This October, the much-discussed Payment Networks’ EVM Liability shift with EuroPay, MasterCard, and Visa (EMV) is due to take effect in the US. What does this mean for online merchants who don’t have a brick-and-mortar presence? It could result in higher costs due to increased fraudulent purchase attempts. However, taking preemptive measures can save you and your company a pretty penny in the long run.
“The Liability Shift”
The October 1 2015, date denotes what is commonly called, “the liability shift.” After this date, when credit card fraud takes place, liability for the costs falls on the entity using the lesser technology. In 2015, the liability for credit card fraud in the US is estimated to total more than $15 billion.
After the shift occurs, if a merchant is still using the swipe and signature method, and the customer has a “smart card” (a credit card with the EMV chip technology in it) then the merchant is liable. If the merchant is using the chip and PIN technology which will become the new standard for the terminals, but the bank hasn’t upgraded to the smart card chip, then the bank is liable. However, this technology is only denoted to be used by brick-and-mortar merchants, this increase in physical security has no effect on CNP transactions.
How The Liability Shift Affects Online Merchants
Now, you might be thinking that, “I don’t have a retail store, so I won’t have to worry about this effecting my business, since all of my transactions take place online or via mobile.” Well, it is true, that the liability shift does not effect online merchants, you won’t have to worry about having a card reader that can utilize the new security features. But, this also now makes online purchases the path of least resistance for counterfeit purchases and credit card fraud. In a study conducted in 2014, CNP (card not present) fraud made up 45% of total US card fraud.
EMV will not result in the elimination of counterfeit fraud, nor will EMV spell an end to database breaches; it will merely force criminals to adjust their tactics and targets. In Canada, when they performed the EMV shift, counterfeit and lost/stolen fraud had a 54% decline from 2008 to 2013, while CNP saw a corresponding increase, jumping 133% over the same period.
Canada, wasn’t alone in this jump. In the UK, CNP fraud rose by 79% when they performed the liability shift back in 2005. Development of more sophisticated fraud analytics by issuers and merchants and an increase in use of 3-D secure technology (explained below) has helped to rein in CNP fraud, soft targets such as call centers has caused this form of fraud to start rise again.
The good news is that there are a wide variety of solutions available to secure the CNP environment; as with any type of fraud prevention, no single point solution will suffice. Instead, merchants should take a layered approach to their defenses. Here are a few different security tactics that you can use to secure your data further.
Behavioral analytics are a key technology for merchants seeking to bring their fraud-mitigation technologies down to the transaction level. Behavioral analysis tools detect fraud by monitoring the user session and transactions to detect suspicious activities and patterns associated with possibly counterfeit cards. However, as with any tool, you do have a certain level of false positives. To minimize the level of false positives, it is good to have a stepped-up authentication process that includes the end user.
Tokenization is a great compliment to EMV; it essentially picks up where EMV leaves off in the card security process. EMV secures the communication between the card and the POS terminal, but does nothing to encrypt the data, between the merchant and the issuer. This is where Tokenization takes over and replaces the card data with a secure token.
Tokenization removies the account number on the payment card from merchants’ databases and replaces it with a string of letters and numbers that serve as a proxy for the true cardholder data. Which can be used by the merchant to facilitate settlement, recurring payment, chargebacks, etc., but is useless to criminals if the merchant’s system is compromised.
Finally, there is the 3-D secure protocol which adds an additional layer of authentication in CNP transactions. You know these as Verified by Visa, MasterCard SecureCode, and AMEX SafeKey. One of the key value driver for this level of security is that when they use 3-D Secure, for CNP transactions, the fraud liability shifts to the issuer, even if the issuer doesn’t have the corresponding Access Control Server infrastructure to support a 3-D Secure request.
Card fraud is rapidly escalating at POS and in CNP channels. The arrival of EMV will certainly help stamp out counterfeit fraud, but the experiences of other countries shows that the arrival of EMV will do nothing to stop database breaches, and CNP fraud will rise precipitously unless preventative measures are taking preemptively. With the clock quickly ticking away to the October 2015 liability shift. Merchants should begin to implement the above security methods to guard themselves from this incoming rise in attacks once the shift happens.