Oct. 1, 2015 brought with it a major shift in the credit card industry. On this date, almost all major credit card issuers’ policies changed with respect to liability.
Prior to this change, credit card issuers were responsible for fraudulent transactions, but now merchants bear the liability for fraudulent transactions when magnetic credit card stripes are swiped at a card reader that is not EMV-chip enabled. The card companies implementing these policy changes include Accel, American Express, China UnionPay, Discover, MasterCard, NYCE Payments Network, SHAZAM Network, Star Network, and Visa.
As a result of these widespread changes, new EMV chip cards have been arriving in mailboxes across the United States over the last few months, and retailers around the country have been following suit by implementing EMV chip-readers.
EMV-Chip Cards: The Pros and Cons
The question for many businesses and consumers is what purpose the cards serve and what type of fraud they are meant to protect against. EMV-chip cards are widely used in other countries, and their recent implementation in the U.S. is expected to prevent fraud by creating a unique authorization code each time the card is used, rather than using the same code for each transaction.
But consumers and businesses should be wary because EMV-chip cards do not prevent all types of credit card fraud, or even the majority of fraud.
The main advantage of EMV-chip cards is to counteract the approximately 30 to 40 percent of credit card fraud committed in-person, but this new technology would not protect against fraudulent online transactions or transactions made over the phone where a card is not present.
According to the research company Aite Group, “card not present” fraud accounted for approximately 45 percent of U.S. credit card fraud in 2014.
When EMV-chip cards are used in person, the chip creates a one-time transaction code to be used in that sale alone. The EMV chip’s ability to generate a new authorization code each time is said to prevent the re-use of account information exposed in a subsequent data breach, thwarting fraudsters from duplicating magnetic stripes and card numbers to use for their own purposes.
Security experts believe it will be challenging, if not impossible, to create counterfeit EMV chip cards because after one use, the account code is essentially worthless.
In contrast, a consumer making an online or over-the-phone purchase is only required to provide a credit card number, and sometimes the security code on the back of the card. During these purchases, no EMV chip is read to create an authorization code, and so the chip security does not apply. This gap leaves online transactions ripe for abuse.
It appears evident, and experts agree, that once one type of fraud is eliminated, fraudsters will seek out other avenues to commit fraud. As of now, the most likely avenue for fraud appears to be Internet fraud.
Other countries that have switched to EMV cards have also seen fraud increase in “card not present” transactions. According to the Aite Group, after implementation of EMV chip cards in the United Kingdom, “card not present” fraud increased by 79 percent in the first three years. In Australia and Canada, fraud increased more than 100 percent following implementation of these cards.
An increase in fraud in the United States would only add to the already high percentage of online credit card fraud that occurs here.
In 2015, retailers lost more than 1 percent of their revenue to fraud; that’s more than twice the rate from previous years. The increase in online sales coupled with the changeover to EMV credit cards is likely only to increase these numbers in the years to come.
To make sure they do not fall victim to what appears to be an inevitable increase in “card not present” fraud, companies should look to adjust their online security practices.
Companies with high-dollar sales should be particularly wary, as they will likely be the first targeted by online fraudsters. Over the next few years, it is likely that banks and card companies will increase security in the cards themselves to combat fraud, but there are some current practices online businesses can use to increase verification and prevent exploitation.
Many retailers currently require cardholders to provide the card verification value (CVV) or the security code on the back of credit cards. While this practice increases security, fraudsters can overcome this hurdle if they obtain the security codes through phishing attacks or malware.
Phishing attacks are often in the form of e-mails sent to consumers that appear to be from reputable companies, including banking institutions, asking for account information or security codes. If consumers are tricked into providing this information, their security codes become useless.
Additionally, if enterprising fraudsters are able to install malware on a consumer’s computer, tablet, smartphone, or even an unsecured consumer website, they can record the victim’s personal credit card information. While the use of security codes is a start, they clearly are not sufficient protection from online fraud.
Ways to Prevent Online Fraud
One way to combat online fraud is to implement additional authentication methods, such as device authentication, a one-time password, PIN-enabled debit or credit cards, or biometric factors.
Device authentication verifies the user by examining the type of device (computer, tablet, smartphone, etc.), the IP address, and/or the operating system. Generally, this is done only the first time a device is used for payment, and the device is automatically identified on future uses.
Another form of authentication is a one-time password sent to users via text message, e-mail, or the use of tokens. These one-time passwords can be time-limited to prevent re-use outside the time limit, and they prevent fraud by requiring another piece of information to make a transaction.
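As an added illustration that is not part of the original article, the sketch below shows how a merchant's server might enforce the time limit and the single use of such a password. The class name, the five-minute window, the three-guess limit and the in-memory storage are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window (5 minutes)
MAX_ATTEMPTS = 3        # assumed number of wrong guesses allowed per code


class OneTimePasswordStore:
    """Hypothetical store: one time-limited, single-use code per transaction."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side key; codes are kept only as keyed hashes
        self._pending = {}                   # transaction_id -> [digest, expires_at, attempts_left]

    def _digest(self, transaction_id, code):
        msg = f"{transaction_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, transaction_id):
        """Create a 6-digit code bound to one transaction, for delivery by text or e-mail."""
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[transaction_id] = [self._digest(transaction_id, code), expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, transaction_id, code):
        """Return True once, and only inside the time limit."""
        entry = self._pending.get(transaction_id)
        if entry is None:
            return False                       # never issued, already used, or locked out
        if self._clock() > entry[1]:
            del self._pending[transaction_id]  # outside the time limit
            return False
        if hmac.compare_digest(entry[0], self._digest(transaction_id, code)):
            del self._pending[transaction_id]  # single use: a replayed code fails
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[transaction_id]  # too many wrong guesses: force a new code
        return False
```

Binding the code to a transaction identifier means a password captured for one purchase cannot be replayed against another.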
PIN-enabled debit or credit cards allow users to enter a PIN tied to their credit card.
When using these PIN-cards, a keypad appears on the user’s screen. Using a mouse or some other device, the user will click on the keypad, and the keypad stores the coordinates where the user clicks.
The actual number is not stored by the keypad, and the coordinates are encrypted prior to storage. Again, the use of a separate PIN provides another method to verify the identities of users.
Finally, another layer of security can be added through the use of biometrics. With biometric authentication, personal information can be used to verify the identity of the user, such as facial, voice, or fingerprint recognition.
Biometric information is very sensitive, so any businesses using biometrics for identification purposes should ensure their storage methods are secure.
Other techniques for combatting credit card fraud include behavioral analytics, tokenization, and 3-D Secure.
Many consumers are familiar with the use of behavioral analytics in banking, where irregular expenses are flagged or accounts are put on hold until it can be confirmed that the card use was by the owner of the account. Behavioral analysis tools are also available for online retailers, who can monitor suspicious patterns of behavior or activities during shopping or checkout.
While there may be concerns regarding false positives, these tools can alert online retailers to suspicious behaviors and potentially require increased authentication by the user.
Tokenization is also a useful tool for online businesses: like an EMV-chip card, it uses a different data stream than the actual account number. Tokenization substitutes the account number on a consumer’s credit card and in the retailer’s database with a string of letters and numbers.
This string serves as a proxy for the actual card information. If the token database is hacked, this information is useless to fraudsters attempting to reuse the data for their own purposes, but the information is still traceable by the merchant for processing, returns, and other purposes.
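The substitution described above can be sketched in a few lines; this is an added example, not code from the article or from any payment provider. It assumes a hypothetical `TokenVault` kept apart from the merchant's order records (a production vault would be a separately secured, encrypted service), and the card number is a constructed test value.

```python
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed test number that passes the Luhn check


def luhn_ok(pan):
    """Luhn checksum used to validate payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only place a token can be mapped back to a card."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = self._token_by_pan.get(pan)
        if token is None:
            # Random value: nothing about the card number can be derived from it.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return token                          # same card, same token: returns stay traceable

    def detokenize(self, token):
        return self._pan_by_token[token]      # raises KeyError for unknown tokens


def record_sale(vault, orders, order_id, pan, amount_cents):
    """Merchant record holds the token and last four digits, never the account number."""
    last4 = pan.replace(" ", "")[-4:]
    orders[order_id] = {"token": vault.tokenize(pan), "last4": last4, "amount_cents": amount_cents}
    return orders[order_id]
```

A copy of `orders` taken in a breach contains only tokens and the last four digits; the account numbers stay in the vault.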
Yet another option for merchants to increase authentication in online payments is 3-D Secure, the underlying technology behind Verified by Visa, MasterCard SecureCode, JCB International’s J/Secure, and American Express SafeKey.
Essentially, 3-D Secure redirects online consumers to the bank that issued the card, which separately authenticates and authorizes the transaction. These separate authentications may take the form of another password tied to the card or a one-time generated password sent via text or e-mail.
The use of one-time generated passwords increases security by preventing hackers from using previous passwords in future purchases. With 3-D Secure, businesses can decide when and if they want to use this additional layer of security, and may only choose to do so for high-risk transactions or transactions flagged by other security systems.
Ultimately, it is up to each business to decide what method of security fits its needs and budget, but online retailers should be aware of the anticipated spike in fraud. Staying ahead of fraudsters will allow businesses to keep losses from fraud to a minimum, and prevent widespread data breaches like those that have occurred recently at Target and Home Depot.
While fraudsters will always find new ways to adapt to changing technology, the only way to keep them at bay is to keep up with the changes in security technology.