For many e-commerce merchants, the migration to EMV-chip card security at the point of sale — and the expected shift of fraud to the Web — is akin to a message in a bottle that hasn't washed ashore. Too many simply don't know about it.
That may change in another four to six weeks when the first post-holiday chargeback numbers since the U.S. EMV shift roll in, said Tom Byrnes, chief revenue officer at fraud prevention provider Vesta Corp.
"Since the dawn of e-commerce, the card brands have gone out of their way to say it is safe to shop online and if a consumer's card gets ripped off, you are protected," Byrnes said. "But all of that pain is going to migrate into the laps of the e-commerce merchants now, and they are having a tough time as it is."
Fraud-prevention vendors spent the past year educating online merchants about the expected jolt in card-not-present fraud as a result of EMV technology deterring counterfeit card fraud in physical stores. But, just as with brick-and-mortar stores, many e-commerce sites remained oblivious to the trend.
Because of this ignorance, higher chargeback numbers are coming to merchants who may not be aware of what is causing the spike, Byrnes said.
Atlanta-based Vesta tried a different way to deliver the EMV warning last year, calling for e-commerce merchants to consider all of their chargeback costs and examine the effect on the company's overall budget. To avoid becoming part of a card brand's chargeback monitoring program, e-commerce merchants have to consider the cost of battling fraud in-house versus having a third party vendor monitor and manage the problem, the company said.
A new Vesta white paper providing advice for merchants to overcome a growing chargeback challenge cites industry research that says e-commerce sales will grow at a 10% compounded annual rate over the next five years to $480 billion.
"But we've also seen estimates that over the next two years, card-not-present fraud will jump to about $6 billion in 2018," Byrnes added. "In 2013, it was under $3 billion, so that's a geometric jump."
E-commerce merchants, on average, were spending between 13% and 20% of their total budgets on fraud prevention as of last year, Byrnes said. If those numbers go higher, many merchants will rightfully start asking whether they are in the business to sell goods or manage fraud, he added.
E-commerce merchants have some options to avoid liability on fraud, such as instituting the card brands' 3D Secure measures. But that's more popular in Europe and not widespread in the U.S., mainly out of fear that the added security burden on consumers would lead to cart abandonment.
Javelin Strategy & Research has forecasted higher card-not-present fraud numbers for the past two years, but did not blame EMV for the entirety of that prediction, said Al Pascual, research director and head of fraud and security for Javelin.
"We pinned it on the fact that fraud grows in tandem with transaction volume," Pascual said. "E-commerce transaction growth is accelerating, so that drives the fraud problem."
It's a trend that isn't going to go away.
"By 2018 or 2019, there may be no plastic cards, so criminals are going to have to find something else to do," Pascual warns.
The advancement of "buy buttons" for online transactions might ease some friction for consumers, and at least partly address the cart abandonment fears for e-commerce merchants. But it's a double-edged sword, especially if faster payments equates to faster fraud.
"We have a leading indicator in digital fraud against those who sell digital goods," Byrnes said. "It's an immediate download and fast transaction, so it can be faster fraud for those stealing digital gift cards or e-tickets. Buy an e-ticket for $100 with a fraudulent card and sell it for $50 very easily."
Two-thirds of merchants that sell physical goods say outsourcing fraud mitigation and chargeback management is cost effective, according to Vesta's findings. E-commerce merchants will likely agree after seeing their first chargeback numbers next month, Byrnes said.
Indeed, the past holiday season was considered a key testing ground for various fraud-prevention technologies, even though EMV was still a fresh addition at most stores.
"Everyone is really keyed in on this problem, and for good reason," Javelin's Pascual said. "Biometrics and behavior metrics in 2016 is kind of like the hot method that device fingerprinting was 10 years ago."
Ultimately, merchants will find out that keeping talented fraud-prevention employees on staff is an expensive proposition and they will have to turn to other providers to ease fraud and budget pain, Pascual said.
"They did not go into business to become fraud experts," he added.