Why EMV cards won’t stop CNP fraud.

Posted by

Why EMV cards won’t stop CNP fraud.

As U.S. banks deploy chip-enabled EMV debit and credit cards, most articles on the subject imply the new cards will dramatically reduce fraud. According to a 2014 report by Aite Group, 37% of all U.S. credit card fraud involved theft of credit card numbers and reproducing them on fake magnetic stripe cards. Because EMV card technology utilizes a unique one-time code created by the chip for each transaction, it is unlikely fraudsters will be able to produce counterfeit cards which mimic the original, meaning fake cards will essentially disappear. Is it time to celebrate?

Not quite. While EMV technology will make it more difficult to produce a counterfeit card, expect a surge in online purchases using stolen card numbers. Online purchases are known as “card not present” (CNP) transactions and they do not utilize the benefits of EMV technology. Other countries which migrated to EMV saw substantial increases in CNP fraud including the United Kingdom, France, Canada and Australia. For more information, download the “Card Not Present Fraud” whitepaper from the Smart Card Alliance.

To combat this method of fraud, institutions will likely have success involving the customer through mobile or online notification rules associated with CNP transactions. While many issuers have been reluctant to involve the customer, these types of prevention and detection programs are gaining interest.

A unique solution to the CNP fraud issue was recently announced by Oberthur Technologies  of France. Oberthur has created a card which includes a miniature screen on the back that displays the CVV security code. Unlike printing a CVV onto the card, this “Dynamic Security Code Card” automatically refreshes with a new CVV every hour. As a result, it would be nearly impossible to steal the card information and use it for fraudulent online transactions. This type of passive security also overcomes concerns regarding secondary customer notifications and approvals.

Full deployment and acceptance of EMV will take many months – if not years – following the October 2015 startup. It will be interesting to see how the industry responds as fraudsters put more strain on the still-vulnerable Card Not Present online transaction.