BreachExchange mailing list archives

EMV Chip Cards Shifting Retailers’ Risk to Online Commerce


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 7 Oct 2015 20:27:42 -0500

http://multichannelmerchant.com/ecommerce/emv-chip-cards-shifting-retailers-risk-to-online-commerce-06102015/

By October 1, most U.S. debit and credit cards will have been reissued with
microchip technology to a more secure global payment system known as EMV.

While this change will significantly reduce risk for fraudulent activity
for in-store transactions, retailers should now be prepared to take
additional security measures for online transactions.

Recently, media attention has focused on major security breaches like those
at retailers like Target, Home Depot and Neiman Marcus – instances where
data thieves stole credit card information from in-store transactions,
leading some security experts to deem shopping online safer than shopping
in-store. While this may be true from a consumer perspective, from a
retailer’s fraud management perspective, the card-not-present space
presents some unique challenges.

Retailers’ in-store sales have been consistently targeted by data thieves
because cards’ magstripes, when swiped, in most cases leave behind a lot of
unencrypted account data that is very valuable to data thieves and card
counterfeiters. Now however, with microprocessor chips embedded in the
cards that generate dynamic data for each transaction, these transactions
are less vulnerable to fraud.

While the shift to EMV will help alleviate a lot of retailers’ in-store
payment risk when it comes to counterfeit credit cards, the new chip-card
standard will likely push fraudsters online. This phenomenon has already
been observed globally in other markets that have made the transition to
EMV cards. In the U.K., which implemented chip-and-PIN nationwide in 2006,
the value of card-not-present fraud increased 79% between 2005 and 2008
according to the UK Payments Association. The same phenomenon was observed
in Canada, France and other major markets.

Over the last six to twelve months, stores have been gradually upgrading
their systems to accommodate the new chip cards. As more and more of
those implementations go live, fraudsters will be less successful using
fraudulent credit cards in stores, making online transactions an easier
target and a mounting risk factor – especially for retailers who specialize
in selling big-ticket merchandise.

With a remote transaction, the seller can’t see the customer, check their
identification, or verify that the customer’s method of payment is even
truly in his or her name. Now that brick-and-mortar retail uses chip cards,
the disparity is even wider between the certainty that in-store purchases
are bona fide and the uncertainty associated with online purchases. EMV
chips cannot be read or verified for online shopping. The new standard
ostensibly creates more risk for ecommerce, and provides no clear solution
to address this risk while placing the burden of further enhancing fraud
prevention services into the laps of online retailers.

The shift to an increased threat online has already happened and will only
gain momentum as brick-and-mortar continues to adopt EMV transactions. To
safeguard themselves against online credit card fraud, eTailers need to
ensure that they are using automated fraud screening and keep their systems'
analytics up to date. Fraud tactics and trends tend to change quickly, so
having a reliable arsenal of flexible and robust tools is important. In
addition, manual review processes should also use data sources that provide
a high degree of confidence that each order is approved properly. And for
those retailers who give the option of in-store pick up for items bought
online, customers should always be asked to present identification and
display the payment card used to make the online purchase when they come to
pick up their purchase.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
