The Rise of Online Card Not Present Fraud in a Post-EMV World

Payments Leader

Posted on June 16, 2016

CNP Fraud with EMV

Encouraging a Healthier Balance between Security and Convenience

Commercial delivery models are evolving with ever increasing speed. As we migrate to a world of real-time fulfillment and digital downloads, the response time to respond to fraud attacks is shrinking. Scams and swindles are becoming more sophisticated with card payment fraudsters elevating their game and empowered by technology. Our recent article on Friendly Fraud highlighted some of the issues faced by Main Street retailers (card present, or CP) during the transition to EMV, but the online (card not present, or CNP) world faces a massive rise in fraud attacks over the coming years.

Inevitable Spike in Online Fraud

The U.S. online card payment market is bracing itself for a period of persistent fraud attacks. CNP fraud is expected to grow by at least 100 percent by 2018 with significant consequences for small and medium businesses as well as enterprises. Companies need to urgently shore up their payment origination processes in order to stem the tide.

Compliance with EMV has addressed many of the security issues for counterfeit CP fraud, but as EMV shuts down one avenue, the fraudsters increasingly go online where rich pickings are easier. CNP fraud already represents almost half of the total card fraud in the U.S. The reduction in counterfeit fraud that EMV brought is certainly good news for the issuers that have been enduring rapidly rising fraud rates, but criminals will not idly sit by and just absorb this hit to their bottom line. Every other country that has adopted EMV has seen a precipitous increase in attacks on the CNP channels, up to 300 percent rises in Europe, and the United States will be no exception.

The uncomfortable truth is that card credentials are readily available to those that want them; the card information is already out there due to data breaches and any number of other reasons. And since EMV, it is easier to initiate fraudulent online transactions than risk a CP attack on Main Street.

Giving Up Security for Convenience

A variety of online authentication solutions for eCommerce have been available for over two decades; so why aren’t they ubiquitous? Inevitably, some merchants just do not understand the risks of conducting business online, but many others see occasional fraudulent transactions as a necessary evil of operating in the online environment. Main Street retailers typically accept that there will be a small percentage of customers who shoplift, but they still take extensive precautions to protect themselves. The reality is that merchants strive to streamline customers’ online sales experience as much as possible; additional security steps in the process are perceived to put the transaction at risk with many customers abandoning their shopping carts or backing out of the payment at the last minute. For merchants, the buying experience must be seamless, ideally with just one click. Any additional security steps to authenticate the cardholder are perceived as too cumbersome and have a direct impact on sales.

In an adaptation of Benjamin Franklin famous line that he who gives up freedom for safety deserves neither, are the merchants who give up security in the interests of freedom equally foolish? Some merchants are knowingly taking a hit on some fraudulent cardholders in order to provide a smoother buying experience, but given many merchants’ lack of self-protection, are they making it all too easy for the swindlers?

What about incentivizing cardholders to use more secure channels? Could the networks or merchants do more? Currently, cardholders are at little or no risk when making online purchase, or even having card credentials stolen – the card networks and issuers protect them. Consumer protection is a good thing of course, but this results in customers having no reason to do anything extra to prevent fraud by stringently validating who they are at the POS. However, consumers are now beginning to wonder about the underlying safety of their transactions.

Solution Rejection

The good news is that merchants can implement an array of technologies that have evolved and matured in order to blunt the impact of the rising tide of threats. But given the technology-rich environment online eCommerce operates in, and the availability of powerful security and identity authentication mechanism, why don’t more Internet merchants apply the solution?

Tokenization is a great complement to EMV; it essentially picks up where EMV leaves off in the card security continuum. EMV secures the communication between the card and the POS terminal, using dynamic data to effectively prevent counterfeit fraud. Behavioral analysis tools detect fraud by monitoring the user session and transactions to detect suspicious activities or patterns. Behavior analysis technologies can also highlight anomalies indicative of suspicious activity. 3-D Secure is a protocol designed to add an additional layer of authentication to CNP transactions form Visa, MasterCard and American Express. A key value driver for merchants is that when they invoke 3-D Secure for CNP transactions, the fraud liability shifts to the issuer, even if the issuer does not have the corresponding Access Control Server infrastructure on its side. Address verification systems offer a basic level of security that confirms postal addresses associated with cards, but can be easily overcome depending on how fraudster got the card credentials. Biometrics has been touted as a simple way to authenticate cardholders, but end-user hardware inconsistency hampers more widespread usage. Card networks have attempted multiple opt-in schemes where cardholders enroll in a program and are given a unique PIN/password for entering at the POS for secure authentication. But pre-registering is an inconvenience for cardholders who see little incentive to go to the trouble of registering given that they are not the ones at risk. Multi-facto authentication is more certainly more secure, but the process cumbersome and often consumers forget their password and leave without purchasing.

Even some basic validation such as an email to the cardholder to confirm the transaction is deemed too intrusive. It seems any friction that may lead a customer to abandon a purchase causes some merchants to never even opt in.

There’s No Denying the Inevitability

Card fraud is rapidly escalating at the POS and in CNP channels. The arrival of EMV will certainly help quell counterfeit fraud, but the experience of other countries shows that the arrival of EMV will do nothing to stop database breaches, and CNP fraud will rise precipitously unless preventative measures such as tokenization, behavioral analytics and 3-D Secure are adopted.

We know more CNP fraud is coming to the U.S. We know how to reduce it. And we also know that CNP fraud is always evolving, so our anti-fraud practices must always evolve, too. Merchants and other players in the U.S. payments system need to stay alert, batten down the hatches and remain vigilant as the fraud landscape undergoes big changes over the next several years.


  • Could the networks and/or merchants do more to incentivize cardholders to use stronger authentication at POS?
  • What measures can merchants realistically take to encourage cardholders to accept that extra security will require an additional click in the buying process?
  • Will a liability shift towards merchants be the only way to oblige better security for online commerce?


Leave a Reply

Payments Leader

Payments Leader from FIS provides insights on credit, loyalty, fraud and emerging payments strategies through blog posts from our industry experienced authors.