Every day, millions of people make credit card purchases without swiping a card through a reader.In some cases, without even taking a card out of their wallet. By some accounts, card not present (CNP) transactions — those transactions made without a physical credit card — account for as many as two thirds of all credit card transactions. With so many people shopping online, and the explosive growth of mobile shopping applications, those numbers are only expected to increase in the coming years.
Unfortunately, what’s also expected to increase isn’t such good news. Some experts are predicting that there will be a significant increase in credit card fraud among card not present transactions over the next twelve months. The reason for this increase can only be described as ironic: The introduction of EMV, or chip and PIN credit cards, to increase security.
EMV Cards and Security
Over the last few years, there has been a marked increase in the number of large scale data breaches in the U.S. Criminals have targeted major retailers, including Target, Home Depot, Nordstrom’s, and others, and stolen personal and financial data from millions of consumers.One reason that hackers have been able to steal so much information is that American credit card processors transmit a great deal of transaction information via the processing networks.
An experienced hacker with the right tools can intercept and decrypt account numbers and other information contained on the card’s magnetic strip, and then use that information to make duplicate, counterfeit cards.
EMV cards are designed to better protect customer and account information. A small chip inside the card allows the transaction information to be converted into a one-time use, encrypted code that’s transmitted to the processor — and only after the purchaser enters a PIN. Unlike the credit cards we’re all used to using, it’s far more difficult for a criminal to create a counterfeit card, thereby reducing the likelihood of fraud.
Except in the case of card not present transactions. Because the EMV cards require special readers in order to work as intended, the extra security that they offer in-person transactions isn’t possible for online or phone purchases. As a result, fraud in card not present transactions is expected to increase. In fact, there is already evidence of this in Europe, where EMV has been the standard since 2012.
In the first year of the EMV standard, CNP fraud increased 21 percent in Europe. While not all of the blame can be placed on the chipped credit cards, experts agree that at least a major portion of the increase was due to criminals turning their efforts toward online, mail order, and telephone fraud, rather than continue with counterfeit cards.
The increase in CNP fraud post-EMV introduction has some U.S. security experts concerned. Currently, CNP fraud makes up about 16 percent of all U.S. credit card fraud, with losses totaling more than $5 billion every year. Given that ecommerce transactions are expected to top $400 billion in 2017, and CNP losses account for 1 percent of that total, the potential for such fraud to affect small businesses is real — and those losses could prove devastating.
Protecting Against CNP Fraud
Since refusing CNP transactions altogether isn’t practical for online businesses, how can they protect themselves and their customers from costly fraud? In many ways, it simply requires maintaining the same level of vigilance as before the introduction of EMV. These measures include
- Full compliance with PCI data security and protection requirements. Work with a payment processor who maintains compliance and implements the latest security measures for all transactions.
- Utilizing address verification systems, and confirming card security codes.
- Implementing card issuer security and verification tools. Like the Verified by Visa program, which requests additional information from customers to confirm legitimate transactions.
- Monitoring shipping information. Confirming unusually large or small orders, confirming unusual orders for existing customers, cross-checking unusual order shipping addresses with IP addresses, confirming requests for expedited shipping, and confirming requests for special shipping instructions.
Fraud involving CNP transactions is nothing new under the sun, but with the new roadblocks to other types of fraud, it only makes sense that merchants can expect an uptick in that type of fraud. In Europe, there are devices available that consumers can use for EMV transactions on their computers, but they haven’t been widely adopted, and aren’t available in the U.S. yet. Therefore, until there is technology that allows for chip and PIN transactions for CNP purchases, both merchants and consumers need to be vigilant and take precautions to protect themselves from theft and fraud.