Have the credit and debit cards in your wallet been upgraded to chip cards yet? If not, they probably will be soon.
Implementation of the EMV protocol for secure credit- and debit-card processing in the U.S. is already underway. Banks and card issuers have begun putting chip cards in the hands of their cardholders, and experts predict that 90 to 95% of all payment cards in the U.S. will be EMV-ready by 2016. EMV’s momentum is being fueled by the upcoming October 2015 liability shift, when merchants will start assuming liability for fraudulent transactions if they don’t support EMV processing.
While EMV chip cards look just like standard magnetic stripe cards, they contain a microprocessor, or chip, that enables every transaction they initiate to carry a unique cryptogram. That cryptogram is validated by the issuer, and it’s difficult for criminals to break it and steal card information or create counterfeit cards. Additionally, to complete an EMV transaction, the cardholder must be present to enter a personal identification number (PIN) or provide a signature.
So what exactly does this mean for e-commerce? It’s clear that much of the added security that EMV provides is dependent upon the shopper having physical possession of the card. And in e-commerce, that’s not a possibility. As payments at the point-of-sale become more secure via EMV, how can e-commerce merchants better protect online transactions? This is where advanced fraud-prevention tools and security measures become even more important.
Below are some fraud-prevention measures e-commerce businesses can take to protect both themselves and their customers.
Tokenization
Tokenization removes sensitive cardholder information from merchants’ systems by substituting a credit, debit, prepaid or checking account number with a string of numbers known as a token. Each token is specific to that business and useless to anyone else who might try to use it.
Tokenization can also reduce the scope of merchants’ systems that fall under PCI DSS (Payment Card Industry Data Security Standard) compliance requirements, thereby reducing the costs and man-hours associated with the auditing process. This can extend beyond production systems to include failover systems, disaster recovery (“backup”) systems and testing environments.
End-to-End (E2E) Data Encryption
End-to-end encryption masks full credit-card data while it’s in transmission from checkout to the authorization network and back. This encryption substitutes the full credit-card number with meaningless characters so the real card data is never visible and can never be used for fraud.
Advanced Fraud Detection
Advanced fraud-detection techniques, including device fingerprinting, IP proxy piercing and IP geolocation, can help provide more decision points for accepting or declining card payments based on past suspicious activity. Here’s a closer look at each of these techniques:
- Device Fingerprinting: Device profiling technology gathers device attributes from every user interaction. These attributes might include browser information, screen size, software versions, etc., all of which are unique to that device. This information can be used to detect anomalies common to fraud by flagging behavior that deviates from the unique fingerprint and reputation of each device.
- IP Proxy Piercing: Fraudsters often try to conceal their true origin by routing their browsing through an IP proxy or VPN. This makes it hard to distinguish good-faith visitors from those who are cloaking their identity and intentions. IP proxy piercing technology exposes the true IP address of every transaction.
- IP Geolocation: Determining each transaction’s precise origin is an essential part of fraud detection. IP geolocation combines with IP proxy piercing to identify the customer’s true location.
EMV has long been in place in other parts of the world and has significantly reduced card-present fraud in those regions. However, research shows that the decline in card-present fraud was often accompanied by a substantial uptick in card-not-present fraud. What will this look like in the U.S.? Only time will tell. In the meantime, merchants should consider all security tools at their disposal to provide the best protection for their e-commerce customers.
For more information about how EMV affects e-commerce, contact Mercury®. To see if your business is ready for the shift to EMV, check out Intuit’s EMV quiz. If you feel like you’re ready for the move, see the Step-by-Step Guide to EMV Migration or the EMV migration infographic.