The road not token: How fraudsters beating EMV could hit a dead end in 2017
EMV has been a much-discussed payments topic in recent years. And when the EMV liability shift occurred in 2015, millions of mag-stripe debit and credit cards were traded in for chip-enabled cards. The goal: to prevent consumer data theft and tighten security at point-of-sale terminals.
Despite some slow rollouts of EMV-capable retail terminals, the shift to more secure chip cards has indeed slowed counterfeit card fraud. In September 2016, Visa announced that fraud among retailers who adopted EMV protocols had dropped 47 percent. That compares to an 11 percent increase in fraud among retailers that had not embraced the new standard.
However, criminals are adaptive creatures. Making theft more difficult in one arena only pushes crime to a more vulnerable one: in this case, card-not-present transactions. In its 2016 Holiday Fraud Index, the omnichannel commerce and technology provider Radial reported a 30 percent increase in online fraud attacks across all market segments since the launch of EMV.
So how do banks close the fraud gap EMV leaves? Some of the most promising development comes from biometric identifiers, dynamic security information and tokenization; each protects a particular vulnerability in card security. Already finding use in the financial industry, these technological advancements can better protect cards and digital wallets, while also providing a more secure environment to foster the growth of e-commerce.
Chipping in: A trio of fraud protections to bolster EMV
Biometric identification, once the domain of science fiction movies, is one of the most promising authentication methods. Using sensors in mobile phones, consumers verify their identity through their fingerprints, eyes or even facial recognition. The advantage to biometrics is that most markers are unique to each individual. And since the biometric is not a knowledge-based question, thieves cannot deduce an answer or use a brute-force decryption to figure out a password. However, resourceful criminals have shown that it is possible to spoof biometrics given a high-enough quality scan of a fingerprint or eye print. But this only helps thieves who target specific victims and is not yet practical for mass fraud attacks.
For consumers who use e-commerce websites, another promising development is the creation of a more dynamic card verification code: CVV2. Cards with a dynamic CVV will have a computerized screen on the back that displays the CVV2 number and changes it every 60 minutes, giving fraudsters a minimal amount of time to hack and then use that particular card.
But the most promising area of fraud protection–and arguably the strongest defense – is tokenization. By creating a unique token and replacing the static card number on a credit or debit card, tokenization establishes a method to create an encrypted dynamic transaction number, keeping the valuable account data secret from the merchant and eventually the consumer as well.
Tokenization as a tool: a stronger e-commerce ecosystem
As a secure payments tool, tokenization also opens the door to expanded digital commerce opportunities. For example, Amazon recently began testing Amazon Go, a checkout experience that completely transforms the way consumers shop. Through artificial intelligence, machine learning, computer vision and sensor vision, consumers will no longer have to wait in lines and can simply walk out of a physical store with merchandise without having to even initiate the payment process. If it is faster, better and easier, consumers will adopt the more convenient experience.
Tokenization makes transactions like this possible by using a digital token that is useless outside of the physical (or digital) store for which it is issued. Location-based geotags and digital wallets combine to make the shopping experience quick and easy.
Tokenization will also drive the future commercialization of the Internet of Things. Certain items such as refrigerators with TV screens can automatically update and manage grocery lists and food freshness. Soon consumers will be able to shop for their groceries through their refrigerators, TVs or cars. Since each transaction is linked to a digital wallet–secured by a token–all these devices have the potential to become a store.
But these innovations are only as useful as they are safe. By incorporating these new methods of fraud protection, financial institutions can provide the trust needed to ensure that card-not-present transactions become just as safe as chip-card transactions.
Criminals will not quit. But if the methods of theft and using valuable personal information prove too difficult or expensive to yield a profit, fraud can be pushed out of the card space.
Meanwhile, as tokenization and other protections reach critical mass, what will happen to the banks and merchants that fail to keep pace? Rather than try to predict a fearful future, it’s better to embrace proactive present. Don’t be the one left with a wide-open network.
Matt Herren is the product manager for payment analytics at Computer Services, Inc. (CSI). At CSI, Matt is responsible for product management of card operations, payment channels and data analytics with a focus on industry analysis, emerging technologies, profitability, and risk mitigation.