With all of the discussion about credit card fraud, and how cards with EMV chips might have prevented much of the Target credit card breach, it’s easy to assume that those chips solve all credit card fraud. But they aren’t a panacea. In fact, more secure credit cards could mean an increase in other types of credit fraud.
Experience in Canada, the U.K. and Europe has shown that once EMV-equipped cards that require PINs are widespread in an area, certain types of credit card fraud drop dramatically.
Everything depends on who is holding the card when a transaction is attempted.
In situations where the credit card is physically present, such as when you’re using the actual card in a transaction where there’s a card reader, then the chip and PIN system virtually eliminates the use of lost, stolen or counterfeit credit cards.
Because of the way the embedded microprocessor in the credit card works, creating a fake card is impossible. And using a lost or stolen card means you have to also know the PIN.
But there’s a rapidly growing segment of commerce in which the card is never presented to the merchant, including when you’re buying something online. You’ve probably noticed that you have to enter your credit card information into a form when you’re buying something from Amazon, for example.
When the card isn’t physically available to an online merchant such as Amazon, it’s impossible to use the chip and PIN method of verification. This is the area where credit card fraud has surged, because thieves want a place to use stolen numbers once the ability to use then in stores dries up.
To validate the use of a credit card for e-commerce, you will need to verify a card number, the expiration date, and something called a credit card verification number (CCV), which will either be those three numbers on the back of your card, or the four numbers printed on the front of an American Express card. Those numbers aren’t supposed to be available on the cards mag stripe, but rather are verified when the card is approved with the credit card issuer.
“I’m not convinced that the CCV works,” said Tim Russo, fraud team leader for the Chicago office of Cleverbridge, an e-commerce provider and processor for online merchants. Russo said that some earlier versions of the CCV are captured on the mag stripe of some credit cards.
EMV Chip Adoption Will Push Scammers Into Other Types of Credit Fraud
He also noted that some merchants actually enter the number in a transaction where the card is present, and store it in their records, which opens it up for fraudulent use if the merchant’s computer records are compromised.
In addition, Russo noted that in many cases the CCV isn’t passed along to the e-commerce provider even if the customer provides it, since it may go straight to the financial institution. Because of this he said that e-commerce providers need to conduct additional verifications to confirm that a card being used for payment is actually legitimate.
Accomplishing the necessary verification requires that the merchant, or the e-commerce provider, check a variety of details about the card being presented and about the user. For example, he said that it’s important to make sure that the purchaser is actually located where they say they are, so if a purchaser ostensibly located in the United States has an IP address for China, there’s probably a problem.
But it’s also important that the merchant pay attention to details. For example, if a credit card number and its related details such as the expiration date, or CCV number don’t match, it’s a good idea to ask for further confirmation that the purchaser is legitimate, or even to decline the charge.
Russo said that some merchants are reluctant to use verification such as CCV checking because they feel that it gets in the way of the sale. However, there will be a liability shift in the credit card industry in October 2015 in which merchants who don’t use available security measures, including chip and PIN, and CCV confirmation for online sales, will be held responsible for fraudulent charges, rather than the banks as it is now.
This means that online merchants will need to take all available steps, including the proper use of CCV numbers as well as other means of identity confirmation, to avoid being held responsible for fraud. This in turn means that the online merchant’s employees need to be aware of the increased risk of fraud.
To accomplish all of that requires education and training. “You have to train your people,” Russo said. “You have to empower them to make decisions.” Those decisions may include declining to accept a suspicious charge, even if it annoys a customer. It is, after all, for the customer’s protection in addition to yours.