A new retail credit card verification system that debuts Thursday may spell bad news for e-retailers, experts say.
Retailers can expect a doubling of online card fraud because criminals will turn to e-commerce to get around a tougher in-store card-payment system set to take effect Thursday, says consulting firm Aite Group.
The new standard for debit and credit card payments in stores uses cards with microprocessor chips rather than the decades-old magnetic stripe technology. Unlike magnetic-stripe card transactions, which typically track the card number and expiration date, every chip-embedded card creates a unique number that is sent with every transaction and validated by the issuer. The process makes it difficult for criminals to use data stolen during breaches or skimming attacks to perpetrate counterfeit card fraud, says Julie Conroy, research director for the retail banking and payments team at Aite Group. The standard is commonly called EMV, an acronym that stands for Europay, MasterCard and Visa, the companies that created it. Consumers must input a PIN with each transaction elsewhere in the world, but not in the U.S.
The more sophisticated in-store fraud protection system will prompt criminals to turn to online fraud, says Michael Reitblat, CEO and co-founder of Forter, a Tel Aviv, Israel-based company that provides e-commerce retailers technology that decides, in real time, if a transaction is legitimate.
“People who make their living by copying credit cards will no longer be able to do so or will find it significantly harder to do,” Reitblat says. “We already see chatter on the deepest, darkest parts of the Internet where the criminals are starting their own education and training on transitioning to online fraud.”
E-commerce fraud spiked in the United Kingdom, Australia, Brazil and Canada after those countries started using microchip cards that required personal identification numbers s) for authentication, according to Aite Group, a consulting firm focusing on the financial services industry. Online fraud is the U.S. is estimated at $3.4 billion a year.
The National Retail Federation criticizes the U.S. microchip card system for omitting the PIN security feature that the other countries required. By doing so, the U.S. system protects only the numbers on the front of a credit or debit card, and not the more fraud-prone cardholder’s signature on the back of the card, says Mallory Duncan, NRF’s senior vice president and general counsel.
The financial services industry, which supports the EMV card system, “has locked the front door and left the back door open for thieves to come in,” Duncan said during a news conference Tuesday.
However, Conroy says a PIN only addresses lost and stolen card fraud, which is a very small portion of fraud today, and issuers will continue to absorb the costs of such fraud.
Mark Horwedel, CEO of the Merchant Advisory Group, lobbyists for merchants and franchised businesses seeking tighter security for the card payments system, says some large retailers are paying to beef up their internal e-commerce security systems. He says that leaves smaller e-commerce retailers vulnerable because they don’t have the resources to pay for vendor technology to protect their systems.
Doug Johnson, senior vice president for payments and cyber-security policy for the American Bankers Association representing Visa, Mastercard and commercial banks, says banks and credit card issuers are working to advance e-commerce technology in order to thwart the predicted online fraud spike. He says pilot projects are under way for “tokenization,” in which online transactions can be protected with a unique authentication password or number.
Johnson says e-retailers remain liable for online fraud on their e-commerce networks under the new EMV standard. Banks and stores take on liability for fraudulent transactions, as well, if they fail to implement the new standard, Johnson says.
“If a bank decides not to deploy the EMV card, the bank maintains liability, and if a retailer makes the determination not to update its point-of-sale devices, they will pay for the fraud,” he says.