As the clock counts down to the October EMV liability shift,experts caution that a wave of card-not-present fraud is headed forthe United States – and the only question now is when it willhit.

EMV's long-standing pledge has been that it thwarts the use offake credit cards at the point of sale. And as has been the casefor other countries that have migrated to EMV, that kind of fraudhas indeed declined. However, much of those declines have beencountered by corresponding increases in card-not-present fraud.

Canh Tran, CEO of the Chicago-based fraud analytics firm Rippleshot, said that in Canada,card-present fraud fell by more than half after it moved to EMV,but card-not-present fraud more than doubled between 2008 and 2013,for example. In the United Kingdom, card-present fraud dropped by50% after chip-and-PIN arrived, but big increases incard-not-present fraud actually drove the overall rate up in theyears after conversion there.

He's not the only one bracing for a post-EMV fraud influx in theUnited States.

“We're the last G-20 country to implement [EMV] actually, and prettymuch in every instance, there has been a fairly significantincrease in online fraud,” Doug Parr, chief revenue officer for theOmaha, Neb.-based Prairie Cloudware, which markets a cloud-basedpayments service called Digital Payments Guardian, said. “I thinkit would be highly unlikely that we will be the country that breaksthis trend.”

There is one key difference between the United States andvirtually every other EMV country, however – it's not mandating theswitch. For the large number of merchants and card issuers that won't be ready intime, the idea that the feds won't be knocking on the door inOctober is generally a relief.

And, EMV's protracted implementation in the United States likelywon't speed up the shift to card-not-present fraud – though itprobably won't slow it down, either.

“I don't think it's going to be a tsunami,” CO-OP Director ofProduct Development Michelle Thornton said. “But what we don'tknow, of course, is how sophisticated the fraudsters can get andwhere they can find those holes quickest.”

“Criminals in the payments game, they're no longer just hackersin a basement somewhere with personal issues,” Prairie CloudwareChief Marketing Officer Mike Carter said. “It's just organizedcrime, and they understand how to find the soft spots.”

That's why, timing aside, card issuers are going to have toinvest more in authentication, encryption, tokenization andanything else that locks down data to prepare for the predictedrise in card-not-present fraud.

Online payment protocols such as 3D Secure are one example,according to Anthony Genovese, associate vice president of thepayment systems company Compass Plus. It allows issuers toauthenticate cardholders and stands as a third party betweenmerchants and customers, he explained. Close to three-quarters ofU.S. financial institutions can support the technology, but justover a quarter of them use it, he estimated.

“In Europe, the merchants use Verified by Visa or MasterCardsecure codes,” Ian Drysdale, executive vice president of sales andbusiness development at Elavon, a card processor whose website hasa giantclock counting down to the EMV deadline, added. “Long storyshort, they have to use a password to do a card-not-presenttransaction. That mitigates fraud in Europe. It's an option forissuers in the U.S., but it's largely not used. My understanding isthat the brands are moving toward using their wallets in the U.S.,which will be password protected, similar to how PayPal is passwordprotected.”

Adding features that let members control card use are alsooptions, Thornton said.

“CO-OP has a tool, and there probably are some other ones comingout on the market as well, where members can actually control howtheir card numbers are used online,” she explained. “So, as anexample, they can turn off online transactions. They just turn itback on when they want to use it, and then turn it back off.”

Credit unions could also make their mobile apps work harder to fight card-not-presentfraud.

“Consider the mobile channel as a more integral part of yourstrategy to combat fraud in general, but specificallycard-not-present fraud,” Parr said. “Why not use the mobile as avehicle, so text alerts go to your members when you see suspectactivity? You can even do a two-way message, where you push themessage to the member.”

Credit unions can also use their wallet technology, of whichtokenization is a common component, to fight card-not-presentfraud.

“As an issuer, if you're tokenizing things so that thosemerchants really never have the card data on their system, if thereis a breach, really the data that's been stolen there has limitedif any use,” Genovese said.

Parr added, “Issuers really need to get on this issue oftokenization, and the mobile wallet is a golden opportunity to do that. Here wehave essentially a greenfield opportunity as the payments worldmigrates to a mobile world to get the primary account number out ofthe equation by replacing it with a token.”

Many financial institutions, especially small ones, tend to beintimidated by digital wallets, Parr noted, but he said consortiumsand CUSOs such as CO-OP and CU24give him hope.

“It doesn't have to be rocket science, and I think that's a keypart of our equation,” he said. “We're trying to make this assimple as possible, make it an extension of existing mobile strategies, not some big bangevent to have a digital wallet. I also happen to think creditunions have a golden opportunity. They have the ability to bandtogether. Think about the shared branch concept. Why can't shared branch be extendedto shared wallet logic?”

Carter added, “The idea that the credit union could take controlof this we think is key. We really think it's a dangerous thing tolet someone else handle the payment relationships you have withyour member and how they use their money.”

They're all strategies worth considering, especially becauseafter October, card issuers surprised by card-not-present fraudlikely won't get much sympathy.

“If you look at fraud today, probably half of it today iscard-not-present,” Thornton warned. “So, it's not that people havebeen ignoring it. It's been there.”

“You have to remember, it didn't just start raining, right?”Carter added. “It's not like it's not going on now. I think[card-not-present fraud after EMV] will be more of a storm surge,but the storm's already active, and this will amplify it. I trustgreed in situations like this, and I also trust that nobody,particularly fraudsters, like to work harder than they have to. Andthis is a soft spot.”