U.S. e-retailers could face more risk of payment fraud in the coming years thanks to the transition from magnetic-stripe cards to those with chips, as is already the case in much of the world. But the good news is there’s time to prepare.
Consumers across the United States might already be seeing workers at restaurants, bars and similar places bringing card payment terminals to tables instead of having servers disappear to back areas with cards to process transactions. Those businesses are responding to the ongoing shift to EMV chip-and-pin payments. EMV stands for Europay, MasterCard, Visa, the three payment card companies that developed a standard for the use of chips in payment cards in the 1990s.
European banks adopted EMV cards about a decade ago, and Canada made the move more recently. U.S. banks and retailers resisted the move because of the cost of moving their cards, payment terminals and processing systems away from magnetic stripe technology. But security breaches have increased the pressure to go to EMV; those breaches include significant data thefts within the past year at Target Corp. and other retailers. In those cases, criminals inserted software that stole credit and debit card numbers from store point-of-sale terminals or computer networks. With EMV, the data transmitted between card and terminal is encrypted so that it would be of no use to anyone who steals it.
In October 2015, the payment card networks plan to shift liability for fraudulent transactions to the party to a transaction that has failed to deploy EMV technology, whether the card issuer or the merchant. That is intended to pressure both card issuers and merchants to make the investments necessary to move to chip card technology. According to a recent report from Javelin Strategy & Research, 29% of U.S. credit cards—166 million—will have EMV chips by the end of 2015, along with 17%—105 million—of the debit cards in circulation. “Issuers are only just beginning to move to mainstream EMV card issuance beyond high-worth and international-traveler-focused cards,” Javelin says. It adds that “it will take until the end of 2018 for EMV card ubiquity” in the United States.
So what does this mean for e-commerce operators in the United States? Well, with in-store transactions presumably safer as more consumers use EMV cards, criminals will likely increase their efforts at targeting presumably less secure online retailers.
That’s been the case in countries that earlier went to EMV. Take Australia, which migrated to EMV in 2008. According to the Australia Payments Clearing Association, card-not-present fraud increased from about 50% of the country’s total card fraud in 2006 to nearly 75% in 2010. In the United Kingdom—it adopted EMV in 2001 but its liability shift did not take effect until 2005—card-not-present fraud increased from about 55% in 2007 to about 65% in 2012, according to the UK Card Association. EMV “has increased fraudulent behavior online,” says Peter Osberg, senior vice president at EVO Snap, a division of payments services provider EVO Payments International.
Among the tips he has for e-retailers to prepare for the shift to EMV are these:
• Analyze all aspects of storing and processing payment card data, even if done by a vendor. “Take it beyond PCI,” he says. PCI refers to the Payment Card Industry Data Security Standards—a set of rules created by payment card networks for securing consumer payment account data.
• Consider 3-D secure credit card verification—a tool that has cardholders tie their credit cards to an online password that they must enter at checkout. 40% of European retailers rate 3-D secure credit card verification among the three most effective anti-fraud tools, as opposed to 18% in United States, according to the Merchant Risk Council (MRC) Europe and CyberSource, a fraud-prevention service provider that is part of Visa Inc. Visa and MasterCard have offered incentives to European retailers to deploy these systems.
• Also consider use of “tokens” for payment processing. Tokens use encrypted code that represents a consumer’s credit card account number rather than using the actual number. Such a process can help defeat hackers because stealing the scrambled data of the token would not allow them to commit fraud.