U.S. merchants are in for a rude awakening if they do not prepare for the spike in e-commerce fraud that will likely follow the shift to EMV-chip cards at the point of sale.
"If they don't get the POS and online secure at the same time, they are just hurting themselves," says Jeremy Gumbley, chief technology officer for U.K.-based EMV technology provider CreditCall.
Though most merchants have until October 2015 to accept EMV cards to avoid a liability shift in fraud, fraudsters may not wait that long to change their habits.
"Some merchants will wait until six months before the liability shift, then realize that everyone else has jumped over the fence and already done it," Gumbley says.
Fraudsters will flock to e-commerce as soon as the lion's share of transactions at U.S. payment terminals comes from the chip-based cards common throughout the rest of the world, he says.
Merchants who have brick-and-mortar locations and complementary online shopping sites roll the dice if they don't get on board with EMV sooner, Gumbley says.
U.S. merchants should support EMV security online if issuers support it, Gumbley says. MasterCard's Chip Authentication Program, or CAP, enables consumers to use EMV chip-based cards when shopping online. The Visa version of the same technology is called Dynamic Passcode Authentication, or DPA. They are used as part of a two-factor authentication process with the cardholder's PIN.
When a bank customer opens an account, the issuing bank could provide a CAP or DPA reader as part of the "welcome pack" in addition to a new smart card, Gumbley says.
A handheld card reader is about the size of a pocket calculator and has a smart-card slot, a decimal keypad, and a display window for at least 12 characters. Consumers making online purchases would place their card in the reader to obtain a one-time, eight-digit cryptographic code to use when making the online purchase, Gumbley says.
Because the codes follow MasterCard or Visa standards, they are interoperable, and the issuer of the card will be able to authenticate the cardholder in a card-not-present setting, he adds.
Widespread use of CAP or DPA would provide "great security" for online consumers and merchants in the U.S., but such measures always face issues with adoption, says Avivah Litan, a vice president and distinguished analyst at Gartner Inc., a Stamford, Conn.-based market research company.
"It may not be a positive experience for consumers to hook it up and punch in the numbers," Litan says. "People are just used to only using a password."
Ultimately, developers will be looking to a smartphone application that might provide the same security, Litan says. But even that type of technology has some roadblocks in the U.S., she adds.
"It's just not that simple right now," Litan says. "There are so many players in payments and a lot of turf wars with the phone companies in this space."
In addition to the CAP or DPA authentication technology, acquirers and processors should also encourage merchants to examine RSA's SecurID one-time token passwords or Visa's 3D Secure and other layers of online security that have been available for years, Gumbley says.
Gumbley is echoing fraud experts from Aite Group, who noted earlier this year that 3D Secure, in particular, has made significant advancements that provide better online security while not frustrating customers into abandoning their transactions.
Similarly, Javelin Strategy & Research analysts have encouraged merchants to fortify their online sites when EMV is a standard in the U.S.
In general, the payments industry is developing more e-commerce security methods that incorporate mobile devices to provide faster authentication.
"Some of the security methods used to have time limits and if someone was slow on the keyboard, they could never get an online transaction completed," Gumbley says.
Last year, CreditCall established U.S. headquarters in New York City with plans to offer expertise in EMV migration. CreditCall said it could shave several months off their EMV conversion projects.
EMV represents "a necessary building block to future payments," Gumbley adds. "It paves the way for contactless and Near Field Communication."
Merchants who fear a newer technology could surpass EMV before the U.S. migration is complete aren't grasping the full payments picture, Gumbley says. No matter what is coming next, the payments industry has to have fundamental parts in place that build a strong foundation, "and EMV does that," Gumbley adds.
"Someone can say EMV is dated, and yes, it is incredibly mature, but it's also incredibly reliable and incredibly secure," he says.