Online Fraud Will Rise, But Don’t Blame EMV

With a critical deadline arriving in less than a year, it has become a common observation about the U.S. conversion to the Europay-MasterCard-Visa (EMV) chip card standard that transaction fraud prevented by EMV will simply move into e-commerce channels.

Now, a new report from Javelin Strategy & Research argues e-commerce fraud will indeed soar—but not because of EMV.

Instead, fraud will rise—and rise alarmingly—in card-not-present transactions because volume in that channel, which allows consumers to shop on both mobile devices and PCs, is expected to grow dramatically, says the report, entitled “Fixing CNP Fraud: Solutions for a Pre- and Post-EMV U.S. Market.”

Currently, online transactions in the U.S. account for just 8.5% of total U.S. electronic-transaction volume. Yet, this channel already generates a whopping 49% of all transaction fraud, according to Pleasanton, Calif.-based Javelin.

With online volume expected to grow to more than 10% of overall traffic over the next three years, Javelin predicts e-commerce fraud will only explode as a percentage of overall activity.

“The increase in dollar volume will likely be matched by increased dollar losses from CNP fraud even before EMV assimilation across the U.S.,” the report forecasts.

With this prediction, Javelin departs from what has more or less become conventional wisdom in the payments business: the idea that EMV will drive up CNP fraud by forcing criminals into the online channel.

The U.S. payments market moved in fits and starts toward EMV until about a year ago, when the discovery by Target Corp. that the massive retail chain had sustained a proportionally massive data breach forced the card networks’ hand just as they seemed to be on the point of extending previously established EMV-compliance deadlines.

Stung by negative publicity about the Target breach and a rash of other data compromises, the networks made it plain they weren’t backing off on the deadlines.

One key deadline arrives next October, when merchants will assume liability for counterfeit card transactions if they’re not equipped to accept EMV transactions.

That has experts predicting that frustrated fraudsters will merely move from the point of sale, where EMV is expected to dramatically cut down on counterfeit fraud, to the online channel, where EMV has no effect.

But Javelin argues online fraud must be considered as a separate phenomenon, apart from EMV. Indeed, the report argues online fraud “as a whole will rise in spite of EMV, not because of it.”

In this sense, the report says, online or CNP fraud will increase whether EMV is implemented in the U.S. or not. Far from blaming EMV, the report praises its effectiveness. “EMV is a net positive for the payments industry,” Javelin says, because of its likely effect on POS crime.

Indeed, in the U.K. which completed a two-year conversion to EMV in early 2006, POS fraud as a proportion of overall transaction fraud fell from 31% in 2005 to 13% last year.

So a booming e-commerce market will drive up U.S. CNP fraud, not a wholesale change in criminal behavior with the arrival of EMV, the report argues.

This will be a huge problem, nonetheless. U.S. CNP card fraud will balloon to four times POS fraud by 2018, compared to a multiple of 1.7 this year, Javelin forecasts. In dollar terms, that’s $18.4 billion in CNP fraud losses, more than double the toll in 2013, the report points out.

To combat this expected online fraud boom, Javelin advises issuers, merchants, and acquirers to investigate—and quickly adopt—a mix of technologies, including authentication and analytical tools that help ensure online buyers are who they say they are and that help identify dodgy behavior online.

Players should also use encryption and tokenization to fight CNP fraud, especially in the face of static card data “for the foreseeable future,” advises the report.

—John Stewart