It was only a decade ago that we lived in a 4G-less world – at an intersection of equal parts dial-up users and broadband users – that had just given birth to what would become the biggest online shopping day of the year: Cyber Monday. And now, in the year 2015 – a world in which almost two-thirds of Americans own smartphones – it only seems natural that the majority of people will do almost half of their holiday shopping online. To compare: in 2004, 38.3% of people purchased holiday items online, and last year – just 10 years later – that number rose to 56.0%.
The reason for the rise in number is obvious: purchasing items, not just holiday items, via the Internet is incredibly convenient. Not only do consumers not have to deal with the crowds at brick-and-mortar locations, but the abundance of free shipping deals means consumers get to save the gas money they would have spent travelling to various stores to complete their shopping.
While the migration of holiday shopping to the online environment is a great convenience for consumers, online transactions can ultimately end up hurting retailers’ bottom lines, especially now that retailers have to conduct business in an EMV-compliant era.
Just to give a quick overview of EMV for those who do not know much about this recent change in payment card policy: EMV is an organization that was founded in 1994 by Europay, MasterCard®, and Visa® – hence the acronym. It has since been joined by American Express®, JCB, Discover®, and UnionPay, and is now officially known as “EMVCo”.
The purpose of the EMV organization was to agree upon a new standard for payment cards – debit cards and credit cards – in an effort to improve security and ultimately reduce fraudulent activity. The standard which ultimately resulted from the EMV negotiations was the chip card.
The chip card uses a microprocessor chip, as the name implies. This microprocessor chip produces a unique code for every transaction. In contrast, the traditional magnetic stripe card has a static transaction code, meaning that the same number is used for every transaction.
This unique code means that fraudsters cannot produce new transactions (i.e., make any purchases) using information captured from a chip card during a transaction, because they would need a new code for each subsequent transaction. By contrast, under the non-chip card system, a fraudster who gets his hands on the static code from a traditional card could theoretically produce as many new transactions as he desires. In other words, it should be near-impossible to produce a fraudulent, working payment card under this new EMV standard.
The unique transaction codes produced by chip cards are the primary reason why they are considered more secure than traditional magnetic stripe cards.
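A simplified model of the difference described above, added here as an illustration and not taken from the original article or from the EMV specifications. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and `ChipCard`, `Issuer`, the key and the card identifier are constructed for the example.

```python
import hashlib
import hmac

def _mac(key, pan, atc, amount, nonce):
    # HMAC-SHA256 is a stand-in for the card's real cryptogram algorithm.
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    """Toy chip: the key stays on the card; a counter advances per transaction."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0
    def sign(self, amount, nonce):
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount, "nonce": nonce,
                "code": _mac(self._key, self.pan, self.atc, amount, nonce)}

class Issuer:
    def __init__(self):
        self.keys, self.last_atc, self.static = {}, {}, {}
    def enroll(self, pan, key, static_code):
        self.keys[pan], self.static[pan] = key, static_code
    def authorize_chip(self, t):
        key = self.keys.get(t["pan"])
        if key is None:
            return False
        expected = _mac(key, t["pan"], t["atc"], t["amount"], t["nonce"])
        if not hmac.compare_digest(expected, t["code"]):
            return False                      # forged or altered transaction
        if t["atc"] <= self.last_atc.get(t["pan"], 0):
            return False                      # code already used: replay
        self.last_atc[t["pan"]] = t["atc"]
        return True
    def authorize_stripe(self, pan, static_code):
        # Magnetic stripe: the same value is valid every time it is presented.
        return hmac.compare_digest(self.static.get(pan, ""), static_code)

def demo():
    issuer, pan, key = Issuer(), "PAN-0001", b"constructed-demo-key"  # constructed
    issuer.enroll(pan, key, static_code="123")
    card = ChipCard(pan, key)
    first = card.sign(2500, "nonce-a")
    return {
        "chip_first": issuer.authorize_chip(first),
        "chip_replay": issuer.authorize_chip(dict(first)),
        "chip_altered": issuer.authorize_chip({**first, "amount": 99900}),
        "chip_next": issuer.authorize_chip(card.sign(1000, "nonce-b")),
        "stripe_replay": issuer.authorize_stripe(pan, "123") and issuer.authorize_stripe(pan, "123"),
    }
```

A captured chip transaction is refused when presented a second time or with a changed amount, while the static stripe value is accepted on every presentation.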
In order to process these new chip cards, retailers (merchants) were given an October 1, 2015 deadline to upgrade the hardware and software of their point-of-sale systems or else they would be liable for the costs of fraud that arise from not being EMV-compliant. However, many merchants have yet to become EMV-compliant – even now, almost two months after the deadline has passed. According to data released by The Strawhecker Group, only 27% of merchants were EMV-compliant by October 1, 2015; they estimate that it will take until 2017 for at least 90% of merchants to be EMV-compliant.
It’s not hard to see why merchants have been reluctant to become EMV-compliant:
"Many small merchants were not ready. Depending on which study you believe, somewhere between 20% and 30% of merchants have purchased and deployed the EMV-capable point-of-sale terminals and software they will need to handle EMV chip cards...But most small stores and restaurants have not. New EMV equipment is expensive and sometimes difficult to implement, and many seem unaware of the dangers of not adapting."
- Payments Source
It is quite distressing that protecting businesses under the EMV standard is so cost-prohibitive that a great many (small) businesses are consciously choosing not to upgrade their POS systems, but that is perhaps not the most unfortunate aspect of EMV compliance.
As secure as the chip card may be, it does little to nothing to protect businesses, even those who have become EMV-compliant, from card-not-present fraud.
"While the banking industry maintains that the shift to EMV was driven by the weak security infrastructures of retailers, merchants are upset that they’ve had to foot the bill for updating their systems to read chip-enabled cards, which they say does not go far enough in protecting them and their customers against fraud."
Card-not-present transactions describe transactions that are conducted without physically presenting the payment card that is to be used. These types of transactions can be conducted over the phone or by fax, but the overwhelming majority of card-not-present transactions refer to using a payment card to make purchases through a website. It follows that card-not-present fraud describes fraudulent transactions that do not require the payment card to be physically presented.
Although the EMV standard has the ability to reduce fraudulent charges, it only has that ability at brick-and-mortar POS channels – where a customer has to physically produce the payment card with a functioning microprocessor chip. In the realm of the Internet, the security advantages of EMV fall by the wayside.
It is rather easy to see why the security features of EMV do not translate well in the online environment: anyone could use any payment card to make purchases online – all you need is the information on the card (you don’t need the unique transaction code generated by the chip) and the billing address; there is no need to prove your identity and the only indication that fraud has occurred is the charge that will appear on the victim’s next debit/credit card statement.
The inability of chip cards to authenticate online transactions wouldn’t be such an issue if it weren’t for the fact that card-not-present fraud has been rather quickly increasing year after year:
"Card-not-present fraud is increasing, and now outpaces card-present fraud in the U.S. by a ratio of 3:1 . . . In fact, one out of every 86 CNP transactions conducted between January 2015 and July 2015 was fraudulent, ACI finds, versus one out of every 114 CNP transactions conducted during the same period in 2014."
Countries that have already made the switch to the EMV standard can attest to this rise in e-commerce fraud:
"Many point to the U.K.’s experience in switching to EMV cards: online e-commerce fraud rose 79%. Other countries have experienced similar post-EMV effects."
- National Retail Federation
And it doesn’t help that the EMV transition arrived just in time to coincide with the busiest time of year for retailers: the holidays. As mentioned at the beginning, consumers are flocking to the Internet for their holiday purchases, a situation of which criminals are sure to take advantage.
"Fraudsters see the busy holiday shopping season as an easy opportunity to take advantage of a much larger pool of consumers, ranging from data hacks stealing card information from large retailers, to criminals targeting individual cardholders with online scams."
- Jennifer Kerry, Vice President, Credit Card Services for CO-OP Financial Services
Strengthening the security of POS transactions is undoubtedly a step in the right direction to lessening the amount of fraud that occurs. Indeed, payment card fraud is a $7.9 billion problem in the United States alone. However, as more and more transactions move online, it is equally, if not more, important to address the need for a new payment card standard for e-commerce transactions.
"As the United States transitions to EMV, POS fraud will grow less lucrative. Higher-security cards will make counterfeiting substantially more difficult, if not impossible. Additionally, any encrypted or tokenized payment information will make data gained from compromised terminals useless for future POS transactions. Criminals will focus on other areas including card-not-present (CNP) fraud, vulnerable merchants that have been slow to transition to EMV terminals and businesses that store Social Security Numbers that will be of significant value in committing new account and account takeover fraud."
- National Retail Federation
As Nick Holland, Senior Payment Analyst at Javelin Strategy & Research, eloquently states: “EMV is not a holistic solution to card fraud and therefore should be implemented in parallel with solutions that are designed to deal with where fraud is growing the most – online.”