There’s little question that the shift to chip-based cards will lead card-not-present fraud rates to rise—CyberSource Corp. says the current U.S. e-commerce fraud rate is 0.9%—the only unknown is when. That’s because many payments experts expect the shift to chip-based cards to be rocky; only 59% of U.S. point-of-sale locations will be chip-capable by the end of the year, according to a February Aite Group LLC report. But even if it takes a while for the remaining 41% of stores to have chip-capable systems in place, the transition is coming. To prepare, online retailers can learn from the experiences abroad.
For instance, U.K. card-not-present fraud costs jumped 79% between 2005, which is when it shifted fraud liability to the party using the least secure technology, and 2008, when fraud peaked. Research and advisory firm Aite Group similarly expects U.S. card-not-present fraud costs, which grew more than 33% between 2011 and 2013 to continue to rise. By 2018, it expects such losses will reach $6.4 billion, more than three times the $2.1 billion in losses reported in 2011. That’s far greater than the 126.7% growth rate between U.S. Commerce Department-reported e-commerce sales in 2011, which totaled $194.3 billion, and research firm eMarketer Inc.’s forecast of $440.4 billion for 2018.
“There’s going to be nowhere else for fraudsters to go but online,” says Sean Curran, a director in consultancy West Monroe Partners’ Technology Infrastructure & Operations practice. “That’s where they’ll go. Online retailers have to be ready.”
Technology can help online merchants fight back. U.K. card-not-present fraud losses started to dip in 2009 because more merchants and issuers began using sophisticated tools that let merchants determine a shopper’s true identity, says Julie Conroy, research director for Aite Group’s retail banking practice. Retailers like Dave Klein, owner of motorcycle gear and accessories multichannel retailer MxMegastore, hope that those types of technologies—he uses tools from Eye4Fraud—will help him avoid some of the mistakes U.K. e-retailers initially made.
MxMegastore put Eye4Fraud’s technology in place last June after being hit hard by online fraud in December 2013 when the retailer had about two dozen incidents that a month later resulted in chargebacks. The criminals had bought several pieces of casual apparel and they entered shipping and billing addresses that matched. Klein didn’t suspect anything until he was hit with the chargebacks.
The incidents were a wakeup call, he says. But since he began using Eye4Fraud technology, he has only had a “handful” of incidents that resulted in chargebacks. The technology uses security tools like device fingerprinting, which uses data to identify individual PCs, phones or tablets to verify a shopper’s identity, and proxy piercing, which uses signals to determine the geographic location of the shopper’s IP address. While Klein expects an uptick in the number of criminals who attempt to run cards on his site, he’s confident the controls he has in place will stop most of them.
“We see criminals try to use fraudulent cards on our site every day,” he says. His site is vulnerable because the type of casual apparel and biker accessories he carries is “easily sellable” on eBay and other sites, he says. But in the past year, he has erected barriers to help prevent crime. For instance, if a shopper tries to place an order more than three times, the site freezes him out. Such moves have largely succeeded, which is why he says he isn’t concerned about more attempts. “Our systems are working,” Klein says.
Click here to read more about how retailers can prepare for the EMV liability shift in the March issue of Internet Retailer.