Adoption of Chip-Based Credit Cards Pushes up E-Commerce Fraud

Having replaced the magnetic stripes over the past decade in virtually all developed countries except the U.S., the EMV technology powering all chip-based bank cards has now been standard in these places for several years. Finally, following a decision by Visa to make it mandatory for U.S. payment processors to ensure support for EMV by April 1, 2013, we too are set to begin the shift to EMV, although it is very unlikely that we will see anything like a full-scale replacement of the mag-stripes anytime soon. Still, that’s a step in the right direction.

And so there has been a constant stream of announcements of U.S. banks issuing EMV cards. Bank of America has now become the latest big issuer to do so, following similar moves by rivals JPMorgan Chase, Citigroup and Wells Fargo. But EMV, even when fully implemented, is no panacea. In most countries, which have already adopted the new technology, the overall fraud losses on card transactions have fallen substantially. However, that has not always been the case for card-not-present transactions, whose fraud rate has invariably risen following the shift and in some countries is yet to fall to pre-EMV-implementation levels. That is true for France and a new report indicates that it is also true for Australia. Let’s take a look.

The British and French Experience

Let’s first focus our attention on the two countries, which were the first to adopt EMV: the U.K. and France. Here is how the overall card fraud loss rate in the U.K. has been affected by the EMV adoption:

So the EMV effect has clearly been a beneficial one. However, while card-present fraud has indeed decreased dramatically, card-not-present fraud has gone the other way in the years immediately following the event and, although it has been decreasing since 2008, it is yet to fall to its pre-EMV level. Here is the card-present chart:

And now here is the card-not-present chart:

However, the French experience has been quite different. Overall fraud losses have increased in every year since the shift to EMV took place in 2004:

Similarly to the U.K., face-to-face fraud losses have decreased, although not as steeply:

However, fraud losses from card-not-present transactions have shot up and, in contrast to the British experience, kept rising:

The Australian Experience

A new report from the Australian Payments Clearing Association (APCA) tells a story that has more similarities with the French experience than with the British one, but with its own twist. Here are the main findings for 2011, as compared to 2010:

• Total fraud (cheque and payment cards) rates have risen from 11.4 cents to 16.2 cents in every $1000 transacted. The incidence has increased from 16.6 to 21.3 in every 100 000 transactions.
• Cheque fraud rates fell from 1.3 cents to less than one cent (0.7) in every $1000 issued. The incidence fell to around 1 in 300 000 transactions.
• Proprietary debit card fraud fell significantly from 7.9 cents to 4.9 cents in every $1000 transacted. The incidence has also decreased to 2.5 from 1.3 in every 100 000 transactions.
• Scheme credit, debit and charge card fraud increased from 67.2 cents to 96 cents in every $1000 transacted. The incidence has risen from 38.4 to 51.7 in every 100 000 transactions.

One of the report’s authors also notes that EMV (chip-and-PIN, as he calls it) has reduced the “skimming and counterfeiting of cards”, which must mean that face-to-face fraud has fallen. So the overall rise of card fraud must be the result of a spike in card-not-present fraud.

The Takeaway

The reason card-not-present fraud tends to spike following EMV adoption is that fewer fake cards are produced and used in fraudulent face-to-face transactions. However, in an e-commerce environment you do not need a counterfeit card, whatever the technology behind it. All you need is the account’s information: cardholder name, card number and expiration date, security code (not all merchants ask for it), etc. And so the upshot is that, as criminals are finding it more difficult to penetrate the face-to-face market, they are doubling up on its card-not-present segment. So the lesson for U.S. e-commerce businesses should be to get ready for the EMV-induced fraud explosion.

Image credit: Simplypr.net.