When it comes to EMV (Europay, MasterCard and Visa) security chip adoption, the United States is the clear laggard.
According to EMVCo, only 7.2% of “card present” transactions in the U.S. between July 2015 and June 2016 were secured using a computer chip. This stands in sharp contrast to the 97% for Europe, 89% in Africa and the Middle East, and 88.81% in Canada, Latin America and the Caribbean.
But we are getting there. If your plastic payment card is not already secured using a computer chip on the face, it will shortly. One factor that has driven US adoption is that the responsibility for fraud shifted as of Oct 2015 from the bank to the party that didn’t upgrade to the new chip technology. This “who’s responsible” liability factor has been a driving force in both the banks issuing new chipped cards, as well as the merchants upgrading their POS terminals.
The other factor driving adoption is the success of the technology. EMV cards use an integrated circuit combined with a magnetic strip to make counterfeiting almost impossible. In Canada, counterfeit card fraud declined by 54% over a five-year period from 2008-2013 as EMV was adopted by the nation. Similar results have been obtained by other adopters of the standard.
Even U.S. merchants are seeing similar reductions in fraud after adoption. Counterfeit card fraud decreased 27% (January 2016 compared to January 2015) for U.S. merchants who purchased terminals equipped to process EMV cards. Among these, big retailers saw even greater results—enjoying a 39% decrease in fraud involving purchases using plastic payment cards.
Unfortunately, stopping fraud at one point of access usually drives them to explore another. EMV is no different. In countries adopting EMV, they experienced a corresponding spike in fraud involving digital and online purchases that don’t require a plastic card or “card not present” fraud. The Aite Group predicts CNP fraud alone will cost businesses $7.2 billion in the U.S. by 2020.
In other regions, experts see a clear correlation: the higher the EMV adoption rate, the more incidences of online fraud. For example, Africa has 89% EMV adoption and the highest online fraud rate at 4.3%, while Europe and Asia both have high EMV adoption and are tied for second highest rate of online fraud at 3.6%. The United States, meanwhile, has the lowest online fraud rate of 1.6% and the lowest EMV adoption of any measured region.
Shutting down a growing problem
Based on these facts, make no mistake, it’s clear the U.S. will experience a similar spike in online fraud when EMV starts hitting critical mass unless something is done to prevent it.
The best security protocol to stop this impending explosion in online fraud is through the use of multi-factor authentication (MFA), a method of confirming a user’s claimed identity by using a combination of different components—either something the user knows, possesses, or an attribute that is inseparable from the user’s identity. When a users’ identity can be established in this manner, businesses can then make an accurate risk assessment before engaging in a transaction with the person online.
Authentication solutions for customers using a browser or their mobile phone to shop, bank or transact with businesses need to be in place, technology with strong device IDs. A device ID acts as a unique identifier for users, and can be formed based on wide range of data attributes gathered from the user’s device including such items as location, time, plug-ins IP addresses and more. In fact, now time and location are being considered separate factors by many, creating even stronger multifactor authentication intelligence.
Mobile devices have tremendous potential in the MFA equation to bolster security. Because of their internal architecture, individual mobile devices contain within them thousands of identifying characteristics, including location, operating system, and others. These identifiers can be combined together to form a unique permanent device identifier for use in MFA authentication. If done right, this permanent ID can survive an app uninstall/reinstall and operating system upgrades and cannot be spoofed.
When a unique permanent device identifier is tied together with another identifying attribute, such as a standard login procedure, it creates a secure MFA environment that locks out the fraudsters. Best of all, this system works with no added friction for users.
Based on the well-documented connection between increased EMV adoption and increased CNP fraud, the question is, what will organizations do about it? And when will they do it?
Knowing what is to come, it makes sense to prepare and adopt an effective MFA protocol to protect your browser and mobile transactions in order to stem the fraud tidal wave before it arrives.