From The Editor | February 17, 2015

EMV And CNP Fraud: Fool Us Twice, Shame On Us

By Matt Pillar, chief editor

As the U.S. retail industry tools up for the EMV (Europay, MasterCard, and Visa) chip card security standard this year, there’s a lot of speculation about the impact the new POS security standard will have on CNP (card-not-present) fraud.

Many fear that the resources associated with securing the POS via EMV will equate to plugging one leak in a severely compromised dam. In sealing up the physical payments environment, pressure will build on innovative fraudsters to find a new crack in the concrete, much like water behind a barrier seeks the path of least resistance to freedom. This fear is merited by observation of the countries that have already traveled the path to EMV:

  • The Canadian Bankers Association reports that EMV migration resulted in a 54 percent decline in counterfeit and lost/stolen card fraud from the beginning of Canada’s EMV migration in 2008 through 2013. Meanwhile, CNP fraud in Canada spiked 133 percent during the same time period.
  • In the U.K., card-present fraud has dropped 80 percent since EMV was implemented, while CNP fraud spiked 79 percent between 2005 and 2008, directly on the heels of the liability shift there.

In real dollar terms, Canada reduced physical card fraud to about $111 million in 2013 from about $245 million in 2008, while watching CNP fraud rise from $128 million to nearly $300 million in the same timeframe.

That the same phenomenon is to be expected here in the States is a safe assumption. It’s not, however, an excuse to ignore another stark fact: retailers in the U.S. have suffered a 47 percent increase in card-present fraud since EMV was implemented in the U.K. Many experts peg the total cost of card fraud in the U.S., which includes both direct losses and the cost of cleaning up after those losses, at close to a staggering $10 billion annually. It’s true that when POS systems on Broad Street and throughout Canada were locked down via EMV, fraudsters moved on to easier-to-breach e-commerce payments. It’s also true that they moved into U.S. brick-and-mortar retail, the last great global opportunity for credit card counterfeit fraud. It’s criminology 101; fraudsters are an opportunistic breed, and combatting them requires a holistic and anticipatory strategy.

While our late-adopter status has cost us in the short term, it can also benefit us as we move forward. We can learn from the sufferings of our predecessors, and we can commit to taking the steps necessary to avoid their mistakes. To merely follow the same path is to commit an egregious error of ignorance. Yes, we know that resources must be allocated to the EMV liability shift. But, if we’ve learned anything from the countries that preceded us, it’s that resources must also—and simultaneously—be allocated to the tokenization and encryption of CNP payments data, and to the adoption of and adherence to authentication methods for CNP payment acceptance. To approach physical and online payment security initiatives separately is to invite the same result we’ve seen elsewhere—major wins in brick-and-mortar security all but wiped out by major losses in the security of digital commerce.