The notion that the belated U.S. conversion to the EMV chip standard will drive up e-commerce fraud was fresh wisdom several years ago, when EMV was but a glimmer in the payments industry’s eye. Then, with repeated airings, it became a commonplace. And now, with the point-of-sale liability shift having passed, it’s achieved the status of cliché. Indeed, its triteness doesn’t prevent pundits from repeating it at any of the multitude of industry conferences.
The logic behind the notion is inescapable. The EMV chip card protects against counterfeit (and sometimes lost-and-stolen) fraud at the physical point of sale. Frustrated, criminals will simply shift to card-not-present channels, the notion goes.
What’s interesting is that a surge in online fraud attempts is already happening, even though the U.S. market is far from having completed its conversion to EMV.
In fact, the numbers are rather dramatic. Between January and July, one in 86 online transactions was an attempted fraud, compared to one in 114 for the same period a year earlier, according to a study released last month by ACI Worldwide Inc., a Naples, Fla.-based vendor of transaction-processing and fraud-detection software. That’s a 33% jump in fraud attempts in one year.
Other numbers from the study are just as sobering. Indeed, the rate of attempts measured by transaction value has also risen 33%, ACI says. Especially prone to fraud are pathways such as e-gift card downloads (fraud rate: 9.55%), next-day/overnight purchases (6.57%), international purchases (2.38%), and buy online/pick up in the store (2.15%). The last avenue is vulnerable because, before releasing the merchandise, store clerks don’t ask customers to swipe the card they used online, ACI says.
Now, the study included both European and U.S. retailers. And the study doesn’t say how much of the attempted fraud turned into real fraud. Also, the sharp rise in attempted fraud can be as much due to the secular increase in e-commerce traffic as to the arrival of EMV to secure the point of sale.
But the direction is clear. There’s no point in continuing in prophecies of impending doom in online commerce. The fraud has already arrived.
What to do? One remedy—not sure-fire, but helpful—is relatively simple: strengthen account passwords. Another study, released last month by an identity-management company called Dashlane, found that 20 of 25 major U.S. retailers had weak online password rules. In some cases, passwords like “123456” or “letmein” were acceptable. Mixes of numbers and capital and lower-case letters weren’t required.
Longer term, stronger online authentication technologies will be needed. EMVCo, the company behind the EMV standard, is working on one such system. It can’t come soon enough.
—John Stewart, Editor, john@digitaltransactions.net