EMV Forces Hackers Online

Thursday, June 04, 2015

EMV acceptance is well underway as many U.S. businesses prep for the October 2015 liability shift. Sigh of relief for card data security, right? Not so fast…

Long lauded as the solution to counterfeit fraud at the POS, EMV won’t be putting hackers out of work anytime soon. They will simply move their business from card-present fraud to the weaker link in the payments chain—online or card-not-present (CNP) fraud, which accounts for nearly 10 percent of retail sales.

The transition to replace magnetic stripe payment cards with more secure chip cards is good news given the increasing volume of major systems breaches. According to the Identity Theft Resource Center, there were 761 breaches and 83,176,279 records exposed in 2014, which is up an incredible 27.5 percent over the number reported in 2013.

While EMV has been proven to make it more difficult for hackers to attack card-present transactions (the U.K. has seen a 63 percent reduction since implementing chip cards), it does not extend itself to CNP environments. Furthermore, EMV does not address other pressing security issues afflicting merchants—like POS intrusions.

Aite Group
predicts that CNP fraud will jump $3.3 billion to $6.4 billion by 2018.

The prediction played out in other countries that switched to EMV years ago. The U.K. reported a 79 percent increase in CNP fraud, and Canada reported a 133 percent increase following the implementation of EMV.

Apparently these numbers could have been worse. What these countries had going for them at the time was that hackers could simply cross into the magnetic stripe-reliant U.S. to commit counterfeit fraud. Being a latecomer to the EMV game, the U.S. does not have that luxury.

Even more unfortunate is that online sales in the U.S. are skyrocketing and expected to top $334 billion this year and hit $480 billion by 2019, according to Forrester Research. This growth will in turn drive a large increase in CNP fraud.

So now what?

E-commerce businesses will need to raise their game in fraud prevention. According to the EMV Migration Forum, a pro-EMV industry group, there are several precautions designed to deal with the expected onslaught of CNP fraud, including:

  • Authentication methods: Device authentication, one-time password, randomized PIN pads and biometrics

  • Fraud tools: Proprietary and transactional data used for fraud analysis and risk management, and validation services

  • 3-D Secure: messaging protocol that enables real-time cardholder authentication during an online transaction

  • Tokenization: Replaces card data with a “token,” which has no value outside a specific merchant or transaction


As a leader in data security, Heartland developed SecureSubmit with tokenization to help reduce CNP fraud by eliminating sensitive cardholder data from your customer’s application.

It’s simple to integrate. SecureSubmit is a jQuery plugin that requires minimal initialization code. And it works seamlessly with all major browsers. You can refine the payment submission process through several configuration options. In addition, Heartland can perform basic (AVS, CVV) and advanced fraud screening against every order.

So if you think EMV was going to put the fraudsters out of work, think again. It’s only a piece of the data security puzzle. The best protection against the redirection of card fraud from in-store to the card-not-present channel is to create a multilayered approach.

Click here to learn more about Heartland’s SecureSubmit with tokenization