An unmistakable red flag went up when retailers in Australia, the United Kingdom and other countries began their EMV migrations at the beginning of this decade. Over a four-year period of chip-based credit and debit card adoption, card-not-present (CNP) fraud—originating via digital channels—jumped by 70% to 73%
With EMV chip-based cards limiting the ability to steal at physical point-of-sale (POS) locations, it was clear that fraudsters had sought out the next weak link in merchants’ armor: The anonymous transactions of online commerce.
In the U.S., two years have passed since the EMV liability shift went into effect, putting merchants on the hook for any losses to online fraud. But new data from Javelin Strategy & Research and Vesta Corp., combined with benchmarked data pre-EMV migration, suggest that the ecommerce fraud headaches for American retailers will be far worse than anything their foreign counterparts could have imagined.
The Scope of the Challenge
Data from 2016 and 2017 reveal that post-EMV, American merchants are struggling with significantly greater fraud losses and are having to devote more resources than ever to fighting fraud.
- Fraud losses now consume 8% of the average ecommerce retailer’s revenue stream, up five percent over 2016 losses
- Fraud management eats up 21% of their operational costs, up nearly 17% over 2016 losses
- These losses and costs are far more burdensome for digital goods merchants, who sell instantly downloadable goods like tickets and eBooks: their fraud spend increased by 42% year-over-year
- Perhaps most revealing, 74% of the budget dedicated to fighting fraud actually goes to overhead items such as technology, personnel and administration, rather than directly to fraud prevention
One of the big drivers behind the spike in the threat levels is that fraudsters targeting American retailers today are the beneficiaries of years of tactical and technological innovation and CNP fraud learnings that have accumulated since previous EMV migrations. On any given day, digital criminals can be caught exploiting merchants’ buy online pickup in store (BOPIS) options, abusing the security gaps in digital wallets, overtaking customer retailer accounts to send goods to the wrong locations, and more.
Since some of these technologies or options didn’t even exist just a few short years ago, these tactics didn’t necessarily register as notable fraud threats once the shift to EMV began. Unfortunately, this all amounts to an early warning sign that the breadth and depth of risk from criminals will only rise as ecommerce continues to grow.
Adjusting Course…or Veering off Course?
But retailers’ fraud-fighting adjustments and responses have been disorganized at best. Per 2017 data from Javelin and Vesta, ecommerce retail respondents indicated that they plan to utilize at least 14 different security techniques in the next 12 months. At the same time, nearly one third of merchant executive respondents reported frequently abandoning advanced fraud fighting tools such as customer identity verification or quiz challenge questions.
This represents both a lack of clear strategic direction for establishing an effective defense and a growing cost center since every new technology requires evaluation, integration and testing before deciding whether to implement or abandon it.
In another survey of retail finance executives by CFO Research, 56% of respondents expected their fraud detection and assessment strategies to change in the next two years. The constant shuffling and incomplete adoption of fraud-fighting tactics carries serious hidden costs for retailers and suggests a lack of confidence when it comes to fighting fraud in the digital age. It also creates gaps in existing defenses, creating new opportunities for digital criminals.
As if fraudsters weren’t causing enough chaos for retailers, legitimate consumers aren’t making things any easier. The growing demand for quick, frictionless checkout experiences too often outweighs security concerns and compromises merchants’ ability to implement additional security tools or customer authentication tactics. Between a swelling audience of millennials that have grown up in a world of on-demand access and a growing segment of older consumers that will now reach for a device before running out to a store, this pressure will only continue to grow.
This leaves U.S. merchants facing a difficult conundrum. Ask for too much customer information to verify a purchase and risk losing the business to a competitor that requires fewer steps to check out. Ask for too little information at checkout and risk opening the floodgates for fraudsters patiently waiting to circumvent weak controls and steal retailers’ goods.
Fraudulent ecommerce attempts aren’t likely to decelerate any time soon. With ecommerce projected to represent a larger share of total U.S. retail spend each year, criminals will continue to invent new tactics and strategies. According to CFO Research, more than eight in 10 retail finance executives—and five in 10 from ecommerce-focused organizations—confirmed that fraud risk has:
- Interfered with corporate efforts to develop new products or services
- Inhibited revenue projections
- Caused business model changes
At a certain point, retailers need to take a step back and ask, “Did I get into retailing to fight fraud? Or did I start my business to innovate, grow and satisfy my customers?”
Retailers should monitor their efforts – including the deployment of tools, processes, and personnel – to determine which are most effective in addressing this growing and evolving threat. Sacrificing over 20% of operational costs to fraud management should not be the norm, especially in an incredibly competitive environment that demands constant innovation and growth.
Tom Byrnes is Chief Marketing Officer at Vesta Corp.