Will EMV Chip Cards Improve Ecommerce Security?

The United States is one of the final holdouts on EMV payment cards – the chip-based debit and credit cards currently used in Europe and much of the world. Come 2015, that will begin to change as Europay, Mastercard and Visa (hence the name EMV) pressure merchants and acquirers into making the switch en masse.

Why the push for a change in card payment method? The United States is rife with fraud from stolen and counterfeit magnetic stripe cards. According to the Nilson Report, businesses lost $11.27 billion to card fraud in 2012, and the US accounted for 47% of all global fraud while processing only 24% of payments by volume.

The computerized chip technology within EMV cards increases security and mitigates fraud significantly because each transaction involves a unique cryptogram that’s too difficult or expensive to fake. Brick-and-mortar retailers who use chip-and-PIN terminals can quickly legitimize purchases in store, making the whole process much more secure.

The benefits are obvious for offline retailers, but what about ecommerce stores that rely on card-not-present (CNP) transactions?

Two New Security Options

Currently, online retailers use very simplistic methods of payment verification, such as requesting the multi-digit CVV on the back of a card or a billing address. These requests may prevent basic fraudulent transactions, but more sophisticated operations easily get past this level of security.

The computerized nature of EMV payment cards, however, does enable greater security options and authentication methods. Two of the most utilized and promising ones are as follows:

One-time passwords (OTP)

One-time passwords work just as they sound. A user receives a password, typically via SMS, a token or display card, and enters the password into the website along with a username. Since the password is random and only valid for a single use, it prevents intruders from abusing a card and is far more secure than a static, long-term password. OTP is often used in conjunction with 3-D Secure protocols (Mastercard SecureCode or Verified by Visa) to create a powerful two-part protection.
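The two properties described above, a random password that is valid for a single use, come down to a few server-side checks. The following Python is an added example, not code from the original article or from any card scheme or 3-D Secure implementation; the class name `CheckoutOtpStore`, the 300-second validity window and the three-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed guess limit per issued code


class CheckoutOtpStore:
    """In-memory store of pending one-time passwords, keyed by transaction id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # txn_id -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(txn_id, code):
        # Bind the code to its transaction so it cannot be replayed on another one.
        return hashlib.sha256(f"{txn_id}:{code}".encode()).digest()

    def issue(self, txn_id):
        """Create a random 6-digit code; the caller delivers it out of band (e.g. SMS)."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[txn_id] = [self._digest(txn_id, code),
                                 self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, txn_id, submitted):
        """Return True at most once per issued code."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False                      # never issued, or already consumed
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[txn_id]         # expired or locked out
            return False
        entry[2] -= 1                         # count this guess
        if hmac.compare_digest(digest, self._digest(txn_id, submitted)):
            del self._pending[txn_id]         # single use: consume on success
            return True
        return False
```

A second submission of the same code, a submission after the window closes, and a correct code entered after three wrong guesses are all rejected.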

Personal card readers

Mastercard’s CAP (Chip Authentication Program) is a payment method involving the use of a handheld reader. The user inserts the card, types in the PIN, receives a one-time password, and enters the password at the checkout page. Visa followed suit with its own DPA (Dynamic Passcode Authentication) system. While CAP and DPA are very secure methods of payment, they are mainly used by tech-savvy consumers who are actively seeking additional security.

What You Can Do

Usage of either security option would ensure that the real card user is indeed the intended person behind the device making the transaction. The challenge is that in the initial years of the switchover, most EMV chip cardholders in the US will not be utilizing any of these security methods. So what can you do in the meantime?

  • Be patient – Ecommerce companies should expect the same challenges, and a growing number of fraudulent online transactions, for the near term until the adoption rate of EMV cards and these security features increases.
  • Get on board with EMV – If you have a brick-and-mortar store, implement the EMV chip card capabilities sooner rather than later; if not to prevent fraud, then to prevent the monetary liability that will soon be placed on your shoulders by Visa and Mastercard. You’ll also be seen as progressive to tech-savvy consumers who visit your store.
  • Inform your customers – Rather than sit back and wait for change, the best thing you can do now is encourage and support this initiative by informing your customers. Place a sign near your register in stores and/or put a message on your website homepage that provides or links to information about EMV and the security options. The more customers understand its importance, the quicker the changes will occur.

What are your thoughts on the new EMV chip cards? Do you have any other ideas about what ecommerce companies can do? We’d love to hear your opinions below in the comment section!