Unintended But Predictable
The U.S. arrival of EMV virtually ensures criminals will step up attacks on card-not-present channels, which EMV doesn’t protect. So what is the industry doing to defend itself?
Just about everywhere that Europay-MasterCard-Visa (EMV) chip cards have replaced magnetic-stripe payment cards, greatly strengthening the shield protecting brick-and-mortar merchants from counterfeit card fraud, fraudsters have turned their attention to the more vulnerable card-not-present (CNP) channel.
Card-industry executives and researchers expect that pattern to repeat itself in the United States—the last major bastion of the mag stripe—as the nation finally embarks on its EMV conversion.
In Canada, which began converting to EMV cards in 2008, CNP fraud more than doubled from C$128.4 million at the start of the conversion to C$299.4 million in 2013, according to Canadian Bankers Association figures cited in a June report by Aite Group LLC.
In the United Kingdom, a pioneering chip card country where the EMV conversion began about a decade ago, CNP fraud, already bigger than lost/stolen card fraud and counterfeit fraud, increased 64% between 2005 and 2013 while the other two forms of fraud declined, the report says. Australia’s CNP fraud also jumped when the country migrated to chip cards.
“The international experiences would suggest the fraud is going to migrate,” says Carolyn Balfany, senior vice president of product-EMV at MasterCard Inc.
Adds Karisse Hendrick, program manager, Americas, at the Merchant Risk Council, a Seattle-based e-commerce trade group: “There’s kind of a tsunami coming.”
Thus, it’s no surprise that American card executives are piling up digital sandbags to stave off an expected flood of online fraud.
CNP fraud currently accounts for about 45% of all U.S. card fraud, according to Aite. But it already is on the uptick in the U.S. even though chip cards currently account for only a low-single-digit percentage of a market with more than 1 billion payment cards.
And a major EMV deadline that will shift liability for counterfeit point-of-sale transactions to the non-EMV-capable party—merchant or card issuer—is still 13 months out.
The Aite report, “EMV Lessons Learned and the U.S. Outlook,” estimates CNP fraud losses were $2.1 billion in 2011, the year Visa Inc. got the EMV ball rolling in America by unveiling the first network plan for a migration. This year CNP fraud will total $2.9 billion and by 2018 it will more than double to $6.4 billion, Aite predicts.
“That is very much in line with the changes we’ve seen in other geographies,” says Julie Conroy, research director at Boston-based Aite.
Fraudsters often buy credit and debit card numbers in underground forums that sell information stolen in data breaches, Conroy says. There’s been a lot to choose from given the steady stream of data breaches at Target Corp. and other retailers in just the past year. The Target hack alone compromised 40 million card numbers.
After getting stolen data, fraudsters start shopping at inadequately defended e-commerce sites. “We’re going to see the full force of that data focused on CNP channels,” says Conroy.
‘A Soft Spot’
CNP fraud encompasses more than online shopping. In the 1980s and up to the mid-1990s it mostly meant fraud on mail and telephone orders. But then the commercial Internet burst upon the scene, and e-commerce has boomed ever since.
In 2014’s first quarter, online volume totaled $71.2 billion, up 15% from a year earlier, and it accounted for 6.2% of all retail sales, according to the U.S. Census Bureau.
No surprise here. The fraudsters are migrating to the Web, where payment by card is most common, and they’re being shooed away from the point of sale by chip cards.
“EMV is going to push a lot of people to find a soft spot,” says Patrick Davie, vice president of card risk solutions at bank processor Fiserv Inc. Brookfield, Wis.-based Fiserv provides processing services for about 3,000 financial institutions, about 1,000 of which use Fiserv’s Risk Office for fraud monitoring and mitigation.
That soft spot remains e-commerce, which doesn’t require a physical card. The card networks have always considered CNP transactions riskier than face-to-face sales and have forced merchants to pay higher interchange rates to compensate.
Looked at alone, fraudulent transaction counts would justify that stance: a CNP credit card transaction is nearly three times riskier than its face-to-face equivalent, according to the Federal Reserve’s 2013 Payments Study.
By value of the average fraud loss, however, card-present signature-debit card sales lead the pack, the Fed’s data show. That statistic provides some justification for converting to EMV, but merchants complain that, despite the fraud risk, issuers prefer signature debit cards because of their higher interchange rates than PIN-debit cards, which are much less fraud-prone at the point of sale than signature debit. (PIN debit remains a minor force in e-commerce payments despite the efforts of some debit networks and tech companies.)
Over the past 20 years, the card industry has gotten better at controlling CNP fraud through the implementation of technologies that identify the buyer’s computer and location, and instantly pull up data about a card’s transaction velocity and related important factors. A “layered approach” deploying numerous digital weapons and tactics is needed, says the MRC’s Hendrick.
“Having just one solution is not going to do it,” she says.
Dallas-based Chase Paymentech, a leading e-commerce acquirer, has a range of CNP risk-control services, says Marc Massar, senior vice president of enterprise product, Emerging Solutions. A full-featured service has 240 parameters, but many merchants elect for something less than that.
“I think that for most merchants that use these, they’re looking at a confidence level,” Massar says. “They want 75% assurance, 80% assurance.”
But merchants, ever fearful that one more step in the online-checkout process means lost sales, may not use all the risk-control tools they have available.
