EMV Adoption - Card Not Present Fraud is Going to Skyrocket

As more and more businesses across the United States adopt EMV chip and PIN, there is one arena not being discussed: Card Not Present (CNP) fraud. The chip itself provides no security when the card is not present for the transaction. However, Point of Sale systems will be much more secure, because the chip will be present to authenticate the transaction. CNP fraud is a reality without some type of authentication at the point of transaction. Once Europe adopted the standard, their CNP fraud did skyrocket. Now, over 60% of European companies require consumer authentication at the point of transaction. Is CNP fraud going to skyrocket in the United States? What types of authentication solutions currently exist?

Fraud Liability Shift

In 2015, all credit card acceptance from Visa and MasterCard will need to be processed on EMV-compliant card readers. Any fraudulent activity on non-compliant machines will become the full responsibility of the merchant.

The credit card companies have promised to cover all fraud on compliant devices. This means all companies accepting credit card payments must update their hardware to remain compliant, at their own expense. Naturally, the next question should be, “How do these companies authenticate CNP transactions and what are the benefits?”

EMV is focused on authentication hardware at the point of transaction, but that still leaves the card vulnerable. Accepting payments in an omnichannel environment is just as dangerous with EMV. Hardware is easily hackable. FICO reports that 2013 was the all-time high for card fraud, totaling just over $2.07 billion in Europe. The United Kingdom accounted for over $500 million in CNP losses. If EMV is supposed to eradicate fraud associated with CNP transactions, then we have a serious issue.

Are there Security Solutions for CNP?

Europe has led the way with consumer authentication technology. The goal was to create a more efficient way to authenticate the card at transaction with credit history, fraud history, etc. In layman's terms, consumer authentication technology ties the authentication process to the card authorization process, where a PIN/password or other unique identifier acts as a 'digital signature' that validates cardholder identity in a card-not-present (CNP) transaction. Data elements are then encrypted and transmitted through a PCI/DSS secured environment. The only drawback to encryption is decryption. You are still at risk.

According to Cardinal Commerce, “Merchants will also see a sales increase with a Consumer Authentication solution because there are fewer “false positives” that might ordinarily be declined, internally and externally. Merchants also enjoy a liability shift with fraudulent chargebacks on Cardinal Consumer Authentication transactions because the issuing banks will take risk if any transactions result in fraud.” Issuing banks better have a pretty good security solution to avoid paying for negligent processing.

Visa and MasterCard Fell Way Short in Authentication

Visa and MasterCard rolled out an authentication program in 2012 that required users to sign up with Visa and MasterCard in order to speed up the transaction process in an attempt to alleviate manual authorizations and chargebacks. The authentication process was designed to reduce further authorizations that cost time and labor. The program has not been very successful due to poor adoption stateside. Visa and MasterCard have developed a tokenization solution, which costs around $.52/transaction. How is that scalable for any company? Small security budgets will get crushed with that type of offering.

The main goal of authentication is to make it safe for the consumer and merchant, create less abandonment, and reduce labor involved at the time of transaction. The authentication process should be hyper fast and not affect the time of transaction. With less than 50% of US companies using some form of consumer authentication, we look to be in bad shape. $2 billion worth of losses in Europe should have CIOs and CTOs sprinting for a legitimate solution.

ApplePay to save the Day?

Not quite. We applaud the effort to tokenize and secure data, but they fall short. The core technology being used to tokenize data is encryption and not true tokenization. Tokenization, by definition, is a non-mathematically related value, which cannot be reverse-engineered to obtain the original value. Apple is using format-preserving encryption, which can be broken like any other encryption. ApplePay creates a cross-domain issue where the tokens become credit cards and can be used as such. Encryption on mobile devices is only as secure as the next attack that focuses on mobile devices and getting payment card data. To further the matter, MCX (a powerful group led by Wal-Mart, Best Buy, etc.) has refused to accept ApplePay and NFC (Near Field Communication) devices at any of their locations. Another roadblock. The only true way to lower risk and CNP fraud is cloud tokenization.

TokenEx Offers True Tokenization and Safe Transactions

With true cloud tokenization, Card Present or Card Not Present transactions are removed from your environment, lowering compliance, and even if the data is breached, it is a meaningless value. No massive payouts, no destroyed reputations, and the most important factor, happy customers. TokenEx tokenizes the data at the point of transaction, reducing PCI compliance and risk by up to 95%.

TokenEx has been tokenizing sensitive payment data for over 5 years, globally. Understanding the growth that organizations face in the new omnichannel marketplace, TokenEx is able to secure all of your devices and offer unlimited flexibility in how the payments are received. e-Commerce, Data Vaulting, Batch Processing, Web Services, Virtual Terminal Proxy, and Recurring Payments are a few of the acceptance channels offered.

Secure your transactions before you become the next casualty. Learn more at TokenEx.com. Please follow us on Twitter and LinkedIn.

