Lost and stolen credit and debit cards equipped with EMV chips may become the bane of e-commerce merchants. As the U.S. payment-card industry begins its gargantuan migration to smart cards, counterfeit fraud at the point of sale should decrease. But fraud in other places very likely will increase.
That’s just one note of caution e-retailers heard Tuesday at the CardNotPresent.com annual conference and expo in Orlando, Fla.
These other types of fraud may include unauthorized transactions on lost and stolen cards, which can be especially vulnerable and problematic for online merchants. Though credit and debit issuers are staggering their chip card issuance, there remains a risk that criminals could intercept these mailings and use the cards to commit fraud, said Jackie Barwell, director of fraud product management at ACI Worldwide Inc., a Naples, Fla.-based vendor of online payment security services.
One major concern of hers is that in the United States, EMV chip cards are active when mailed to cardholders, making them vulnerable to criminals who might steal them from mailboxes. “Will they be targeted?” Barwell asked.
The potential for misdeeds is exacerbated because most U.S. credit card issuers will use signature as the cardholder verification method, Barwell said. Anyone who can get a hold of a card can sign the back of it. The chip does not authenticate the cardholder, just the card. With PIN-based verification, the cardholder must know the PIN to use the card.
“The challenge that comes with EMV moving forward, especially for card-not-present, is that fraud will dramatically increase,” said Terry Dooley, executive vice president and chief information officer for Johnston, Iowa-based Shazam Inc., a regional PIN-debit network.
Instead of criminals walking into a store to attempt to make a fraudulent transaction, they’ll go online, Dooley said. “You will become the primary targets.”
Related issues for card-not-present merchants include the inevitable move of criminals toward what they perceive as easier targets, said George Peabody, an analyst at Menlo Park, Calif.-based consultancy Glenbrook Partners. “While all the big retailers have done a good job about securing their networks, there’s tons of card numbers to harvest,” Peabody said. “And there will be for years to come. Hackers aren’t retiring just because EMV showed up.”
So what can online retailers do to reduce this risk? One tactic is to adopt 3D Secure technology. Operated as Visa Inc.’s Verified by Visa and MasterCard Inc.’s SecureCode, 3D Secure systems try to replicate the point-of-sale experience by prompting cardholders to enter a secret code in a pop-up window when checking out from a retailer’s site. The measure is meant to reduce fraudulent online transactions.
“Only 3% of merchants use 3D Secure,” said Tricia Lines Hill, senior vice president of business development and marketing communications at First Atlantic Commerce, a Bermuda-based payment processor. “This has to change when EMV rolls out.”
Many merchants balked at using the technology because they viewed it as disruptive to the checkout process, and not enough of their shoppers had payment cards that supported the technology. A new standard is in development that will take away the static password, and will use one-time passwords or biometrics for authentication, Hill said.
In January, EMVCo, the EMV standards body backed by the major global card brands, took over development of the 3D Secure standard and expects to release the EMV 3DS 2.0 specification in 2016, with the intent of making the technology easier to use.