For example, some e-commerce merchants don’t always ask the cardholder to type in the three-digit (four on American Express cards) security code printed on the card. Often called the Card Verification Value 2, or CVV2, presentation of the code is not a guarantee that the legitimate cardholder is the buyer, but a transaction lacking it is less likely to be approved because such codes are not encoded in the mag stripe.
Conversely, a fraudster who has a card’s CVV2 can go on a virtual shopping spree, at least for a while. “If they got CVV2, they’ve got the keys to the kingdom,” says Aite’s Conroy.
Two of the best-known technologies in CNP fraud prevention are 3-D Secure and tokenization.
3-D Secure dates back about a dozen years and is offered under such names as Verified by Visa, MasterCard SecureCode, American Express SafeKey, and others. Visa Inc. owns the intellectual property and licenses it to other networks. Issuers liked 3-D Secure because it required consumers to register and enter a password, making it easy for them to authenticate their cardholders during subsequent purchases.
But many e-commerce merchants snubbed the service because of the impediments it put in the way of the checkout process. A pop-up window took the consumer from the merchant’s site for verification with the issuer before returning the buyer to the online store.
“It was very password-based, very static-based,” says Bob Reany, group head of authentication and product development at MasterCard, who notes that the more sophisticated e-commerce merchants measure customer drop-offs during the checkout process in milliseconds. “It just kind of sat there for 10 of those 12 years.”
Mike Keresman, chief executive of CardinalCommerce Corp., the leading U.S. vendor of 3-D Secure services for merchants, says “3-D Secure historically has been a one-size-shoe fits all.”
‘More Merchant-Friendly’
In the past 18 months or so, however, the networks and tech companies such as CardinalCommerce have been modifying and supplementing 3-D Secure with more checks and data on both the merchant and issuer sides to make its use easier for consumers and more palatable for merchants.
Pop-up windows are being replaced with in-line images that don’t give the consumer the impression he’s left the merchant site. And much more is going on behind the scenes, with the authentication systems drawing on data about the cardholder’s previous purchases and other relevant data.
Merchants, in fact, may feel comfortable enough with the data they now get about a repeat customer that they may decide they can safely bypass presenting the consumer with the authentication screen.
“We’ve made it much more merchant-friendly,” says Reany. “It’s up to the merchants’ tolerance for risk.”
Visa is making similar improvements to Verified by Visa. Its early iterations struggled “mostly because of the friction that occurred,” says Mark Nelsen, vice president of risk products and business intelligence.
Nowadays, however, in the vast majority of low-risk transactions, no consumer prompting occurs, he says. “We’ve had very good response by the issuing community,” Nelsen says. “As a result, we’re seeing merchants deploy 3-D Secure now.”
Keresman of CardinalCommerce says the improvements in 3-D Secure derive from the idea of issuers not forcing full-blown authentication for every transaction. That’s possible, he says, because of “a combination of private-sector [data] suppliers getting smarter about what they’re supplying, and the networks getting smarter.”
The improved technology is coupled with network incentives that can lower a merchant’s e-commerce acceptance costs by 15 to 20 basis points, Keresman says.
Neither Visa nor MasterCard would say how many of their U.S. merchants use 3-D Secure. But the coming of EMV could further boost the service. It’s already happened in such countries as the United Kingdom and Brazil.
“You’ve seen much stronger adoption of 3-D Secure when those markets went to chip,” says Nelsen.
Like 3-D Secure, tokenization, which replaces critical card information with random data strings that are useless to fraudsters, also has been around for a while. But tokens are about to become a whole lot bigger in payment-card risk control as technology for generating and distributing them advances, and as mobile payments gain ground.
“This is brand-new territory,” says Chase Paymentech’s Massar, adding that an emerging tokenization standard “is going to drive a lot of change in the industry; we’re just not sure what.”
But with tokenization is coming a fight for control.
Last October, Visa, MasterCard, and American Express proposed a framework for a global tokenization standard. Overseeing the specification would be EMVCo, the card-network-owned standards body that governs the EMV chip standard. The Clearing House Payments Co. LLC, which is owned by 22 financial institutions, also said it is exploring a tokenization scheme.
While not opposed to tokenization, retail trade groups in July issued a call for an open and universal tokenization standard. Similarly, the Secure Remote Payments Council (SRPc), whose members include large U.S. debit networks, issued a plea for an open approach to tokenization.
“Standards must be open, enabling all to compete equally,” a SRPc press release stated.
Merchant groups want payment-industry companies to create a technology-neutral platform for tokenization that is part of recognized standards bodies, such as the International Organization for Standardization and the American National Standards Institute.
“The merchant community is concerned about the migration of important technical standards regarding payments from an open, standardized environment to one that is exclusively controlled by the prominent payment brands,” says Mark A. Horwedel, chief executive of the Merchant Advisory Group, a trade association.
Already, he says, two major pieces of payments security—the EMV chip card standard and the PCI Security Standards Council—are controlled by the card brands.
Visa’s Nelsen, however, says EMVCo has advisory groups that enable merchants to provide input as the standard evolves. “I think there’s just lack of understanding of the process,” he says. “EMVCo is a very well-respected international standards body. There absolutely is a forum for all stakeholders to participate.”
The tokenization flap is likely to continue for some time as the specifications develop. Tokenization aside, acquirers and issuers are betting that CNP fraud will continue to grow as point-of-sale fraud becomes more difficult.
“I virtually guarantee it, because the fraudsters will go to the path of least resistance,” says e-commerce payments consultant Todd Ablowitz, president of Centennial, Colo.-based Double Diamond Group.