Common knowledge was wrong: EMV didn't cause web fraud to spike, card brands say
The U.S. shift to EMV technology has dramatically reduced levels of counterfeit card fraud, but merchants and the card networks are divided on whether it caused the expected shift of fraud to digital channels.
The EMV-chip card standard is a counterfeit deterrent that only protects transactions at the point of sale. As a result, many observers expected fraudsters to simply move their attention to card-not-present transactions such as e-commerce, where EMV makes no difference. This shift appeared to take hold even before the EMV shift gained steam, but as any statistician will tell you, correlation is not the same as causation.
“It’s true that fraud dollars from CNP are growing, but it’s not increasing as a percent of total sales,” said Stephanie Ericksen, vice president of risk products at Visa, in a panel discussion at SourceMedia's Card Form this week in Austin.
Melanie Gluck, Mastercard’s vice president of mobile and e-commerce, agreed with Visa's conclusion. “We’re watching trends closely but we haven’t seen many spikes in CNP fraud," she said.
Gluck noted that tools to prevent CNP fraud are rapidly improving, allowing merchants to fight back against any e-commerce fraud they see, regardless of the cause.
"We're seeing the emergence of new tools to prevent online fraud, including 3-D Secure 2.0, due out later this year, and different risk-scoring methods, and these are all going to be very important for merchants using a multilayered approach to preventing fraud,” Gluck said.
Visa's Ericksen acknowledged there are “pain points” in the system for all parties, but urged merchants to do more to prevent fraud in all environments.
For example, in the wake of the EMV liability shift, the percent of fraud from “fallback” transactions—where the EMV transaction failed, prompting the merchant to authorize the payment using the magnetic stripe on the card—has gone up, according to Ericksen.
“Fallback fraud is only 2.6% of fraud, but it’s rising, and we’re advising merchants to be vigilant and watch for gaps where fraudsters are coming into the store and doing (fraudulent) fallback transactions five or six times in a row,” she said.
But Mark Horwedel, CEO of the Merchant Advisory Group (MAG), was unconvinced that there was no connection between EMV and online fraud.
“CNP fraud is rising, partly because the (e-commerce) channel has grown but it’s also because CNP fraud is the low-hanging fruit for fraudsters,” he said. “We’ve been through a period with a lot of data breaches, and we’ll emerge from all this with a less-than-adequate response."
Although the EMV shift is far from complete—more than half of U.S. merchant locations still aren't are chip-enabled—Visa and Mastercard claim the effort has been a success, pointing to key milestones since the EMV liability shift went into effect in October 2015.
Nearly 60% of Visa credit and debit cards circulating in the U.S. have a chip, and card fraud at chip-enabled merchants has declined 58% as of Dec. 1, 2016 compared with a year earlier, Ericksen said.
About 43% of all Visa transactions currently occur with chip cards at EMV-enabled terminals, and EMV-enabled debit cards now outnumber EMV credit cards, according to Ericksen.
Mastercard estimates that about 42% of all transactions are using a chip card, and 46% of those occur at a chip-enabled payment terminal.
But these rapid adoption rates stem from decisions made to ease the burden on consumers, such as not requiring the use of a PIN for authentication, Horwedel said. In other countries, the use of a PIN is so commonplace that EMV is most often called "chip and PIN."
MAG has long contended that opting for a signature-only verification process favored issuers, because the shift to EMV caused no interruption in routines for consumers who had never used a PIN for credit card transactions. Interchange rates for credit cards are a key revenue source for issuers supporting rewards cards.
“Let’s face it, Visa wanted to push signature verification [instead of requiring PIN] to offset losses from Durbin,” he said, referring to the Durbin Amendment, which capped debit card interchange.
Visa's Ericksen disagreed.
“I have a very different perspective on the use of PINs,” she said, noting that while PINs were a standard verification method in Europe it was because modern online verification methods didn’t exist at the time EMV was implemented overseas.
Further, PINs are risky because they’re subject to theft, she said.
“There’s been a whole lot of misreliance on PIN (as a secure verification method) which can be compromised and used to get cash from an account,” Ericksen said. “Today we have a lot more tools and information to prevent fraud that are better than PINs, such as predictive analytics and improved data.”
The argument for PINs also is undermined by the rise of EMV-based contactless payments, which now account for the majority of transactions in Australia and half of transactions in the U.K., with no rise in fraud at the point of sale, according to Ericksen said.
Contactless payments don’t work for high-ticket transactions that also are subject to fraud, and in many environments they will never catch on, Horwedel noted.
The best hope for merchants to get around the pain EMV causes may be to bypass acceptance of physical cards, Horwedel suggested.
“Some of the more sophisticated merchants see (the EMV liability shift) as an opportunity to change the whole shopping experience,” said Horwedel, alluding to proprietary merchant apps like Walmart Pay and Kohl’s Pay. “These apps are helping people move through the checkout line faster, or maybe not go through a checkout line at all, with an omnichannel view looking at payments from a much bigger perspective.”