Payment Card Roll Call: “Not Present” fraud likely to increase as EMV takes hold
No retailer wants to become the next Target (pun intended). Payment card fraud costs businesses and consumers billions of dollars every year. What’s even more frightening, many of the breaches in the news are the result of innocent participants inadvertently granting access to the bad guys. The Target breach in 2013 exposed the data of 110 million payment cards. Hackers got into the network using perfectly good credentials of the HVAC company. Sometimes password security just isn’t enough, which might bring in to question the security of all those SaaS subscriptions and online shopping sites folks use these days.
EMV chip technology, the standard around the world which has just recently become a standard in the United States, has done a lot to stem the tide of credit card fraud in other countries. As it was implemented in various countries, guess where it pushed the fraudsters? Where the anti-fraud technology wasn’t, of course! The United States was among the laggards in requiring EMV chip technology for payment cards, opening the door for bad guys and turning the US into a veritable haven for credit card fraud, “accounting for nearly 50% of global fraud losses, according to the Nilson Report[1]”.
EMV chip (or chip and pin) technology will go a long way to prevent credit card fraud for businesses accepting payment cards… in-person and counterfeit card fraud, anyway. Online retail, on the other hand, not so much. A chip on the card doesn’t really help when the transaction is completed with the card not present (CNP). Some industry analysts suggest that CNP fraud losses will exceed $6 billion within the next few years, making e-commerce and online payment security a high stakes game for even the smallest of retailers. As it gets more difficult to hack the payment system when the card is presented, bad guys will fall back in even greater numbers to the card-not-present model to find their victims.
Online retailers and service providers must take additional steps to secure their systems and protect customers and business partners, and face the challenge with the understanding that effort must be ongoing as new threats emerge. Tokenization is a prime method of layering the system with security, making the merchant system somewhat less of a worthy target by not storing the card data in the system. Even if the system becomes compromised, the bad guys wouldn’t find customer payment card information. There are numerous other steps a business can take to secure the CNP sales, including applying behavioral analytics which might identify rogue activities, or using 3D Secure to authenticate a cardholder’s identity at the time of purchase. The point is that CNP fraud is likely to spike as EMV technology takes a firm hold in the US.
Card fraud is already escalating rapidly for ecommerce retailers and other card not present channels – it didn’t take EMV to start on that roll but it will surely give it a push. Paperless payment systems, SaaS subscription services and online application service usage are increasing dramatically and there’s no chip to get in the way of these transactions. Sellers of any and every service utilizing online payments need to now pay particular attention to system and information security. The risk has always been there, and EMV chips and other shifts in pay card technology simply give it a push.
Make Sense?
J
[1] Chipping away at Credit Card Fraud with EMV; Information Week Tech Digest powered by Dark Reading, Nov 2015; NilsonReport http://www.nilsonreport.com/publication_newsletter_archive_issue.php?issue=1071
There is ‘big change a comin’ for retailers, merchants and any business that accepts credit cards for payments, and there are a great many businesses that are completely unprepared for it. The change, what is being referred to as the “
I’m a little concerned, and any professional in accounting and finance who works with small businesses should be just a little concerned, too. Why? Because there is a belief out there that some nifty software and Internet Of Things (IoT) approach to finance will ultimately eliminate the need for a small business to work with skilled, trained accounting professionals. Remember the marketing slogan introduced by Intuit with QuickBooks – the one that suggested that, “if you can write a check, you can do your own books”? Most accountants will tell you that it is not true, and the ability to operate a product like QuickBooks does not magically turn poor accounting and bookkeeping information into good business data. In fact, it most frequently enables 
Make Sense?
One company earns what the other company spends. This is business, and it seems like it would be pretty straightforward, accounting for the money coming in and the money going out. But it is really not that simple when it comes to business finances and accounting for revenue. With investor pressure to improve share prices and market pressures forcing greater competition, businesses have always sought out ways to make the performance look as good as possible – on paper even if not in reality. It is this requirement to make the business look better than it may actually be that drives “innovation” in financial reporting, and encourages some companies to use whatever rules are available to mislead investors or paint a rosy picture for stakeholders. When the balance is lost and financial reporting standards become so oblique as to allow regular and gross misrepresentation, it is time to change the standards.
Cooper Mann Consulting 
