Fraud heads list of retailers’ top payment-related challenges
Retailers have gotten little in the way of relief since the switch three years ago to new chip-based credit and debit cards.
That’s according to a study released on Wednesday by the National Retail Federation and Forrester, which found that fraud was the top payment-related challenge faced by retailers, cited by 55% of respondents, as criminals move their activities online.
“The implementation of EMV chip cards and chip card readers was supposed to dramatically reduce credit and debit card fraud,” the State of Retail Payments report said. “So why is fraud still the top concern for merchants?”
The reason is that Europay-MasterCard-Visa chip cards have moved payment card fraud away from stores and toward online transactions, the report said, citing a Forter study showing a 13% increase in online fraud last year. A Federal Reserve study said online fraud rose from $3.4 billion in 2015 – the first year retailers were required to accept chip cards or face an increase in fraud liability – to $4.6 billion in 2016 and was an “increasing concern.”
The second-biggest payment concern was the cost of accepting payment cards, including the swipe fees banks charge to process transactions, cited by 45%. While the survey found 49% of retailers have taken advantage of routing options required as part of a cap on debit card swipe fees passed by Congress in 2010, rising swipe fees for credit cards remain the subject of litigation between retailers and the card industry.
Chargebacks of disputed purchases, which increased after implementation of EMV for some retailers, were the third-biggest concern, cited by 35%.
To help fight fraud, the report found that retailers want better authentication of purchases no matter where they take place. Thirty-three percent have implemented 3-D Secure, a system marketed as Verified by Visa or MasterCard SecureCode that is intended to help authenticate online purchases.
For in-person purchases, 51% of merchants said biometrics would be the best way to verify transactions, and 53% expressed interest in implementing forms such as the fingerprint and facial recognition available on smartphones. But with that technology limited to phones rather than cards, 46% said personal identification numbers would be the best currently available way to approve card transactions.
For purchases made with cards, 95% of retailers said requiring PINs would improve security and 92% would implement it if it were available. While EMV cards in other countries are chip-and-PIN, virtually all EMV credit cards issued by U.S. banks have been chip-and-signature with PIN available only on debit cards. And the major credit card companies stopped requiring a signature last year.
“The chip in an EMV card makes it very difficult to counterfeit the card, but it does nothing to show whether the person trying to use the card is the legitimate cardholder,” NRF senior VP and general counsel Stephanie Martz said. “If we want to stop card fraud, we need a better way of authenticating users and it should be one that’s affordable, easy and safe. Someday the answer might be biometrics or technology that has yet to be invented but, in the meantime, we know PIN can stop criminals dead in their tracks. With no signatures, no PIN and no biometrics, what we have right now is no authentication at all.”
NRF has long argued that PIN is important because the chip in EMV cards only prevents the use of counterfeit cards while not stopping lost or stolen cards, and a PIN can also provide a backup for cases where the chip malfunctions or is tampered with.
“Eliminating fraud and improving authentication are clearly top priorities for retailers,” Brendan Miller, principal analyst at Forrester, said. “As the answers to these challenges are found, the key will be finding ways to implement the solutions in a way that provides a frictionless experience for consumers.”
Fraud attempts expected to rise this holiday season
Consumers and merchants aren’t the only ones preparing for the busiest shopping season of the year.
Fraud attempts are projected to increase by 14% during the holiday season, which spans Thanksgiving to New Year’s Day, according to new data from ACI Worldwide, a provider of electronic payment and banking solutions.
According to the study, the volume of purchases is expected to increase by 18%, while the value of purchases is expected to increase by 19% between Thanksgiving Day and Cyber Monday, compared to the same period last year.
Similarly, the value of fraud attempts is expected to increase by 17% between Thanksgiving and Cyber Monday, compared to the same period in 2017. The attempted fraud average ticket price, or a merchant’s average size of individual sales by credit card, is expected to increase 3% from $236 to $243.
When looking at specific shopping days, the volume of transactions on Thanksgiving Day is expected to increase 23% in 2018, compared to 2017. Volume of fraud attempts on Thanksgiving Day is expected to be high at 1.80%.
On Black Friday, volume of transactions is expected to increase 19% compared to 2017. Volume of fraud attempts on Black Friday is expected to be 1.30%.
On Cyber Monday, volume of transactions is expected to increase 14% compared to last year, and volume of fraud attempts is expected to be 0.93%.
Cross-channel fraud also continues to grow. In addition to traditional online channels, buy online, pick up in-store and call centers will be areas of focus for fraudsters, the study said.
“The first step to fighting fraud is knowing what you’re up against,” said Erika Dietrich, global director, Payments Risk, ACI Worldwide.
“Fraudsters prepare for peak holiday season just as much as merchants and consumers do,” she added. “Fraudsters will keep an eye on items that have limited inventory as it gives them an additional opportunity to steal and sell those items on the black market for a higher price so consumers and merchants alike must be vigilant in such cases.”
A different kind of data breach hits Nordstrom
Another retailer was hit by a cyber-attack, but this one didn’t target customer information.
Nordstrom was hit by a data breach that targeted the personal data of current and past employees. Information that may have been exposed includes names, Social Security numbers, dates of birth, checking account and routing numbers, salaries, among other data, according to The Seattle Times, which first broke the story.
The breach, which occurred on Oct. 9, stemmed from “a contract worker [that] improperly handled some Nordstrom employee data. Customer data was not impacted,” according to a company statement.
The company’s information security team promptly discovered the incident, and immediately notified law enforcement to begin a comprehensive investigation. The contract worker no longer has access to Nordstrom’s systems, and the company has put additional measures in place to help prevent a similar situation from recurring.
While the company has no evidence that data was shared or used inappropriately, the company immediately notified employees “so they can take the appropriate steps to monitor for any potential unauthorized activity,” the statement reported, adding that Nordstrom is also offering impacted employees free identity protection services for 24 months.
“No one company is immune to cyber-attacks, but how a company responds will make all the difference in restoring trust with customers and employees and proving that they have taken all possible actions to inform and mitigate the damage during an event,” said Ryan Wilk, VP of customer success for NuData Security.
“Nordstrom’s response time to this data breach incident is laudable as well as their attempts at transparency. Online companies should do more to devalue personal information or PCI Data so if a breach does occur the data obtained by cyber attackers is less valuable.”
Wilk also encourages retailers to use technologies, such as passive biometrics and behavioral analytics “to detect and devalue the data when bad actors use it to commit account takeover at login or attempting to create new accounts such as credit cards and loads,” he added. “It will dissuade bad actors from attempting to steal the data in the first place.”
Other retailers targeted by cyber-thieves this year include Hudson’s Bay Co.’s Saks, Saks Off Fifth and Lord & Taylor brands, Best Buy, Panera Bread, Sears Holdings, and Under Armour.