As the U.S. slowly creeps toward EMV acceptance — make that very slowly — predictions have been consistent that it would translate into a sharp spike in e-commerce fraud. That's logical enough, given that EMV makes it far more difficult fora cyberthief to engage in his favorite in-store technique: card cloning. But it looks like fraudsters didn't bother to wait for meaningful implementation before shifting.
According to new stats released last week from a study by Pymnts.com and Forter, "In just the last four quarters, fraud attacks (for all retail channels) have jumped by 137 percent, affecting over $7.30 out of every $100 made in retail sales." Let's put that $7.30 for 2016 into context. In last year's third quarter, it was $3.10. In last year's fourth quarter (when the all-crucial holiday sales sends all activity soaring), it was only $2.50, the study reported. So, yeah, $7.30 is a bit alarming. When the report isolated its examination to solely digital goods, that fraud went up to $10.80 for every $100.
The report also drilled into some of those numbers. Digital goods — which are overwhelmingly online-only — lead the way at an increase of 186%. Let's call that the EMV effect or, more precisely, the effect of the fear of imminent EMV.
Once on The Dick Van Show, two characters were furiously cleaning ahead of the arrival of a new maid. One character says, "We don't need a maid around here. We just need the threat of a maid." The U.S. may not need EMV as much as the threat of EMV.
We've talked a lot in this blog about the various EMV implementation struggles, including security headaches and how attempts by Visa and Mastercard to accelerate EMV payments may backfire. The FBI even got into the EMV problems action.
But we've talked less about the EMV fraud impact, and that's arguably where things get the most interesting. That's because, when it comes to security, EMV takes with one hand and gives with the other. The chip verification certainly beats magstripe, but it's initial reliance on signature versus PIN is a step backwards. It's particularly frustrating when we see signature authentication — which is about as pointless a thing as exists in our solar system — layered on top of a biometric mobile authentication.
But the report's drilldown into fraud activity, while noting that digital fraud jumped 186%, also found that apparel fraud dropped 19%. That presumably reflects how apparel purchases still dominate in-store, given the desire to touch fabrics and try on clothes prior to purchasing.
Food/beverage was the second-largest spike, at an increase of 116%. Much of that is because of the high percentage of franchisees in that segment, a group that deploys card swipes and POS systems — which is where EMV upgrades have to happen — independently. Hence, restaurants and especially fast-food establishments will be among the last to aggressively embrace EMV.
Electronics fraud increased a modest 21%, and luxury goods jumped slightly more, at 38%.
In the least surprising detail from the report, it saw these fraud spikes as mostly coming from outside the U.S., primarily from Europe. This was to be expected, since EMV is overwhelmingly deployed in Europe. Therefore, card-cloning efforts must come to the U.S. to make money. Put another way, cloners must accelerate their efforts into the U.S. to squeeze out as many clone dollars they can before EMV deployment accelerates.
It's critical to remember that although EMV is excellent at stopping card fraud, it's much less effective at other fraud tactics. The good news for retailers is that card cloning is the most popular in-store fraud tactic — for the professional thief at least — so if EMV is only going to attack one tactic, it's the best one to choose.
But because EMV does nothing to improve online security — unless someone pushes a way to dip EMV cards into phones or desktop computers, which would be almost impossible to deliver profitably — that leaves e-commerce players defenseless until they embrace mobile authentication or other tactics.