EMV: What About Card-Not-Present Fraud?
Fiserv's Patrick Davie on Mitigating the Risks
In the wake of recent retail breaches at Target Corp., P.F. Chang's and other merchants, stakeholders are calling for the U.S. to expedite its transition from magnetic-stripe payment cards to chip-based cards that conform to the EMV (Europay, MasterCard, Visa) standard.
It's widely acknowledged, based on global experience, that once face-to-face transactions become more difficult to compromise, because of the EMV chip, attackers will move to the next most profitable outlet. And one of the places fraud will grow is in the card-not-present, or e-commerce realm, says Davie, who oversees card risk at Fiserv, an electronic payments and core banking services provider.
"Fraudsters are always going to look for the soft spot," Davie says. "We can take our cues from portions of the world that have already migrated to EMV. If you look at the U.K., parts of the E.U. [European Union], or even Canada, you can see that there is a pretty material increase in new types of fraud - specifically card-not-present fraud - once the migration to EMV is complete."
Besides, card-not-present transactions are already becoming prime fraud targets because consumers are buying more online, Davie adds. Within five years, e-commerce transactions are expected to exceed 200 billion.
What can institutions do to prepare for upticks in so-called CNP fraud?
Davie says institutions are likely to have the most success by implementing prevention and detection programs that involve the customer - something many issuers until recently have been reluctant to do.
Cardholder controls are effective, Davie says. "An institution offers through a mobility app or online banking application a tool that allows a cardholder to create rules that notify him when online transactions are initiated," he says.
Once the cardholder is notified, the transaction can be required to go through an extra authentication step, Davie explains. The process puts more onus on the cardholder, but can have a significant impact on reducing fraud over the long term, he says.
Tokenization, which removes the card number from the transactions, is getting more attention. But with so many questions surrounding how tokens should actually be used and deployed, Davie says it will be years before the industry successfully implements token solutions that are widely used.
Card networks and companies like Fiserv also are exploring ways to implement a chip authentication program, which would add an additional authentication layer for online transactions. But until EMV is fully rolled out in the U.S., that program will only have a limited impact.
During this interview, Davie also discusses:
- How internal risk systems and neural scoring can help mitigate CNP fraud risks;
- Why cardholder programs, such as 3D Secure, have not been widely adopted;
- Questions card issuers should be asking their service providers about necessary security enhancements.
Before taking the position of general manager within Fiserv's Card Services Risk Solutions business, Davie worked within Fiserv's Financial Crime Risk Management and Data & Analytics business units. Prior to joining Fiserv, he held leadership positions with credit-reporting businesses Cortera and Equifax.