The U.S. is a long way from widespread adoption of EMV, but security analysts say the boom in online shopping—plus a surge in consumers' use of mobile devices for holiday purchases—will make it easier for fraudsters to hide their moves as they redirect their efforts from retail to online channels.
E-commerce will drive about 17% of all retail sales during the last two months of 2015, up 6% to 8% over last year, according to the National Retail Federation. And e-commerce fraud rates will rise accordingly during the holidays, creating a convenient opportunity for fraudsters to rework their strategies around the new protections chip cards have introduced, said Cherian Abraham, mobile payments and banking adviser at Experian.
"As e-commerce transactions increase, fraudsters are taking advantage of the higher volume to hide in that traffic," Abraham said.
The question on security experts' minds is whether the U.S. will see a repeat of what happened after Europe's chip-card migration, when card-not-present fraud rates soared after EMV cards were introduced in 2004. The chips effectively blocked most counterfeit card fraud at the point of sale, and fraudsters quickly focused on the newer, less protected online shopping channels.
The U.S. liability shift for EMV cards went into effect Oct. 1, and it's still too early to see any significant effects in fraud trends, said Randy Vanderhoof, executive director of the Smart Card Alliance.
"I think in about two months we'll begin to see clues to whether EMV adoption is starting to cause a decrease in counterfeit card fraud at retail," Vanderhoof said. "The EMV landscape is changing dramatically week by week, as more merchants enable chip-card transactions."
The latest forecasts show that about 40% of merchants may be EMV-enabled by the end of the year, he said. Payments processor ACI Worldwide, which tracks fraud patterns globally, said it won't be until at least 90% of all U.S. point-of-sale transactions are conducted via EMV that a significant change in fraud patterns would be detectable.
No matter how long it takes for EMV to become the dominant standard for U.S. card transactions, fraudsters know the opportunity is fading for counterfeit card fraud at the point of sale, said Michael Graff, risk manager for eBay Enterprise, which provides broad services for e-commerce merchants, including fraud prevention.
EBay this month finalized its sale of eBay Enterprise, based in King of Prussia, Penn., to a group of buyers led by Permira and Sterling Partners.
"Fraudsters prefer the path of least resistance, and just the fact that EMV has been introduced at all means counterfeit card fraud at the POS is no longer a sure thing," he said. "We can be sure fraudsters are already working on the card-not-present channel, which is the next thing."
Comparing the modern-day U.S. to Europe in 2004 is like comparing "apples and oranges," according to Graff. E-commerce systems and fraud-prevention tools are infinitely more sophisticated now, though fraudsters have kept up their side of the arms race, he noted. The huge rise in consumers' use of tablets and smartphones for e-commerce is one of the ripest areas for new types of fraud, Graff said.
"Mobile devices at first were a bit more secure for online shopping because fraudsters were new at it, but now it's become a big area for fraudsters to exploit from a number of directions," said Graff.
Mobile devices also have a rich, growing toolbox of security controls ranging from biometrics to geolocation and device fingerprinting, though it's still relatively early in the development of more foolproof systems for mobile payments security, experts say.
The immediate future will be a risky time for card issuers and merchants before EMV takes hold and merchants get a clearer picture of where the next wave of fraud will come from, Graff said. "From what we've seen, fraudsters work nine to five like the rest of us and they're working right now on the next chapter of fraud in the era that comes after EMV," he warned.
Actually fraudsters start their workday even earlier; An internal study by eBay Enterprise shows fraud attacks peak each Wednesday at 8 a.m. EST, aiming for results by the end of the week.