Are you prepared for the indirect effects of EMV on eCommerce?

September 20, 2015 – There are two tasks that need to be on every eCommerce merchant’s to-do list to prepare now for the shift to EMV in the United States this October. The first is simply to understand the “what,” the “why,” and the “so what” of the EMV standard in the context of eCommerce payments. There’s a great deal of talk on the topic, so it’s imperative that merchants grasp what’s truly relevant to them.

Online merchants often ask if they need to do something differently to accept these new cards. The bottom line is that for card-not-present-only merchants, the consumer experience when paying with a chip card will not be any different, nor will payment acceptance – thus there are no direct effects.

The second task is to realize, however, that there will be two substantial indirect effects of EMV adoption on CNP transactions – more fraud and massive card reissuance – that warrant the attention and preparedness of eCommerce merchants, as outlined below.

More Fraud
Based on what occurred in other countries when EMV was implemented, experts fully anticipate a sharp uptick in online fraud rates as EMV makes it more difficult to use lost, stolen, and counterfeit payment cards at point-of-sale (POS) terminals. Due to this increased difficulty, there will be a number of fraudsters looking to pivot their exploits to the more attractive eCommerce channels.

[Figure: More fraud. Source: frbatlanta.org]

Massive Card Reissuance
When issuing banks replace existing cards with their chip card successors, many will also change the card number and/or the expiration dates. For eCommerce merchants offering a saved card-on-file (e.g., recurring services), this can spell trouble in the form of broken subscriptions and increased customer attrition – both bad for business.

While there are companies, including Vantiv, that offer services to address these indirect effects, the most important thing for merchants to do is to ensure they’ve implemented an effective strategy to address these issues.

A question we’re frequently asked is, “If U.S. adoption of EMV had already occurred, would it have prevented all the high-profile retail data breaches of the past 18 months?”

The short answer is no.

EMV prevents counterfeit card fraud by adding a unique signature to the primary account number (PAN) in a card transaction, allowing the issuing bank to confirm that the card being used is authentic.  

This additional data element does nothing to encrypt or secure the PAN, so that data would still flow through a merchant’s systems, and could easily fall prey to malware. Products like point-to-point encryption and tokenization serve to protect data in transit or at rest. These are the types of technologies that would have foiled the fraudsters that perpetrated those major breaches. 
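The distinction above as a runnable sketch, added here and not taken from the original article: a per-transaction cryptogram lets the issuer reject replayed or altered chip data, yet the PAN still sits in the clear in the merchant's record until it is tokenized. HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the key, test card number, record format and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

PAN = "4111111111111111"            # constructed sample: a standard test card number
CARD_KEY = secrets.token_bytes(32)  # assumed per-card secret shared by chip and issuer

def chip_cryptogram(key, pan, amount_cents, counter):
    """Per-transaction cryptogram; HMAC-SHA256 is a stand-in, not the EMV algorithm."""
    msg = f"{pan}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def chip_transaction(key, pan, amount_cents, counter):
    return {"pan": pan, "amount": amount_cents, "counter": counter,
            "cryptogram": chip_cryptogram(key, pan, amount_cents, counter)}

def issuer_accepts(key, txn, last_counter):
    """Issuer side: the counter must advance and the cryptogram must verify."""
    expected = chip_cryptogram(key, txn["pan"], txn["amount"], txn["counter"])
    return txn["counter"] > last_counter and hmac.compare_digest(expected, txn["cryptogram"])

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    """DLP-style scan: digit runs of card length that pass the Luhn check."""
    return [d for d in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(d)]

def tokenize(vault, pan):
    """Swap the PAN for a random, digit-free token; only the vault maps it back."""
    token = "tok_" + "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
    vault[token] = pan
    return token

def merchant_record(txn, card_ref):
    """Hypothetical record format for what lands in the merchant's systems."""
    return f"card={card_ref} amount={txn['amount']} ctr={txn['counter']} cg={txn['cryptogram']}"

if __name__ == "__main__":
    txn = chip_transaction(CARD_KEY, PAN, 2599, counter=7)
    print("genuine:", issuer_accepts(CARD_KEY, txn, 6), "replay:", issuer_accepts(CARD_KEY, txn, 7))
    print("clear record:", find_pans(merchant_record(txn, PAN)))
    print("tokenized record:", find_pans(merchant_record(txn, tokenize({}, PAN))))
```

The cryptogram check and the PAN scan are independent: the first passes or fails regardless of whether the second finds a card number, which is why the cryptogram alone does not protect stored or in-flight card data.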

Impact of EMV

It’s important to note that the October 2015 EMV shift does not apply to eCommerce merchants. That is, there is nothing that CNP merchants need to do to comply. At the same time, there is a softer imperative for these merchants to address the indirect effects of EMV adoption before the consequences become untenable.

Specifically, eCommerce merchants would be wise to ensure their fraud prevention and account update strategies are in order. That way, they can keep the cost of payment fraud down and maximize customer lifetime value, respectively. 

So, will eCommerce merchants be ready to counter these indirect effects of EMV adoption? Experience tells us that the answer varies by merchant size. The larger the merchant, the more prepared they are. This isn’t unexpected, although the degree to which smaller merchants have put off readiness has been a bit surprising. There are a few key reasons for this. First, some merchants simply don’t want to deal with an uptick in fraud and card reissuance until these materialize. Second, other merchants have had limited success either building their own home-grown solutions or navigating a complex and overwhelming landscape of solution providers. Finally, others simply hope their smaller stature will spare them from the impact.

EMV and Fraud Rates in the U.S.

Ultimately, it will come down to the speed with which brick-and-mortar merchants and financial institutions adopt the EMV standard. In broad strokes, however, we fully expect what played out abroad to repeat itself here in the United States. The proportion may not be the same, but we’ll likely see a reduction in POS fraud while eCommerce fraud increases. Once again, that’s nothing surprising. After all, fraudsters are very good at rapidly identifying the most vulnerable targets and quickly adapting their attacks. 

Still, we suspect that the smaller eCommerce merchants will bear the brunt of the uptick in payment fraud attacks. It’s becoming clear that larger merchants are going into the EMV adoption phase with their eyes wide open and fortified for the anticipated fraud onslaught. Conversely, many of their down-market counterparts are taking a riskier approach, as discussed above. Unfortunately, it’s a gamble that we don’t see paying off, as fraudsters will quickly identify this gap and exploit it until detected and stopped. 

The emerging scenario in my mind is that the shift in fraud will be not merely a lateral move from POS to eCommerce, but rather a shift over and down – something we had all better be prepared for.

+++

Neeraj Gupta is senior product manager at Vantiv and has worked in different parts of the payments ecosystem for more than 10 years. Previously, he built payment systems and fraud detection software on the merchant side as part of the IT organizations at AOL and Comcast.