

As criminals focus more closely on the e-commerce channel as a target for fraud, being able to identify such transactions before they are completed will be essential. And remember, in the US, the EMV chip is part of the card, however, requiring a corresponding PIN is not a requirement at this time.

Written by Dena Hamilton

Dena Hamilton

Dena is NCR’s Director of Enterprise Fraud & Security Software Solutions. She specializes in fraud, risk, compliance and security, with over 35 years of experience in the financial services space. Her focus is the development and deployment of enterprise financial crime solutions optimized in prevention, detection and back office efficiency.

Read more articles from Dena Hamilton
Our privacy policy has been updated. Click here to see the updates.