
EMV standards have helped reduce fraudulent transactions considerably, but this has forced fraudsters to move online. As chip migration for card fraud accelerated across major markets, criminals adapted quickly rather than stepping back. In the year 2016, fraud in the online space increased by 30% (Source: Radial's eCommerce Fraud Technology Lab). Also, in the first quarter of 2017, credit card testing increased by 200%.
Credit card testing actually is the bigger problem. It allows criminals to identify which stolen credit cards are still active, enabling them to process fraudulent transactions. The biggest online fraud cases in 2016 involved entertainment, jewelry, and sporting goods, which can be easily resold. Most merchants operate in the less secure card-not-present environment, and they are susceptible to high-value credit card fraud. What makes EMV card fraud online particularly difficult to contain is that the same chip technology that secured the physical point of sale offers zero protection in a card-not-present environment.
Fraudsters buy stolen credit card numbers in thousands from sources on the dark web. The first thing they do after that is identify the active cards by running credit card tests, as the window of opportunity is short before customers block their cards.
Many fraudsters invest in high-end server farms and hire skilled developers to automate credit card payment testing. These scripts can attempt large numbers of small-value transactions on thousands of accounts in a quick blitz and track the active cards. Those active cards are then used to make high-value purchases. The EMV online fraud shift has essentially handed organized fraud operations a new environment to work in, one where speed and automation make detection difficult by the time the damage is done.
What makes this a direct consequence of chip migration in card fraud is that closing off the physical point of sale did not reduce overall fraud activity. It redirected it. Fraudsters who previously relied on counterfeit cards at terminals moved their operations online, where the barriers to entry are lower and the volumes they can process are far higher.
If merchants do not run a fraud-prevention program, they will be liable for high-value transactions that customers later contest. However, if they are overly aggressive in their fraud prevention program, they risk rejecting legitimate transactions. The moment legitimate transactions are rejected, the brand's value is hit by word-of-mouth publicity from dissatisfied customers.
This combination is difficult for merchants to manage. They need to find a way to reduce customer friction while preventing fraud and chargebacks. EMV fraud migration has made this harder because fraud patterns in the online space are less predictable than those for counterfeit card fraud at the point of sale. A stolen card used at a chip terminal fails at the authentication step. The same stolen card number used via an automated script on a checkout page faces far fewer barriers, and the merchant often has no way to tell in real time whether a transaction is legitimate or made with the stolen card number.
The merchant should have a way to check whether card testing is occurring in their environment. That means that the security system should be tuned to identify patterns and flag problems for human intervention. Some of the things they ought to look for include small-value transactions, a large number of transactions over a short period, many transactions from different payment brands, and an unusually high number of authorization failures. Catching these patterns early can significantly reduce exposure to fraud before it escalates into a chargeback problem.
However, you can use simpler ways to avoid this testing by asking users to complete the CAPTCHA box without creating friction in the sales process. Also, you can opt for two-factor authentication, as they do in India for all card-not-present transactions, where an OTP is sent to the registered mobile number, or you can enter the predefined card verification code. There are reports that sophisticated fraudsters can also spoof the OTP. To counter this, payment brands are now implementing biometric-based secondary authentication to process transactions.
For merchants processing high volumes, blanket fraud rules can create as many problems as they solve. It could block too broad and legitimate customers in the filter. Risk scoring takes a different approach by evaluating each transaction on its own signals and applying friction only where something looks off. It is a more practical middle ground between letting fraud through and turning away good customers.
To protect card-not-present transactions, Visa developed the 3DS 1.0 specifications. Although it resolved problems for merchants regarding web transactions, 3DS 1.0 offered no support for mobile transactions. Additionally, it added significant friction for customers during checkout, leading to abandoned transactions and lost revenue for merchants.
To address the challenges faced by customers and merchants in 3DS 1.0, EMVCo introduced 3DS 2.0, which enabled transactions on both web and mobile interfaces. It also provided several options for frictionless authentication and transactions for customers, such as biometrics or one-time passwords. For lower-risk transactions, the customer moves straight through checkout without any additional steps. For higher-risk ones, a challenge is triggered. 3DS 2.0 is becoming a global standard, enabling merchants to authenticate cards across all payment brands easily.
The broader adoption of 3DS 2.0 is one of the more practical industry responses to EMV fraud migration. As chip migration secured the physical point of sale, the payments industry needed a comparable layer of protection for online channels. 3DS 2.0 is the closest thing to that, and markets that have pushed its adoption are already seeing the benefit in lower card-not-present fraud rates.
The fraudsters did not stop when chip migration picked up. They adjusted. For merchants, EMV compliance at the point of sale is necessary but not enough on its own. Card-not-present fraud requires a separate set of controls, and the merchants who build those controls now will be better positioned as online transaction volumes continue to grow.