Digital Transactions Authoritative, insightful and timely information for payments professionals
Merchants and card issuers have been hearing for several years that the advent of EMV chip cards at the point of sale in the United States would drive fraud into card-not-present channels, and now evidence is emerging that this is happening with a vengeance, even with companies like airlines that don’t sell valuable hard goods.
Dallas-based Southwest Airlines Co., where 98% of some $22 billion in annual ticket sales takes place online, has seen its fraud loss jump fully 20% in the past year, according to Randy Gibbons, senior manager for payment strategies. He blames EMV, which causes criminals to seek out less-protected channels. “The reality is, there’s lots of fraud out there. We’re highly motivated because we own all the risk,” Gibbons told an audience of bankers and merchants at a trade show on Wednesday.
EMV began in earnest in the United States in October 2015, when a so-called liability shift ordained by the major card networks moved responsibility for counterfeit card fraud from issuers to merchants in cases where merchants were not prepared to accept chip cards. But, as Gibbons was quick to point out, merchants have always borne responsibility for fraud online.
Fraudsters attack airlines for a number of reasons. In some cases, they simply want to take a trip without paying for it. But in many, cases they resell the fraudulently purchased tickets to unsuspecting victims on markets like craigslist.org, using deep discounts as a lure, Gibbons said. In other cases, the bogus purchases are used to buy gift cards, which can then be resold, or to support global scourges such as human trafficking, he said.
While most legitimate passengers book their travel 30 days or so in advance, fraudsters are apt to buy within days of the flight in hopes of reducing the time the airline has to detect the fraud. Complicating matters further is that half of the customers who buy tickets aren’t the ones who will take the flight, Gibbons told the audience attending the final day of NACHA Payments in Austin, Texas. This happens, for example, in the case of corporate-booking facilities or where parents are sending a child to college.
Fraudsters are becoming increasingly methodical, using robotic routines online to continually test stolen card numbers, checking to see which ones will work, “We’re getting hit pretty hard every day,” Gibbons said. “Every 44 seconds I see a different transaction [from the same source].”
Gibbons tells Digital Transactions News the upward fraud trend is likely to continue for the foreseeable future. While there is no EMV for card-not-present transactions, a new version of a 15-year-old protocol called 3D Secure has emerged to authenticate online users. Gibbons, like many merchants, has bad memories of the original version of 3D Secure, which caused high rates of cart abandonment as it took users away from a merchant’s site temporarily to enter passwords. He also wondered how much data the new version will require merchants to share with issuers. “How much more data do we have to send, because this is our secret sauce, too,” he said during the conference session. There has to be a “happy trade-off,” he said.
Another technology Southwest is looking at, Gibbons says, is device fingerprinting, which takes account of the unique characteristics of the desktop or mobile device a buyer is using to help establish whether a transaction is genuine. But so far, he says, the airline is not ready to make any commitments.
