As EMV rolls out in stores, fraud heads online

Computer crime, credit card abuse.

gremlin/E+/Getty Images

Your card now has a chip, and an increasing number of stores are asking you to dip instead of swipe. Chip cards are harder to counterfeit, and their encryption capabilities mean breaches like the Target holiday breach of 2013 will become practically impossible.

That’s the good news.

The possibly bad news? Fraudsters aren’t going to die off – they’re going to adapt.

Fraud will move online

EMV chips grant protection only to in-store transactions (aka “card-present” purchases). Both the hard-to-clone chip and the end-to-end encryption, which scrambles payment data so it can’t be used by thieves, don’t work for online and over-the-phone (aka “card-not-present” purchases). Thieves will therefore follow the path of least resistance.

In other words, fraud may not decrease with EMV – it will likely just shift.

“Think of it as a balloon,” says Andrew Davies, vice president of financial and risk management solutions at financial-services technology firm Fiserv. “When one size is compressed, the other expands.”

Other countries that have adopted EMV (Canada, the U.K. and Australia, for example) have seen a recurring pattern: in-store fraud went down, online fraud went up. According to fall 2015 data presented by Fiserv in an American Banker webinar, online and in-store fraud were roughly neck-and-neck back in 2003 in the U.K. (which started rolling out EMV in 2002). By 2013, in-store fraud had indeed decreased, but online fraud skyrocketed:

uk fraud shift emv

A mass exodus of thieves to the online realm won’t happen overnight, says David Frick, co-founder and president of merchant payment-processing solutions company Transaction Resources, Inc. EMV migration in the U.S. will be gradual, and there are still plenty of brick-and-mortar merchants who haven’t upgraded. But merchants are increasingly getting on board, at which point thieves will jump ship to online fraud.

“The bad guys aren’t going to stop,” says Frick. “If the retail door is closed, they’re going to go to the e-commerce door, if it’s still not doing something to prevent them from using it.”

Should I worry about using my card online?

Thanks to zero-liability policies on most debit and credit cards, consumers have very little to worry about when it comes to losing money when a thief uses their card.

But consumers getting refunded for purchases leaves online merchants in a particularly vulnerable position. While consumers’ banks pay them back, the merchant often ends up having to foot that bill – in the form of a charge-back. Brick-and-mortar merchants have traditionally been more shielded from this risk. Thanks to policies put in place by the card networks (Visa, MasterCard, etc.), they can avoid charge-back liability by upgrading to EMV-capable card readers — and have always had some protection from charge-backs if they collect a signature for the purchase and authorize the card with the issuing bank. Online merchants, however, have always been liable for charge-backs – and don’t have the ability to use EMV card-readers.

“The [online] merchant is liable,” Frick says. “They’ve been liable all along, and they remain liable.”

How will online shopping change due to all this fraud?

Even though the consumer will likely be refunded for fraudulent charges, having card data stolen and used is a huge inconvenience. Fortunately, e-commerce merchants (who would also like to avoid the horde of thieves heading straight for them) have a variety of solutions at their disposal:

Hosted payment gateway

Impact on consumer: none

Merchants can use a hosted-payment server that tokenizes payment data. When the consumer hits “pay,” the payment server exchanges sensitive card info for a token, which it then passes to the merchant. If a merchant is hacked, the thief ends up with a useless key that doesn’t fit the lock, so to speak. Yes, payment servers can get hacked, but they generally have robust security in place, Frick says (much more robust than small e-commerce merchant would usually have).

The consumer should notice no difference.

“They wouldn’t even know it’s happening,” Frick says. “There’s a split second for the token to get married up with the data, and then off it goes. They shouldn’t notice anything different.”

3D Secure technology

Impact on consumer: An extra step in the payment process

This technology goes by the names of Verified by Visa, MasterCard SecureCode and American Express SafeKey in the U.S. E-commerce sites that have implemented it have arranged with these card networks to make the consumer go through an extra verification step in the payment process. Sometimes a window pops up asking you for your bank password. Other times, you might get a text from your bank with a code you need to key in (this is already common in some other countries, Frick says, but not in the U.S.)

This extra interference may leave customers annoyed or suspicious about the pop-up windows. But, in today’s world, managing fraud is a balancing act, Davies says.

“On the one hand we do not want to increase security to such a degree that it deters a consumer from making a purchase,” he says. “On the other hand we do not want to expose the consumer to risk if we make the experience insecure.”

As with EMV (which significantly slows down the purchase process in-store), the key is educating customers about the importance of additional measures, Davies says.

Fraud detection algorithms

Effect on consumer: Minor inconvenience if legitimate purchase is flagged

The payments industry (issuers and merchants alike) are constantly collecting and using data to detect suspicious patterns and block purchases accordingly. You’ve probably experienced it when a merchant blocks an expensive clothing purchase going to a state where you don’t live, Frick says. And you’ve experienced it when your issuer texts you to ask if you were really four states away buying train tickets.

With fraud moving online, sharpening this fraud-detection weapon is vital.

“Using behavioral analytics and predictive models to detect potential fraud and unusual customer behavior is critical,” Davies says.

More from our EMV anniversary package: Why a third of the largest retailers aren’t EMV-ready, EMV 1-year check-up: Is U.S. on track?

The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.

No comments yet.