We fielded your questions during last week’s webinar – Eight Months of EMV: Early Fraud Shifts and Trajectory – and here are the answers.
We absolutely love it when our webinar audiences are energized, engaged, and bursting with well-crafted questions. During our recent webinar with Julie Conroy of Aite Group and iovation’s Michael Thelander, you raised some excellent points. Below, Julie and Michael explore the answers.
I am a merchant. I sell digital goods (subscriptions). My competitors’ websites are one click away. What is the most important thing I need to focus on without worsening User Experience?
Referring to slide 25 of the webinar presentation, virtually any of the controls marked “low friction” would be a good bet. Passive authentication methods, those which are effectively transparent to the end user, provide assurance without reducing usability: device fingerprinting, behavioral analytics, and tools that run in the background like malware scanners.
Is there a way to account for the overall growth in eCommerce sales contributing to fraud? How much fraud is growth v. impact of EMV?
Great question, and one where the answer varies by time and by country. As Julie pointed out in the webinar, there was a period of time when Australia’s growth in CNP fraud actually outstripped the country’s growth in digital ecommerce. But most countries don’t track these numbers as well as Australia. (As an aside: It’s unlikely, at this point, that any growth we see in online fraud is directly attributable to EMV, but this research suggests we’ll see it soon.) According to InternetRetailer, ecommerce in the U.S. continues its healthy growth, with 14.6% last year, or six consecutive years at or near 15%. By comparison, the projected growth in CNP fraud for 2016 alone (from the presentation on slide 19) is about 20%. However, the overall amount of fraud is just a sliver of the total value of the channel, so the fraud is clearly not enough to offset the overall benefits. But it’s certainly enough to eat away already slim profit margins.
What are your recommended solutions for addressing CNP and ATO fraud?
Any of the “low friction” methods and controls highlighted by Julie in her research (slide 25 of the webinar presentation) is a great places to start. We like device fingerprinting because it’s getting stronger and stronger, is relatively easy to implement and has a minimal cap ex component. We especially like it when it’s coupled with other low-friction methods: behavioral, malware detection.
Follow up Question: When you consider decrease in counterfeit fraud and increases in CNP/ATO fraud, what do you foresee as the net impact?
In many cases, the net difference will be zero: the reduction in counterfeit fraud will, over time, shift over to CN and ATO fraud. Some of the data collected in the report reflect this. But the outcome will vary from region to region, and even from issuer to issuer depending on their willingness to implement new controls.
When can we expect cards to stop being issued with magstripes?
Because most card issuers need their cards to work in many different countries and regions – some of which have different regulations, timelines, and user expectations – the magstripes may be present for up to 10 years before disappearing completely.
Do issuers have the liberty to issue a Chip and PIN card? Target cards are Chip and PIN while most other issuers have Chip and Signature cards.
The short answer is yes. The U.S. is one of the only markets to give issuers a choice of card verification mechanism. Single-store cards, those that are only use within one organization like Target cards or JC Penney cards, have elected to be Chip and PIN because the cardholder has a compelling reason to use the store’s card, in the form of rewards. The competition is much fiercer for general issuance cards, so most issuers have opted for the easier chip-and-sig experience, rather than risk the consumer forgetting the PIN and sending that card to back of wallet in favor of another card that employs chip-and-sig.
What does Julie think about the future of biometrics? I hear that it does not really work and adoption is low.
Biometric solutions have a very bright future. But the individual methods, like all technologies, will need to mature. And at the end of the day, biometrics are a static data element and introduce friction, so they need to be invoked as part of a layered fraud prevention strategy.
What steps can Merchants take to minimize CNP fraudulent transactions?
Think seriously about layered authentication, using digital fingerprinting and device-based authentication methods. These are affordable, highly reliable, and most importantly don’t reduce usability of your property or app.
Do you have a slide showing the % of fraud relative to the growth of the CNP channel?
See Slide 19 in the deck—this should illustrate the data numbers you’re looking for.
Can the chip information be captured from tapping the wallet or purse that contains the card? Our Compliance Officer is making this statement in training sessions, but I have not heard this from any webinars that I have attended.
While some chip-enabled cards may also support contactless payments using near-field communication protocol, or NFC, very few U.S. issuers have chosen to issue contactless cards. This tap-to-pay functionality works similar to the way you’d pay with Apple Pay or Google Wallet on a smartphone. The reality is that skimming contactless cards is not a scalable form of fraud—criminals get much bigger bang for their buck via data breaches and putting skimming devices at the POS and in ATMs. As I speak with European issuers, none of them have seen any notable losses from NFC skimming.
What is the difference between Device Fingerprinting and Device Binding? Also, how does Mobile Operator Data help in "Layered Authentication?”
“Device Fingerprinting” is the overall process that uses a number of specific attributes to create unique ID that can be used as an authentication factor. “Device binding” is a step within that process, the act of pairing a device ID to a specific account or a transaction.
In the U.S., do issuers have the choice to issue a Chip and PIN card?
Technically, yes they do. But because of the competitive nature of the U.S. market, in which concern over customer attrition is high and lost and stolen fraud is low (the only type for fraud the PIN helps with), the majority of issuers have opted for Chip-and-Sig.
Register Now for Our Next Authentication Webinar
We wholeheartedly thank everyone who attended the webinar and contributed to the discussion!
Next up, we’re holding another webinar that’s sure to be an equally-riveting discussion: AuthentiThings: The Pitfalls and Promises of Authentication in the IoT. So don’t miss it. Register now to secure your spot.