Mobile Payments, EMV, and Fraud: A Chat with ETA’s Jason Oxman

If you’re a criminal looking to commit credit card fraud, the most popular way to successfully make that happen today is to create a counterfeit card and use it in an in-store purchase. Cha-ching. Free Stuff.

“Counterfeit cards are still the number one form of card fraud in stores in the U.S. today,” explains Jason Oxman, CEO of Electronic Transaction Association, the trade association of the payments industry. “These are fake cards that are created by criminals using stolen account numbers.”

But all of that is shifting, says Oxman, since recent technological innovations are making counterfeit cards harder and harder to use in person. “Criminals are going to have a much tougher time using fake plastic cards,” Oxman says. “But now that payments in stores are getting more secure,” he adds, “it’s opening a window for online fraud.”

Two reasons in-store payments are getting more secure

First of all, many retailers now accept payments from customers using mobile wallets—such as Apple Pay or Android Pay—when making an in-store purchase. “With a mobile payment transaction, there is no account number transmitted, and therefore nothing to steal and no way to make a counterfeit card,” says Oxman.

Mobile payments use tokenization technology, which transmits a cryptogram instead of an actual account number. “So even if a criminal were able to intercept a mobile payments transaction, they wouldn’t have an account number they could do anything with,” explains Oxman.

And besides, mobile payments are way better at identifying account holders. According to Oxman, signatures – the old school verification process used for in store credit card transactions – pale in comparison to mobile wallets’ use of biometrics, where account holder identities are verified using a fingerprint or other cutting-edge authentication technologies.

The second way in-store payments are becoming more secure is through the roll-out of chip or EMV technology, which began back in October 2015. “The EMV chip generates a unique or dynamic security code with each use,” Oxman explains, “That way, no one can produce a counterfeit card because they don’t know what security code to use on that card.”

Oxman thinks that once retailers start using chip technology across the board, it’s going to drastically reduce in-store fraud. “This is the most significant technology upgrade to the payment systems in decades. We have literally been using those plastic cards with magnetic stripes on the back for 40 years. It’s the same technology used in cassette tapes,” Oxman adds. “That’s how old it is.”

This radical change is affecting 1.2 billion cards in the market today and 8 million merchants. “It’s a lot of work to do the upgrades in the stores,” says Oxman, “but it’s important because we all share an interest in stopping crime.”

So, what do we do about online fraud?

But don’t get too excited, Oxman cautions. All this new security isn’t going to cut off criminals in their tracks. Oxman says fraudsters will likely turn their dirty work to online transactions, where an actual credit card isn’t needed.

“Historically, around the world, in markets that have migrated to chipped cards, there has been an increase in online fraud as criminals seek other outlets,” says Oxman. The problem is, through a variety of methods—including data breach and theft—criminals will continue to get access to credit card account numbers, and since they can’t make a counterfeit card, they’ll go shopping online with the stolen account number.

In order to stop online fraud, Oxman stresses, the focus has to be on making sure that criminals can’t collect credit card numbers in the first place. One way to prevent that is by making sure online retailers encrypt their transactions. “Encryption is a very good way to prevent online fraud, because it encrypts the transaction at the point of sale online,” says Oxman. “Recently the largest thefts of card numbers comes from data breaches at large retailers in the U.S., like Target and Home Depot. Those data breaches were possible because of a lack of encryption,” he says.

But even with more secure systems in place, Oxman acknowledges that one way or another there will always be criminals who get their hands on credit card numbers. So it’s going to become increasingly important for online retailers and other companies to up their game when it comes to security.

Online fraud currently accounts for 50% of all fraud in the U.S., and that number is likely to increase. Oxman says industry experts anticipate a decrease in in-store counterfeit cards by more than 50%, while card-not-present fraud will jump $3.3 billion to $6.4 billion by 2016.

So what else should retailers do? With the increased need for vigilance, retailers and other companies that do business online will be looking to apply new and innovative technologies to raise the bar on online security, says Oxman.

There are a number of different solutions out there, using a variety of approaches – from rules to machine learning – and each business should evaluate their unique needs and goals when choosing a fraud-prevention vendor. In the end, says Oxman, there is no mandate for security. “It’s going to be up to the individual outfit to decide what type of security update to employ.”