EMV, and the Rise of Card-Not-Present Fraud

It’s been nearly two years since the EMV liability shift in the US, where electronic chip cards replaced magnetic stripe cards. Despite the initial confusion, customers slowly embraced their new “chip cards” and, soon after, credit card fraud started to decline. EMV had seemingly achieved its intended purpose.

What is EMV?

EMV (EuroPay, MasterCard, and Visa) is a global standard for electronic chip cards and the technology used to process their transactions. With the old “mag stripe” cards, data was permanently encoded in the magnetic stripe. Criminals could easily intercept the data and clone the credit card without the owner’s knowledge.

Today, however, every transaction completed with an EMV card generates a unique code that cannot be used more than once. A duplicate card will therefore be declined, because the stolen transaction code won’t be usable again.

When fraudsters stole and used old mag stripe cards, the card-issuing bank would typically carry the burden of paying either the customer or the merchant for money lost. With the EMV liability shift, a retailer that fails to install an EMV-ready POS system would be fully liable for the fraudulent charges.

Card-Not-Present Fraud

Because of the unique code generated from each transaction, EMV makes it much harder for criminals to duplicate cards and ring up fraudulent charges. However, the technology provides little protection when transmitting payment information. When a card is swiped in an EMV-ready terminal, the cardholder data has to be delivered to the payment processor. If this process is compromised through malware, memory scrapers, or other covert operations, criminals can acquire all the payment data they need from unsuspecting customers for use in card-not-present (CNP) transactions.

So, while EMV makes it harder to duplicate a card, stealing cardholder data opens the option for fraudulent online transactions, where EMV doesn’t come into play.

Remedying the situation

Unsurprisingly, EMV has led to fewer cases of fraud at physical points of sale, and a surge in CNP fraud. It’s therefore paramount that Internet-based merchants implement appropriate security strategies. These include elaborate authentication such as AVS (Address Verification System) and CVV (Card Verification Value) checks, 3D Secure, robust end-to-end encryption, and tokenization. Such measures plug the various gaps in typical online transactions.
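The sketch below models the per-transaction code, the card-not-present gap, and the CVV check described above. It is an added example, not code from the original article: the HMAC-based cryptogram, the ChipCard and Issuer classes, and all card values are constructed stand-ins rather than the real EMV algorithm, and it assumes intercepted data holds the card number and expiry but not the printed CVV.

```python
import hashlib
import hmac

def cryptogram(key, pan, amount, nonce, atc):
    """Toy per-transaction code: HMAC over the transaction data and counter."""
    msg = f"{pan}|{amount}|{nonce}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:  # the key stays on the chip; only the counter and code leave it
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0
    def pay(self, amount, nonce):
        self.atc += 1  # the counter advances on every transaction
        code = cryptogram(self._key, self.pan, amount, nonce, self.atc)
        return dict(pan=self.pan, amount=amount, nonce=nonce, atc=self.atc, code=code)

class Issuer:
    def __init__(self):
        self.cards = {}  # pan -> key, expiry, cvv, last counter seen
    def enroll(self, pan, key, expiry, cvv):
        self.cards[pan] = {"key": key, "expiry": expiry, "cvv": cvv, "last_atc": 0}
    def authorize_chip(self, tx):
        card = self.cards.get(tx["pan"])
        if card is None:
            return "decline: unknown card"
        if tx["atc"] <= card["last_atc"]:
            return "decline: replayed counter"
        good = cryptogram(card["key"], tx["pan"], tx["amount"], tx["nonce"], tx["atc"])
        if not hmac.compare_digest(good, tx["code"]):
            return "decline: bad cryptogram"
        card["last_atc"] = tx["atc"]
        return "approve"
    def authorize_cnp(self, pan, expiry, cvv=None, require_cvv=True):
        # Online purchase: no chip involved, so only static card data is checked.
        card = self.cards.get(pan)
        if card is None or card["expiry"] != expiry:
            return "decline: card data mismatch"
        if require_cvv and not (cvv and hmac.compare_digest(cvv, card["cvv"])):
            return "decline: cvv missing or wrong"
        return "approve"

def demo():
    pan, key = "4000000000000002", b"constructed-demo-key"  # constructed values
    issuer, card = Issuer(), ChipCard(pan, key)
    issuer.enroll(pan, key, expiry="12/30", cvv="123")
    tx = card.pay(2500, nonce="a1b2c3")  # the data that crosses the terminal
    return {"first_use": issuer.authorize_chip(tx),
            "replayed_copy": issuer.authorize_chip(dict(tx)),
            "cnp_no_cvv_check": issuer.authorize_cnp(pan, "12/30", require_cvv=False),
            "cnp_cvv_enforced": issuer.authorize_cnp(pan, "12/30")}
```

Calling demo() shows the copied chip transaction being declined, the same static card data being accepted online when the merchant skips the CVV check, and the online attempt being declined once the check is enforced.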

Most payment processing companies offer fraud protection services to online merchants, which can be very useful in mitigating CNP fraud. Some, like eMerchantBroker, even go a step further to ensure that retailers get informed of chargebacks and retrievals when they happen, so they can take immediate measures to protect their revenue.

What Now

EMV sure has its positives but, if you’re an online merchant, it’s not the answer to your problems. Managing card-not-present fraud requires constant vigilance, innovation, and execution of the best payment practices to stay ahead of the criminals.