Can we blame EMV for rising online fraud?
Business Team Investment Entrepreneur Trading Concept
One of the most hotly contested topics in payments in recent years has been whether the introduction of EMV chip card security at the point of sale would cause a fraud spike across Card Not Present (CNP) channels, which see no benefit from EMV. Retail associations argued that EMV could only result in a “balloon squeezing” effect for fraud activity, moving it to CNP channels rather than eliminating it altogether.

It has now been two years since the EMV fraud liability shift took effect in the U.S. for most companies. This is enough time to evaluate the EMV migration's effect on fraud, and whether it can be blamed for anything happening in digital channels.
Chart: CNP fraud rocketed in 2016
According to data from Javelin Strategy & Research, 2016 was a strong year for CNP fraud, rocketing from 2.4% of consumers to 3.4% of consumers, a staggering 40% year-on-year increase. Was this caused by EMV?

“Criminals aren’t moving that quickly from POS to CNP, but they don’t necessarily have to,” says Al Pascual, SVP, research director at Javelin. “Online fraud can occur much more frequently than in person (consider the impact of bots) — so there is a force multiplier effect when fraudsters go online. I suspect the curve will become even steeper.”
Chart: CNP fraud growing in the U.S.
The bad news is that all types of card fraud are set to get worse.

According to forecast data from Aite Group, CNP fraud will grow from $4 billion in 2017 to nearly $6 billion in 2020. This will be in tandem with similar growth rates seen in application fraud and account takeover fraud. Bear in mind that this forecast was made prior to the Equifax data breach — the fraud curve could be much steeper now that a fresh crop of Social Security numbers is on the market.

“CNP fraud will grow because of the rapid rate of growth of e-commerce in general, but in a number of countries we’re seeing CNP fraud growing faster than the rate of e-commerce itself,” says Julie Conroy, research director at Aite. “As the U.S. EMV migration picks up pace, we’re not going to see the organized crime rings content to take a $4B hit to their P&L. We’re already seeing the migration impact application fraud and [account takeover], and my discussions with e-commerce merchants indicate that we’re seeing losses rising there as well.”

But is the U.S. experiencing CNP fraud at levels that are greater than other countries?
Chart: CNP fraud highest in U.S.
According to the U.S. Payments Forum, the U.S. ranks highest in a list of countries for CNP fraud rates, with 0.72% of e-commerce transactions being fraudulent. But the U.S. is not significantly higher. Belgium, France and Germany all register higher than the 0.53% global average for CNP fraud rates, and these countries have had EMV for well over a decade.
Chart: Merchants see more mobile revenue
As consumer shopping habits change, we can expect fraud to follow these changes. Recent data from Kount details the shift in revenue for online retailers from desktop to mobile. An increasing proportion of revenues are now coming via the mobile channel — highest levels of growth were in the 10% to 30% range of revenue from 2016 to 2017.

The same survey highlights that fraud over mobile is also shifting and that the most vulnerable areas were the browser and mobile app. Nearly 60% of online retailers considered the mobile browser to be the most vulnerable area for attack and nearly a quarter considered mobile apps to be a vulnerable channel.

Consequently, many of the tools being used to combat mobile payment fraud have some pedigree in the online payments realm.
Chart: Merchant fraud countermeasures
Merchants are increasingly applying tools from the online arsenal to the mobile channel, with significant growth in the usage of CVV and AVS checks, as well as a reemergence of 3D Secure as a means of countering CNP fraud.

But, back to the core question — did EMV cause the CNP fraud spike?
Chart: Misuse of EMV and mag stripe
Considering the relatively slow transition to EMV in the U.S. from both issuers and merchants, the difference between EMV card fraud and mag stripe card fraud is much the same.

“Consumers who had an EMV card misused were considerably more likely to be victims of CNP fraud, but in an even bigger issue did not necessarily experience that much lower a rate of POS fraud,” says Al Pascual, senior vice president and research director at Javelin.

So it's not a simple cause-and-effect of EMV leading to more fraud on CNP channels. With consumer habits shifting online, the evidence points to CNP fraud occurring irrespective of EMV, not because of it.

According to a fraud expert who requested to remain anonymous, fraud has shifted in-channel, with Mobile Wallets, Account Takeover and Fraud Apps being the channels to watch for growth.

“In terms of CNP/mobile fraud, we do see a ton of fraud there. Most of it is new (it simply didn’t exist previously) and it frequently aligns with the changing shopping habits of consumers, and this is often attributable to Account Takeover, First Party and growth in various mobile wallets. Did EMV influence that? No, there are no signals that EMV has suffocated counterfeit, it only changed which players are now exposed, both on the compromised merchants and the banks who are still issuing mag-only cards.”

Even the largest card network agrees with the EMV shift not being causal in CNP fraud rates.

“It’s true that fraud dollars from CNP are growing, but it’s not increasing as a percent of total sales,” said Stephanie Ericksen, vice president of risk products at Visa, in a panel discussion at SourceMedia's 2017 Card Forum.