Preventing Card-Not-Present Fraud Migration
As EMV chip migration is implemented for U.S., card-present transactions, fraud will “shift to other types of card payments with weaker authentication protocols,” according to a new EMV Migration Forum white paper.
The white paper, “Near-Term Solutions to Address the Growing Threat of Card-Not-Present Fraud,” based its conclusion on historical precedence in other countries evolving to EMV. As EMV secures face-to-face or card present transaction card-not-present payments—Internet, mail order and telephone order—sometimes referred to as IMOTO become a weak link in the defenses against transaction fraud.
For example, the move to EMV payments in the U.K. left IMOTO authentication unchanged. IMOTO fraud grew rapidly from the start of EMV deployment in 2003 until it peaked in 2008. Beginning in 2008, IMOTO fraud declined for several years as merchants implemented more secure authentication protocols for Internet transactions and as magnetic stripe-only locations in continental Europe decreased. Data from the U.K., France and Australia2 show that CNP fraud also became a larger portion of overall fraud during and after their EMV chip conversions.
“As the U.S. migrates to EMV chip technology, it’s important that the payments industry makes a concerted effort to protect against the redirection of fraud from in-store to the card-not-present channel,” Randy Vanderhoof, EMV Migration Forum director said. “No single security mechanism can protect against all possible fraud scenarios. Instead, the best practice to protect against card-not-present fraud is to use a systematic, multi-layered approach using tools that work together to create a successful fraud reduction program.”
Techniques and best practices discussed in the white paper to secure the CNP channel include,
- Authentication methods: Device authentication; one-time passwords; randomized PIN pads and biometrics;
- Fraud tools: Proprietary and transactional data used for fraud analysis and risk management, and validation services;
- 3-D Secure: Messaging protocol that enables real-time cardholder authentication during an online transaction; and,
- Tokenization: A technique, which replaces card data with surrogate values (i.e., “tokens”) that are unusable by outsiders and have no value outside of a specific merchant or acceptance channel.
Meanwhile, a report issued recently by analyst firm Mercator also suggested that the change to chip cards might not diminish fraud, but just push criminals towards different fraud.
“Unless the payment industry tackles other growing concerns like lost and stolen card fraud, overall fraud losses will continue to spiral up toward pre-EMV levels,” the report said.
While EMV migration efforts in the U.S. are taking place, fewer than one in 10 credit cards in circulation were EMV-equipped as of mid-January, according to a survey of 20 issuers conducted by the Auriemma Consulting Group. While this number is expected to increase throughout 2015 — issuers are targeting 50 to 60% penetration by October — projections are tied to large-scale advances in merchant acceptance that have yet to occur.