EMV Chip Cards Shifting Retailers’ Risk to Online Commerce

By October 1, most U.S. debit and credit cards will have been reissued with microchip technology to a more secure global payment system known as EMV.

While this change will significantly reduce risk for fraudulent activity for in-store transactions, retailers should now be prepared to take additional security measures for online transactions.

Recently, media attention has focused on major security breaches like those at retailers like Target, Home Depot and Neiman Marcus – instances where data thieves stole credit card information from in-store transactions; leading some security experts to deem shopping online safer than shopping in-store. While this may be true from a consumer perspective, from a retailer’s fraud management perspective, the card-not-present space presents some unique challenges.

Retailers’ in-store sales have been consistently targeted by data thieves because cards’ magstripes, when swiped, in most cases leave behind a lot of unencrypted account data that is very valuable to data thieves and card counterfeiters. Now however, with microprocessor chips embedded in the cards that generate dynamic data for each transaction, these transactions are less vulnerable to fraud.

While the shift to EMV will help alleviate a lot of retailers’ in-store payment risk when it comes to counterfeit credit cards, the new chip-card standard will likely push fraudsters online. This phenomenon has already been observed globally in other markets that have made the transition to EMV cards. In the U.K., which implemented chip-and-PIN nationwide in 2006, the value of card-not-present fraud increased 79% between 2005 and 2008 according to the UK Payments Association. The same phenomenon was observed in Canada, France and other major markets.

Over the last six to twelve months, stores have been gradually upgrading their systems to accommodate for the new chip cards. As more and more of those implementations go live, fraudsters will be less successful using fraudulent credit cards in stores, making online transactions an easier target and a mounting risk factor – especially for retailers who specialize in selling in big-ticket merchandise.

With a remote transaction, the seller can’t see the customer, check their identification, or verify that the customer’s method of payment is even truly in his or her name. Now that brick-and-mortar retail uses chip cards, the disparity is even wider between the certainty that in-store purchases are bona fide and the uncertainty associated with online purchases. EMV chips cannot be read or verified for online shopping. The new standard ostensibly creates more risk for ecommerce, and provides no clear solution to address this risk while placing the burden of further enhancing fraud prevention services into the laps of online retailers.

The shift to an increased threat online has already happened and will only gain momentum as brick-and-mortar continues to adopt EMV transactions. To safe-guard themselves against online credit card fraud, eTailers need to ensure that they are using automated fraud screening and keep their systems analytics up-to-date. Fraud tactics and trends tend to change quickly, so having a reliable arsenal of flexible and robust tools is important. In addition, manual review processes should also use data sources that provide a high degree of confidence that each order is approved properly. And for those retailers who give the option of in-store pick up for items bought online, customers should always be asked to present identification and display the payment card used to make the online purchase when they come to pick up their purchase.

Dave Fish is the Fraud Prevention Manager for Blueport Commerce