Mercator Blog

U.S. Merchants Strike Back Against Card-Not-Present Fraud in Online Transactions
Date: December 9, 2016
Raymond Pucci
Associate Director, Research Services
With the transition to EMV chip cards in the United States beginning in October 2015, most merchants believed they would gain strength in the battle against payment card fraud. While counterfeit card rates in the U.S. have historically been low, observers anticipated that counterfeit card fraud at the point of sale (POS) would decrease even further with the shift to EMV chip cards. MasterCard reports that from April 2015 to April 2016, counterfeit fraud costs dropped 54% at U.S. retailers who had completed or are close to completing EMV adoption. But card fraud is becoming a tale of two channels now because online fraud attempts are rising.

Welcome to the world of card-not-present (CNP) fraud. The phenomenon is new in the United States but not in other world markets that made the transition to EMV earlier. Mercator Advisory Group and many other U.S. observers have watched how international markets dealt with CNP fraud for some time. Watching must now lead to action as the incidence of CNP fraud is rising in the United States.

Forter, the fraud management vendor, reports that its network saw a 27% increase in online fraud attacks from fourth quarter 2015 to first quarter 2016, the beginning of migration to EMV in the U.S. Although the likelihood of fraudsters’ transitioning to online attacks was anticipated, U.S. payments providers and their stakeholders are now asking: What can we do about it? In response, an industry of vendors providing technology to detect and deter CNP fraud has arisen and is giving merchants the means to strike back.

Card-not-present fraud has existed since the early days of the credit card. There is risk in any transaction where the plastic cannot be physically presented. Mail orders and telephones orders (MOTOs) qualify in this regard, and merchants experienced CNP fraud before the advent of the Internet. Fraudsters typically use information stolen from credit card records that they have either hacked or purchased on the so-called Dark Web. The pipeline of stolen records is filled from data breaches that occur with alarming regularity. The nonprofit Identity Theft Resource Center reports 687 data breaches in the United States exposing 28.8 million card records from January through September 2016. While the vast majority of CNP fraud would not occur without online transactions, the EMV transition has driven fraudsters to take advantage of a lucrative window of opportunity.

For more information, the Mercator Advisory Group research report, Card-Not-Present Fraud: The Merchant Empire Strikes Back, delves into the current state of CNP fraud and where e-commerce merchants should go from here.