The EMV chip card standard has been rapidly gaining market share in the U.S. since its adoption began in earnest in the third quarter of 2015. While only 300,000 merchants accepted chip-enabled cards in September of that year, the number has since surged, according to a report from Visa, to over two million today.
It’s clear the security standard, which stores card data on a chip embedded in a payment card, is taking hold. Merchants and financial institutions are hoping the technology will be as effective here as it has been in other countries. According to the UK Cards Association, EMV technology in the UK and Canada reduced plastic card fraud by 67 percent.
Unfortunately, it’s also true when one patches a hole in a dam, it’s likely a leak will spring up elsewhere. And that’s what is happening here. Although EMV is an effective countermeasure against counterfeit and stolen cards, it does not hamper card-not-present (CNP) fraud. Fraudsters are now turning to this avenue and plying their trade in the digital arena.
This migration of fraud to digital potentially has big ramifications in the United States. A late adopter of the EMV chip card standard, the US is also the leading e-commerce country in the world. A 2017 report from US Payments Forum states that a full 77 percent of U.S.-based merchants sell their wares online.
Currently, the percentage of CNP fraud in the U.S. is low compared to other countries but that figure will surely change as fraudsters, shut out of the physical payment ecosystem, migrate to digital. CNP fraud is, in fact, the most prevalent type of fraud in countries that have migrated to EMV, according to a white paper from US Payments Forum, and it is expected the U.S. will not be different.
This migration to digital fraud is already underway. A report by Forter and PYMNTS found that the fraud attack rate more than tripled in the U.S. between Q1 2015 and Q4 2015. Aite Group predicts online fraud will grow from $2.8 billion in 2014 to $7.2 billion in 2020.
Is there a way for merchants to head off this surge before it arrives? At first glance, it would appear the only way to reduce or prevent online fraud would be to slow down transactions to subject them to a more thorough review. This is, obviously, a move merchants loathe to make as it both reduces revenue and negatively affects the customer experience.
Further, the process is slow enough already. According to the US Payments Forum, 11 percent of online orders are subjected to manual review before shipping. This use of a manual review is a poor fit for operating in the immediacy of the digital realm.
Fortunately, there is a way of reducing fraudulent orders that does not slow down the ordering process. It is through the use of multi-factor authentication (MFA).
MFA is a security method of establishing a person’s claimed identity through the presentation of two or more different attributes—either something the user knows (for example, a PIN number or password), possesses (ex. a mobile device or laptop), or something intrinsic to their person (ex. a biometric like their fingerprint). Once a person presents at least two of these attributes, they can be authorized to perform transactions.
MFA is the accepted security protocol to reduce fraud but merchants are, on a whole, reluctant to add authentication steps that may impede the customer. However, there is a way to deploy a MFA security strategy that does not introduce friction to the transaction—by using the device the customer is using as an identifying attribute.
Individual devices, whether it is a mobile device, laptop, or desktop computer, contain within them many identifying attributes, including location, operating system, and others. Software now exists that can combine these components to form a unique device identifier. This identifier can then be used by merchants to meet the “something the user possesses” requirement of MFA.
The use of a device ID and device intelligence in handling online transactions accomplishes two goals: it allows real-time risk analysis to be performed, but it does so in a way that does not inconvenience the customer. In the MFA scenario, anti-fraud processes can happen “under the hood.”
Given that a surge of online fraud is inevitable with the growing rate of EMV adoption, U.S.-based companies would be wise to get ahead of the fraud curve by adding device authentication and intelligence solutions as part of their e-commerce strategy.
About the Author: Michael Lynch is InAuth’s Chief Strategy Officer and is responsible for developing and leading the company’s new products strategy, as well as developing key US and international partnerships. Lynch brings two decades of experience in key roles within financial services, consulting, and Fortune 500 companies, specializing in security and technology leadership.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.