As we discussed in MasterCard’s Security Matters, conventional wisdom indicates that card-not-present fraud will skyrocket as the United States shifts to EMV over the course of the next few years. Typically, this analysis is accompanied by analogies to balloons – as one end of the fraud “balloon” is squeezed, the rest expands. While this commentary correctly predicts the direction of card-not-present (CNP) fraud, it mistakenly treats fraud as a homogeneous mass and assumes that criminals can simply switch between different fraud types as the mood suits them. Point-of-sale (POS) card fraud and CNP fraud each have a notably different modus operandi and require different sets of skills. Along with other factors, this will make the evolution of card fraud more gradual in some respects, and more nuanced, than many stakeholders anticipate.
Conducting fraud at the point of sale obviously requires accessing a physical location with a physical card. This could be the original payment card, obtained through loss or theft, or it could be a blank card encoded with track data from a compromised mag stripe card. To get any payoff, down-on-their-luck members of society are often relied upon to purchase goods from physical stores, and then the group must consequently fence the goods or try to return them for cash. This tends to mean that point of sale fraud rings have more knowledge of the physical streets than electronic avenues of fraud.
Nonetheless, as the United States transitions to EMV, POS card fraud will become progressively less lucrative. Card counterfeiting will border on impossible, given the inherent security of EMV chip-cards and the use of dynamic data to authenticate POS transactions. Additionally, merchants who use encryption or tokenization would effectively render data gained from compromised terminals useless for future POS transactions. These factors will largely restrict POS card fraud to lost or stolen cards. Since lost and stolen cards, along with cards obtained through fraudulent applications and account takeovers, are significantly more difficult to acquire and are more likely to be cancelled shortly after compromise, fraudsters at brick and mortar stores face a closing window of opportunity.
Still, POS fraudsters won’t be closing up shop any time soon. The long tail of EMV reterminalization and the inclusion of the mag stripe on US EMV cards mean that the opportunity for POS card fraud will continue to exist for several years. By 2018, POS card fraud is expected to decline only to just under $5 billion, from $6 billion in total related losses in 2013. Because large retailers are among the first adopters of EMV, they become less attractive targets for account data compromise and card fraud. Conversely, smaller businesses that may be less aware of the security implications surrounding EMV, such as local single-shop retailers, restaurants, or hotels, or unattended terminals including ATMs and gas station pumps, are expected to lag in implementation. This makes them prime repositories of mag-stripe data to compromise and prime targets for card fraud.
Further still, newly issued chip cards will retain the magnetic stripe so that the card can be used at non-EMV-enabled terminals, and merchants equipped with chip readers will retain the ability to accept mag-stripe cards to avoid losing potential customers. Even at merchants who have fully reterminalized, mag-stripe data will be usable as a fallback if the chip and terminal are unable to communicate for any of a variety of reasons. If encryption is not used, any mag-stripe track data from attempted transactions will be just as vulnerable to breach, and subsequent counterfeiting, as before the migration.
Instead of growing because fraudsters shift their focus, CNP fraud will continue to rise in tandem with total U.S. e-commerce expenditures, as was experienced in other major markets, according to Javelin’s Fixing CNP Fraud study. In fact, Javelin analysis of CNP fraud trends found that the transition to EMV will have a negligible effect on the volume of fraudulent e-commerce in the United States through 2018. The total value of fraudulent e-commerce transactions is expected to nearly double from $10 billion in 2014 to nearly $19 billion in 2018, making CNP the dominant card fraud type in the United States.
The “balloon analogy” is too simple to explain how card fraud will change over the next several years, but it is clear that EMV cannot bear the brunt of the blame for the coming growth in CNP fraud. Criminals will adapt to succeed, albeit slowly. Payment stakeholders that can effectively anticipate how fraud will change will be the most successful, bolstering their fraud prevention capabilities quickly and enacting aggressive steps to get ahead of the curve, including rapid reterminalization, stronger account authentication, and improved due diligence during account origination.
Forget the analogy. Don’t just squeeze the balloon. Pop it.