
EMV not a panacea for online fraud

10/9/2015

Here is the bottom line: EMV compliance protects against certain types of fraud but not all types.



Yes, EMV adoption will drive significant growth in online fraud. But something that has received far less attention is the fact that EMV-compliant technology can also help protect retailers against fraudulent e-commerce transactions.



“You can use a USB or attachment to a mobile device to authenticate online transactions with EMV cards,” said Ciske Van Oosten, global intelligence manager, PCI security practice, Verizon Enterprise Solutions, in a recent interview with Chain Store Age. “In addition, the issuer usually additionally authenticates online transactions beyond a certain amount.”



He further recommended retailers adopt 3-D Secure, an XML-based protocol offered by major credit card issuers including Visa, MasterCard and American Express. 3-D Secure redirects all online card transactions to the site of the card-issuing bank for an extra authentication step, such as a password.



Despite these potential safeguards, Van Oosten agreed that a large spike in card-not-present (CNP) online transaction fraud will occur in the U.S. He said that in most other countries that have already shifted to EMV, CNP fraud more than doubled in the years after EMV adoption. He also cautioned that EMV is not a safeguard against all fraud occurring at the POS.



“EMV does protect against certain types of fraud, but not all types,” he stated.



In some good news, historical Verizon data suggests that EMV protects against certain types of fraud extremely well. For example, in the U.K., counterfeit card fraud dropped 67% and lost/stolen card fraud dropped 58% in the first five years following EMV adoption. Receipt fraud (mainly dealing with fraudulent returns) fell an even more drastic 91%.



Van Oosten also strongly advised that retailers make EMV one component of a broader payment security strategy, rather than rely on EMV alone. He discussed some of EMV’s limitations.



“EMV cards use a cryptogram,” said Van Oosten. “Data is not fully encrypted. Hackers are prohibited from recreating the transaction itself, but they can intercept some card data.”



In addition, Van Oosten said some information is still stored on the card’s magnetic stripe, and a typical credit card has the account number displayed in plain sight.



To bolster payment security, Van Oosten said retailers should also use security measures such as tokenization, or the replacement of consumer financial data with encrypted digital “tokens” that provide no useful information if hacked. Van Oosten also recommended retailers maximize their security against all types of data breaches by complying with the PCI 6.0 security protocol.



“POS is the highest attack target,” said Van Oosten. “It’s the pole position for breaches across the world. But retailers need better infrastructure protection. Of all the retailers who have had their systems breached in the past 10 years, Verizon has not found one that was PCI 6.0-compliant at the time of the incident.”

