EMV Leads to Increased Digital Risks This Holiday Shopping Season

Posted on by Alisdair Faulkner

The deadline for U.S. retailers and credit card processors to adopt the Europay-MasterCard-Visa (EMV) global standard chip cards passed in October, and those who have yet to adopt the technology will now be liable for any point-of-sale (POS) fraud losses. Given the high-profile retail data breaches in recent years—including Home Depot, Michael’s, Neiman Marcus and Sally Beauty—all of which were the result of POS fraud, traditional magnetic stripe cards have proven to be effective no more.

EMV fraudEMV technology eliminates many security risks associated with traditional magnetic stripe cards, making it much more difficult for cybercriminals to compromise in-store transactions. In 2014, U.S. retailers lost about $32 billion to fraud, up from $23 billion just a year earlier— much of it due to the weak security of credit and debit cards. Retail attacks show no signs of slowing down—in Q3 2015, ThreatMetrix detected approximately 45 million e-commerce attacks, a 25 percent increase over the previous quarter.

While EMV cards will certainly cut down on in-store fraud, the countries that have already adopted EMV have seen a significant increase in online fraud, and the U.S. is not expected to be an exception. In fact, online fraud increased 21 percent in Europe in 2012— including on e-commerce and online banking websites— in part due to the introduction of EMV cards.

Cybercrime threatens the digital holiday season

The National Retail Federation has dubbed this year’s the “digital holiday season,” as nearly half of all holiday shopping will be done online, and the percentage of those purchases that will come from mobile devices will be the highest since the 2011 shopping season. As EMV pushes cybercriminals to shift from in-store to online fraud, they are using bots (a software application that runs automated tasks) to increase the efficiency of attacks on breached data, such as login and payment details. Stealthy Bots that use ‘low-and-slow’ techniques to evade brute-force protections make attacks harder to detect and prevent, so consumers must stay diligent about where they shop and where they store their credit card details online.

Given the shift to online fraud and the use of bots for more sophisticated attacks, businesses must implement additional security measures to protect consumers during the holiday season—and year-round. These include:

Assess digital identities: Businesses need to put online security in place that cuts down on fraud without having a negative impact on the customer experience. Organizations looking to operate successfully online in an era of high-profile data breaches must have a 360-degree view of the related identities, behaviors and threats associated with a user’s device to have a more complete view of whether they are a valuable customer or a cybercriminal. Along with cutting-edge fraud and security analytics, such technology gives an incredibly accurate portrait of a consumer’s cross-device and cross-channel history and interactions. Understanding consumers’ digital identities decreases fraud losses by up to 90 percent, and lowers operational costs related to fraud up to 50 percent, by decreasing reliance on costly step-up authentication and manual reviews.

Leverage anonymized shared intelligence: A global network of shared intelligence correlates seemingly disconnected security incidents in real-time to establish a user’s true digital identity, which is continuously evaluated in the context of each and every interaction. Much progress has been made on automating intelligence about malware threats, but the greatest advancement against cyberthreats will not happen until we have shared intelligence about identity abuse in the wake of data breaches and associated digital debris.

From a consumer perspective, the shift to EMV is good news, as it will make it more difficult to counterfeit credit cards and make fraudulent purchases in stores. However, from an e-commerce website and banking perspective, fraud is shifting to online channels, meaning businesses also need to shift their online security strategies to protect consumers this holiday season.

Alisdair Faulkner

Chief Product Officer, ThreatMetrix


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs