Point-of-sale payment card fraud will be easing off thanks largely to the introduction of EMV chip card payments to the United States in the next few years. But fraudsters, according to a new report from Javelin Strategy & Research, will be back in stores armed with cards using stolen credentials from account takeovers.
Meanwhile, Pleasanton, Calif.-based Javelin is predicting a big increase—90%—in card-not-present fraud. CNP fraud losses totaled $10 billion in 2014, but they’ll jump to $19 billion in 2018, the report says.
Javelin’s figures are compiled in its “2015 Data Breach Fraud Impact Report” released last week. The report is based on responses from a random sample of 5,000 U.S. adults about their fraud experiences. One of the study’s goals is to learn how data breaches affect actual incidents of fraud.
“This year, breaches at the [point of sale] have driven considerable counterfeit card fraud, which is proving to be a major challenge for financial institutions as they struggle with not only fraud losses but also costs related to re-issuance and servicing,” report author Al Pascual, Javelin’s director of fraud and security, tells Digital Transactions News by email. “CNP fraud is expected to grow considerably over the next few years, motivated by transaction growth through the channel and a gradual shift in fraud from the POS. There will also be strong growth in both account-takeover and application fraud as criminals attempt to get their hands on cards to misuse at the POS—basically replacing the card data being taken out of the market by EMV.”
The study estimates that POS fraud will decline by only $1 billion, or 17%, to $5 billion by 2018 from an estimated $6 billion last year. EMV chip cards are much harder to counterfeit than the magnetic-stripe credit and debit cards they’re now replacing in the United States. But the considerable time it will take merchants to deploy EMV card terminals and issuers to replace their portfolios of mag-stripe-only cards, as well as different tactics by criminals to use plastic in physical transactions, will keep POS fraud alive.
“We are not projecting broad-based adoption of EMV cards and terminals until 2018 as replacing 1.2 billion cards is no easy feat and there [is] a long tail of smaller merchants or locations, including restaurants, hotels, and unattended terminals, which are going to take a while to re-terminalize,” says Pascual. “All along the way, criminals will be getting their hands on EMV cards from existing accounts via account takeovers, which are represented in the POS card fraud figure as well. They are not additive [or] mutually exclusive.”
In other words, criminals will be hunting even harder than they do now for Social Security numbers, account numbers, and other personal data that will enable them to create new card or financial accounts in someone else’s name, or take over existing accounts, and thereby fool POS terminals into approving card transactions. Javelin estimates that account-takeover and new-account fraud will jump 60%, from $5 billion last year to $8 billion in 2018.
To keep such fraud under control, banks and card issuers “will need to improve authentication across both the mobile and call-center channels, and they should be making those investments now before it is too late,” says Pascual.
The fraud increases are coming even though the rate of fraud suffered by people whose personal information has been compromised in data breaches fell to 13.7% in 2014, which Pascual says “represents a significant decline” from earlier years. He says the massive volumes of data for sale in underground markets from the many data breaches in recent years, and mass re-issuance of cards, have “exerted considerable downward pressure on fraud rates.” Criminals, he explains, cannot use all the stolen data before cards are reissued or alerts are placed to monitor suspicious activity.
Meanwhile, Javelin says relatively little of the big predicted increase in card-not-present fraud will come from criminals turning to CNP channels as POS fraud becomes more difficult.
“The bulk of CNP fraud will be driven by secular growth in the e-commerce and m-commerce channels,” Pascual says. “In fact, we projected that the overall CNP fraud loss in 2018 would have been negligibly different if EMV was not to come to pass in the U.S.”