Securing the Digital World

Does EMV Make Online eCommerce Transactions Safer?

Jan 11, 2016 | by Angel Grant, CISSP

OK, let's get this out of the way quickly: EMV cards, the non-swipe, chip-embedded credit cards, are sturdy barriers against in-person credit card fraud. However, when it comes to card-not-present (CNP) transactions such as online eCommerce, where EMV is not a factor and where cybersecurity threats continue to proliferate, shouldn't the customer experience be as secure and convenient in the cybersphere as it is in brick-and-mortar stores?

Perhaps unsurprisingly, as the opportunity for face-to-face fraud diminishes, online fraud is projected to increase dramatically. In fact, according to data developed by Javelin Strategy and Research, card-not-present fraud is expected to be nearly four times greater than point-of-sale card fraud by 2018, eclipsing an astonishing $19 billion in online losses.

Research developed for RSA by the Aite Group found there were a wide variety of solutions available to merchants as well as issuers to secure the CNP environment, resulting in a layered approach to their respective defenses.

Card not present

For Issuers:

  • Invest in risk-based authentication for CNP transactions. CNP fraud is not just a merchant problem anymore. Thanks to the growing U.S. adoption of 3-D Secure, as well as the competitive pressure to ensure a consistent cardholder experience, effective CNP risk assessment is a shared burden. Issuers will see increasing volume of 3-D Secure transactions along with any resulting fraud liability. Risk-based authentication will help issuers to better assess transaction risk with few false positives and minimal impact to the customer experience.
  • Embrace tokenization. Merchant data breaches aren't going away. The best way to create a secure card environment is to remove the sensitive data from the merchant's system, so when the inevitable breach does occur, your cardholders will be protected.

For Merchants:

  • Invest in behavioral analytics. Behavioral analytics within the online and mobile channels are transparent to the end user, and provide a great way to detect the patterns indicative of attacks that are either imminent or underway.
  • Take advantage of fraud scoring systems. Such tools can essentially "rate" each online sale to determine its level of risk. Fraud scoring tools, which combine metrics and data points including IP filtering, geographic location, proxy detection, sales thresholds and more, help businesses identify and avoid high-risk and often fraudulent sales.
  • Embrace tokenization. In light of the current threat environment, you have to assume that the bad guys are going to get into your systems sooner or later. The best way to stay out of the headlines is to make sure that when they do get in, they don't get any valuable data.
  • Plan for 3DS 2.0. As the industry's "march" toward the complete and total eradication of static passwords continues into 2016, the traditional 3DS standard is becoming, in the not too distant future, "3DS 2.0." This 2.0 version, which is being developed in concert with key industry stakeholders, will incorporate requirements for a more frictionless user experience with advanced, intelligent risk-based authentication.
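
To make the fraud scoring recommendation above concrete, here is a minimal sketch of a per-sale scorer that combines the four signals the list names (IP filtering, geographic location, proxy detection, sales thresholds). It is an added example, not code from the article or from any RSA product; the networks, weights, threshold and decision cut-offs are all constructed assumptions.

```python
import ipaddress

# Constructed sample data (documentation IP ranges, not real threat intelligence).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # IP filtering deny list
PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]    # known proxy exit ranges
GEO_DB = {ipaddress.ip_network("192.0.2.0/24"): "US",     # IP range -> country
          ipaddress.ip_network("198.51.100.0/24"): "NL"}
SALES_THRESHOLD = 500.00                                   # assumed per-order limit
# Assumed weights; a real deployment tunes these against labelled fraud outcomes.
WEIGHTS = {"invalid_ip": 30, "blocked_ip": 60, "proxy": 25,
           "geo_mismatch": 20, "geo_unknown": 10, "over_threshold": 15}

def country_of(ip):
    """Look up the country for an address, or None if no range covers it."""
    return next((cc for net, cc in GEO_DB.items() if ip in net), None)

def score_sale(order):
    """Rate one CNP order; returns (score 0-100, reasons, decision)."""
    reasons = []
    try:
        ip = ipaddress.ip_address(order.get("ip", ""))
    except ValueError:
        ip = None
        reasons.append("invalid_ip")       # missing or malformed client address
    if ip is not None:
        if any(ip in net for net in BLOCKED_NETS):
            reasons.append("blocked_ip")
        if any(ip in net for net in PROXY_NETS):
            reasons.append("proxy")
        cc = country_of(ip)
        if cc is None:
            reasons.append("geo_unknown")
        elif cc != order["billing_country"]:
            reasons.append("geo_mismatch")
    if order["amount"] > SALES_THRESHOLD:
        reasons.append("over_threshold")
    score = min(100, sum(WEIGHTS[r] for r in reasons))
    decision = "decline" if score >= 60 else "review" if score >= 30 else "accept"
    return score, reasons, decision

if __name__ == "__main__":
    orders = [  # constructed orders
        {"ip": "192.0.2.10", "billing_country": "US", "amount": 42.00},
        {"ip": "198.51.100.7", "billing_country": "US", "amount": 120.00},
        {"ip": "203.0.113.5", "billing_country": "US", "amount": 900.00},
        {"ip": "not-an-ip", "billing_country": "US", "amount": 20.00},
    ]
    for o in orders:
        print(o["ip"], score_sale(o))
```

Returning the reasons alongside the score lets a "review" outcome be routed to step-up authentication or manual review with the triggering signals attached.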

Ultimately, there is a trade-off between usability and security. Balancing security with convenience for end users to ensure the rewards outweigh the risks is an individual decision, and one that's true whether you shop online or prefer to conduct your retail transactions in actual stores. For businesses that want to protect customers using either channel, technology today can ensure your customers' online or brick-and-mortar transactions are not only secure, but also convenient and trustworthy enough to keep them coming back for more.
