EMV and the new avenues of fraud
It has nearly been a year since the 1 October 2015 US liability shift deadline for US credit card companies and merchants to switch to EMV cards. Despite concerns about costs and the challenges of roll out on such a huge scale. EMV adoption has rapidly increased. MasterCard has announced that 80% of its credit cards now have chips, while it has 1.7 million chip-active merchant locations on its network.
EMV seems to have been effective in reaching its aim of reducing fraud, MasterCard has seen a 60% reduction of counterfeit card fraud at its top 5 EMV-enabled merchants. EMV has been successful in reducing card present fraud wherever it has been introduced. In the UK, where it was introduced over 10 years ago, it was very successful in reducing card present fraud; in its first year fraud was reduced by 13%. These reductions have further continued with counterfeit card losses down from £129.7 million in 2004 to £47.8 million in 2014.
However, any time the security community closes one avenue of attack, hackers adapt and find another, and this is equally as true for card fraud. The introduction of EMV in the UK led fraudsters to move away from point-of-sale (POS) fraud to card-not-present (CNP) fraud. Between 2004, when EMV was first introduced in the UK, and 2014, CNP fraud increased by 120%. We are likely to witness a similar theme in the US, where CNP losses are expected to increase from $4bn currently to $7bn by 2020.
This should come as no surprise, EMV will not have defeated the efforts of fraudsters, it will have simply shifted their focus to new methods.
It is important that the US is prepared for this likely wave of fraud, taking precautions now, rather than attempting to play catch-up with highly sophisticated criminals after it is too late. Solutions such 3DS 2.0 will try to address this, as will other risk based solutions. Our own technology, which brings additional levels of security to CNP transactions, without inconveniencing the consumer, works as a preventive measure in order to defeat fraud before it occurs. The solution asks users to authenticate CNP by entering their cardholder PIN. This adds an additional layer of security, and one which is much more difficult for criminals to penetrate as access to cardholder PINs. By working together as an industry, we can protect our consumers by stopping fraudsters from succeeding.