How the EMV shift could impact online retailers

In every country that has migrated to chip-embedded EMV cards, instances of fraud shifted to the online channel, which holds considerably weaker authentication protocols.
Written by Natalie Gagliordi, Contributor

After the EMV migration rolls through the US this October, the payments industry expects to see a significant reduction of fraudulent activity within the card-present (CP) environment.

As it stands now in pre-EMV America, the most prevalent type of fraud results from counterfeit, lost or stolen magnetic-stripe based cards, which have become easy marks for hackers looking to break into retail POS systems. (See Target and Home Depot.)

But the EMV migration also carries with it a less promising expectation for card-not-present (CNP) transactions and the online purchase environment.

In every country that has migrated to chip-embedded EMV cards, instances of fraud didn't really go away, they just shifted somewhere else. Overwhelmingly, that somewhere else is the online channel, which holds considerably weaker authentication protocols.

"If fraud from card-present situations is harder to commit, we can safely assume that fraudsters will move to the online and mobile payment space and try to figure out where there are holes to exploit," said Tim Russo, fraud prevention team leader for ecommerce software provider Cleverbridge. "Online merchants with exploitable vulnerabilities will see an increase in fraud attacks and chargebacks."

There's not just logic to back up Russo's widely agreed upon assumption -- there are also statistics.

Data from the UK, France and Australia show CNP fraud accounting for a greater portion of overall fraud during and after each country's respective EMV migrations. In the UK, where the EMV liability shift occurred in 2005, CNP fraud increased almost 40 percent over a span of 10 years. In Australia, where EMV standards went into effect in 2008, CNP fraud climbed almost 20 percent in the first two years. Similarly, France saw CNP fraud increase just over 20 percent between 2007 and 2011.

However there is one important difference to how the US is handling EMV that could impact how the whole CP/CNP fraud scenario plays out.

"The US is not moving to EMV in the same way as the rest of the world -- they are moving to a choice between chip-and-signature, and chip-and-PIN -- with the former being the apparent preferred choice," said Seth Ruden, a senior fraud consultant at ACI Worldwide, a global banking and payments systems company. "This makes the picture potentially very different in terms of what happens next, because the US is keeping additional fraud prone channels on the table."

The difference between a chip-and-PIN card and a chip-and-signature card is pretty simple. The PIN iteration requires users to enter a four-digit Personal Identification Number that corresponds to information contained in a chip embedded in the card. Chip-and-signature differs in that users verify their identity with their signature, rather than a PIN. Therefore, the signature iteration is less secure than chip-and-PIN, but more so than magnetic-stripe cards.

There are varied perspectives as to why the US is opting for chip-and-signature instead of the more secure PIN-based EMV cards, but it mostly boils down to infrastructure. With chip-and-PIN credit cards, the PIN is essentially coded into the card's computer chip, so if someone forgets their PIN they must either visit their bank to have the PIN reset or go to an ATM. The latter option obviously requires an ATM that is capable of modifying a chip card, meaning that all of the ATMs in the US will need upgraded to give them that capability. And that is going to take some time.

What all of that adds up to is an annoying layer of uncertainty for the US fraud outlook following EMV, for both the CP and CNP environments. But as the cliché goes, the best defense is a good offense. No single security mechanism will protect against all possible fraud scenarios, so most experts recommend a systematic, multi-layered approach using a variety of tools that can work together in concert.

"It's safe to assume that we'll see an increase in attempts of card-not-present attacks," said Brad Brodigan, VP of omnichannel at PayPal. "So merchants need to utilize all of the technology available to them to decrease those chances."

For most online merchants, whatever payment processing technology they are using will likely contain out-of-the-box security and authentication protocols.

According to Brodigan, PayPal has developed complex end-to-end encryption to help protect consumers and merchants with their payment information -- a process he admits takes "a fair degree of effort."

Still, that doesn't absolve online merchants of all burden. The best approach is to stay informed of security best practices and to know exactly how a chosen processing provider is implementing them. Right now there are at least a dozen security options available for e-commerce transactions, such as tokenization and 3-D Secure. A helpful resource from the EMV Migration Forum explaining these technologies can be found here.

Read more on EMV:

Editorial standards