EMV puts card-not-present transactions at greater risk of fraud, study says
While the introduction of EMV payments has given brick-and-mortar stores an added level of protection against counterfeit transactions, it has put online retailers at an even greater risk of being targeted for fraud.
According to a report by Aite and RSA, fraudsters will not simply give up when their efforts are thwarted at physical shops. Instead, their energy will be funneled into the path of least resistance. With card-not-present (CNP) transactions becoming the new lowest-hanging fruit for fraudsters, U.S. online merchants should expect to see a massive spike in fraud, according to the report, which cites similar trends following the shift to EMV in Canada and the U.K.
"The data from Canada's EMV migration paints this picture clearly; counterfeit and lost/stolen fraud enjoyed a 54% decline from the inception of the migration in 2008 through 2013," reads the report, "while CNP saw a corresponding increase, jumping a whopping 133% over the same time period."
Counterfeit fraud enjoyed a 54% decline since the migration, while CNP jumped 133% over the same time period.
To head off this threat, merchants must be ready to take proactive measures to prevent CNP fraud, layering several strategies to offer the most effective protection. Here are some of the best techniques for fighting card-not-present fraud:
- Behavioral analytics: Behavioral analysis tools detect fraud by monitoring each user session and transaction to detect suspicious activities or patterns in Web browsing and checkout behavior. This detail-oriented strategy offers merchants an automated way to bring fraud protection all the way down to the transaction level. Because behavioral analytics tools can sometimes "detect" false positives, it is also important to include a step-up authentication process as part of the solution.
- 3-D Secure: 3-D Secure is a protocol designed to add an additional layer of authentication to CNP transactions. In addition to leveraging 3-D Secure's risk-mitigating technology, merchants who invoke 3-D Secure for CNP transactions pass the fraud liability on to the issuer, which further insulates merchants from the risk of fraud.
- Tokenization: While behavioral analytics solutions and 3-D Secure technology can help prevent fraudsters from making purchases with stolen or counterfeit cards, tokenization can help prevent them from stealing card data in the first place. Tokenization does this by removing the account number on the payment card from merchants' databases and replacing it with a string of letters and numbers that serve as a proxy for the true cardholder data. In CNP transactions, a process called issuer-driven tokenization is most useful. As a merchant sends a transaction to an issuer, the issuer returns a 16-digit numerical token that the merchant can store in place of the card number, protecting tokenizing issuers and their cardholders from merchant breaches. Not only can tokenization help make CNP transactions more secure, but it can also serve as a useful complement to EMV, which does nothing to encrypt card data after it enters the merchant system.