Is a Tidal Wave of Online Credit Card Fraud on the Horizon?

The U.S. has a serious credit card fraud problem. In fact, a Nilson report (as cited by the Wall Street Journal) estimated that for every $100 spent using a credit card, 13 cents is lost to fraud. That may not sound like much, but when multiple by thousands of such transactions and spread across millions (or billions) of dollars, the impact is significant. But here’s the kicker: outside of the U.S., only 4 cents is claimed to fraud (three times less than in the U.S.).

The difference has generally been attributed to less secure credit cards in the States. Until this year, banks were resistant to using chip and pin technology, which provides more protection (and has been the standard in Europe for over 10 years). Now, the U.S. is going part way, at least: the newest cards are embedded with chip technology (but are without PIN, notably). This is expected to help decrease fraud in the States and bring the number back closer to the rest of the world.

However, some experts see a new wrinkle in the changeover. Chip technology only makes “card present” transactions more secure. Naturally, since a merchant’s card reader needs the actual credit card to read the chip, that’s the only way they can control fraud from a point-of-sale transaction. The problem, critics say, is what happens during “card-not-present” transactions.

In a commentary piece for DarkReading.com, Ben Jackson writes that a “fraud tsunami” is headed to the shared economy – via “card-not-present fraud.” As head of risk management and fraud prevention for PromisePay, Jackson warns that due to the clampdown on fraud through chip technology, fraudsters are likely to simply take more of their business online:

Fraud in the online world is about to increase dramatically over the next 12 months. With the introduction of Europay, MasterCard, Visa (EMV) chip technology in the United States, card-not-present fraud (CNP) will show a substantial increase, and if the results of EMV adoption in the UK and Australia are any indication, CNP fraud could rise anywhere between 10- to 20%. A recent LexisNexis report outlines how merchants are left liable to online fraudulent activity - with them paying out $3.08 for each dollar lost to fraud.

Jackson follows that up with an illustrative comparison:

Think of fraud as water running downhill – it will always follow the path that allows it to flow in the easiest way possible.  

This could mean big trouble for banks, who have are already inundated with fraud claims and subsequent investigations, and also merchants who now bear a greater share of risk overall in credit card transactions.

So what can your clients to be better protected as fraudsters shift gears and take more of their business to the Internet? Five things, according Jackson:

  • Educate. “Knowledge is power. Learning about the latest fraud trends is essential.”
  • Verify data: “This can incorporate IP identification and proxy piercing, device fingerprinting, and more basic level user data such as email/mobile/social media.”
  • Employ a rules engine. “The rules engine is a middleware application that allows you to create rules when tracking and managing fraud. You can perform pre- and post-authorization tests and rules, as well as rules to handle the return results from authorization. This is a must-have for any medium- to large-sized merchant.”
  • Use chargeback reporting. “The final rung of the ladder against fraud is at the chargebacks layer. It is commonly accepted that up to 1 out of every 100 transactions will result in a chargeback, and 86 percent of these chargebacks are fraudulent. It is also accepted that there is a 1 in 10 chance of the merchant winning the chargebacks – clearly a costly situation for the merchant. Chargeback reporting is so important because they show the merchant what they’ve missed, and allow them to analyze the event, and so better protect against it in the future by implementing risk-based controls.”

The idea that fraud may become worse after new protection methods are employed is not what anyone (other than fraudsters) wants to hear. But as every fraud investigator knows, con artists and other criminals adapt to 1) follow the money, and 2) find the path of least resistance. Right now, the Internet provides both of those elements. It is up to businesses and their security personnel to find a way to thwart them.