Business Team Investment Entrepreneur Trading Concept
There’s a widely held belief that clamping down on fraud in one area will lead to it popping up somewhere else. There is some truth to this — fraudsters favor the points of least resistance. But there are also major exceptions.
This "balloon squeezing" effect was behind much of the reluctance of the merchant community to move to EMV in 2015. The issue is that EMV-chip cards' anti-counterfeiting measures affect only the physical point of sale, and provide no added security to card-not-present environments.
However, as data demonstrates, the growth pattern of card-not-present fraud has proven to be independent of the effect of EMV, and is instead driven by the explosive growth of e-commerce, the Internet of Things — and, unfortunately, data breaches.
The U.K. is an oft-cited example of how EMV can shift fraud patterns. In 2004, fraud at the POS had hit a staggering $304 million. With the introduction of EMV in 2005, fraud at the checkout shrunk, reaching just $100 million by 2006.
Conversely, card-not-present fraud skyrocketed in the same time frame, reaching $253 million in 2008. Clear evidence of the “balloon squeezing” effect of fraud? Not exactly.
After the introduction of EMV in 2005, there was a short-lived rise in card-not-present fraud. By 2008, this was on a downward trajectory, finally resting at around 0.36%. Card-present fraud dropped to around 0.03% of card payments.
There were several reasons for the drop in card-not-present fraud as a percentage of transactions. Retailers were getting savvy to online fraud schemes and were introducing more stringent checks and balances such as the Address Verification System and the security codes printed on the backs of cards. Also, fraudsters didn’t suddenly discover card-not-present fraud with the introduction of EMV — they had always been there. And finally, yes, card-not-present fraud was growing, but so was e-commerce.
So, where are we today?
Card-not-present fraud is expected to grow unabated over the next few years, with Aite Group forecasting that it will reach nearly $6 billion in fraud losses by 2020. That is more than double any other category of fraud.
However account takeover and application fraud are also set to rise, and the growth curve on these could be steeper than anticipated based on some of the massive data breaches of recent years, including the jaw-dropping 143 million records exposed in the Equifax breach of 2017.
It is also notable that Social Security numbers are exposed in data breaches at a rate that is almost double that of card data.
The ID Theft Resource Center found that 52.7% of data breaches in 2017 exposed SSNs, compared to just 19.1% that exposed cards. However, from a business standpoint, the value of card data remains unsurpassed in its ability to be sold, globally distributed and then misused for CNP fraud or counterfeiting. However, new account fraud is diversifying, moving from card applications to mobile phone accounts, car loans and mortgages — indicators that fraudsters are capitalizing on the PII that is now easily accessible on the black market.
As with SSNs, card data is likely to remain static for the foreseeable future, and with that, card-not-present fraud will continue largely unabated.
However, fraud will continue to evolve and while e-commerce still provides ample opportunity for card-not-present fraud to occur, growth in mobile usage also provides increasingly fertile hunting grounds.
In a survey by Kount, mobile browser and mobile apps were seen as the most risky means of payment for fraud. With card-on-file being ever more pervasive and with card credentials becoming embedded in networked devices, fraudsters will have no shortage of opportunities to test new schemes.