Payment Card Roll Call: “Not Present” fraud likely to increase as EMV takes hold
No retailer wants to become the next Target (pun intended). Payment card fraud costs businesses and consumers billions of dollars every year. What’s even more frightening, many of the breaches in the news are the result of innocent participants inadvertently granting access to the bad guys. The Target breach in 2013 exposed the data of 110 million payment cards. Hackers got into the network using perfectly good credentials of the HVAC company. Sometimes password security just isn’t enough, which might bring in to question the security of all those SaaS subscriptions and online shopping sites folks use these days.
EMV chip technology, the standard around the world which has just recently become a standard in the United States, has done a lot to stem the tide of credit card fraud in other countries. As it was implemented in various countries, guess where it pushed the fraudsters? Where the anti-fraud technology wasn’t, of course! The United States was among the laggards in requiring EMV chip technology for payment cards, opening the door for bad guys and turning the US into a veritable haven for credit card fraud, “accounting for nearly 50% of global fraud losses, according to the Nilson Report”.
EMV chip (or chip and pin) technology will go a long way to prevent credit card fraud for businesses accepting payment cards… in-person and counterfeit card fraud, anyway. Online retail, on the other hand, not so much. A chip on the card doesn’t really help when the transaction is completed with the card not present (CNP). Some industry analysts suggest that CNP fraud losses will exceed $6 billion within the next few years, making e-commerce and online payment security a high stakes game for even the smallest of retailers. As it gets more difficult to hack the payment system when the card is presented, bad guys will fall back in even greater numbers to the card-not-present model to find their victims.
Online retailers and service providers must take additional steps to secure their systems and protect customers and business partners, and face the challenge with the understanding that effort must be ongoing as new threats emerge. Tokenization is a prime method of layering the system with security, making the merchant system somewhat less of a worthy target by not storing the card data in the system. Even if the system becomes compromised, the bad guys wouldn’t find customer payment card information. There are numerous other steps a business can take to secure the CNP sales, including applying behavioral analytics which might identify rogue activities, or using 3D Secure to authenticate a cardholder’s identity at the time of purchase. The point is that CNP fraud is likely to spike as EMV technology takes a firm hold in the US.
Card fraud is already escalating rapidly for ecommerce retailers and other card not present channels – it didn’t take EMV to start on that roll but it will surely give it a push. Paperless payment systems, SaaS subscription services and online application service usage are increasing dramatically and there’s no chip to get in the way of these transactions. Sellers of any and every service utilizing online payments need to now pay particular attention to system and information security. The risk has always been there, and EMV chips and other shifts in pay card technology simply give it a push.
 Chipping away at Credit Card Fraud with EMV; Information Week Tech Digest powered by Dark Reading, Nov 2015; NilsonReport http://www.nilsonreport.com/publication_newsletter_archive_issue.php?issue=1071