With black Friday come and gone, merchants should take a moment away from their merriment about floods of customers and brace themselves for a different kind of flood - chargebacks. Two trends converge to make this holiday season excruciating for merchants. First, EMV disrupts comfortable patterns at the point of sale, especially for merchants who decided to wait to activate EMV terminals until after the holiday rush. Second, the ongoing growth of legitimate and fraudulent e-commerce continues to challenge online merchants.
For many physical point-of-sale merchants, the US has just enough EMV to be dangerous. The number of chip-enabled cards (and chip-competent customers) is still low enough that some merchants have decided to wait to turn on their chip terminals at a point when they don’t risk alienating hordes of shoppers. Under the pre-October liability rules, these businesses had the ability to reverse most chargebacks for transactions that occur at their physical stores. For card-present transactions, proper authorization and a signed receipt would solve practically any fraud-related chargeback. Now, any merchant without EMV is left holding the bill for cards misused at their store.
Merchants also need to know that fraud rings do not accidentally stumble up to their terminals. Fraudsters’ choice of which merchants to target is influenced by potential gains and the risk of detection. Point-of-sale fraud rings are certain to know which merchants in their domain are chip-capable and which are still operating on legacy magnetic-stripe readers. Since these “EMV laggards” are still vulnerable to traditional counterfeit card fraud, they become increasingly attractive targets as other merchants upgrade their terminals.
The second trend is the continuing growth of e-commerce fraud. With a wealth of cardholder data available from breaches, online merchants who rely solely on verifying static data points such as CVV and billing address are in the same boat as the merchant relying on mag-stripe cards. While card networks have changed compelling evidence rules to admit e-commerce history, email, and IP addresses as indications that a transaction is legitimate, merchants still have a difficult time successfully disputing CNP chargebacks.
With high volumes of online purchases during the holiday season, fraudsters have plenty of legitimate customers to hide amongst. And ordinary shopping patterns change during the holidays to make it that much more difficult to separate the real from the fake. That customer in LA who just shipped a camera to New York – are they a fraudster monetizing a stolen card or an innocent customer buying a present for their grandkid?
Both areas of risk are especially great for small merchants who exist on small numbers of high-value transactions, e.g. jewelry or exercise equipment stores. Small merchants are significantly less likely to have reterminalized than their larger counterparts, but their wares are just as easy for fraudsters to resell at high value. A few large chargebacks and the Grinch just stole Christmas.
So what are merchants to do? Taking advantage of existing security measures such as EMV at physical terminals and 3D Secure tools like MasterCard SecureCode and Verified by Visa for online purchases is a necessary first step. Networks, issuers, and acquirers all have a role in continuing to educate merchants on both the opportunities for collaboration in preventing fraud and the risks of writing off fraud as someone else’s problem. This holiday season; let’s keep the coal in the fraudster’s stockings.