Online Fraud has increased 137% post-EMV – Are you Protected?

Online Fraud has increased 137% post-EMV – Are you Protected?

According to a new white paper from BRP, fraudsters have become more sophisticated and retailers need to adapt new security tactics to protect their customers’ payment card and personal data. The Payment Security Update: What’s Next After EMV white paper provides retailers practical tips on how to improve payment and data security across all channels.

“While EMV has received most of the attention in the last few years, there are several other critical security strategies that play a much greater role in protecting sensitive payment card and personal information,” said Perry Kramer, vice president and practice lead at BRP. “It is imperative that retailers have the right strategies and controls in place to thwart the ever-increasing advances made by fraudsters.”

EMV doesn’t really offer data security functionality, for that, retailers need to look to end-to-end encryption (E2EE) and tokenization. BRP’s 2017 POS/Customer Engagement Survey recently found that 68% of retailers have implemented E2EE and 48% have implemented tokenization of payment data. Increasingly, retailers realize that simply meeting PCI compliance standards is no longer sufficient to protect customer data.

“Hackers are becoming increasingly sophisticated, requiring organizations to re-analyze and revamp their current security protocols to adequately protect their customers’ payment and personal data,” said Ryan Grogman, vice president at BRP. “Retailers who have not implemented these technologies are at high risk, as the likelihood of being targeted by hackers increases every day.”

This white paper provides insights on the following topics:

  • Baseline Payment Security Measures
  • A Multi-Tiered Security Approach
  • The Rapid Growth of Omni-Channel Transactions’ Impact on Tokens
  • The Shift to Online Fraud
  • Increased Mobile Transactions Create Additional Security Complexities
  • Quick Wins to Beat Online Fraud
  • Quick Hit Protective Tactics

I encourage you to download and read the complete white paper:

Payment Security Update: What’s Next After EMV?

I appreciate your opinions and insights on this topic.  Please share your comments below.

Is the rocky road to EMV retail adoption getting smoother?

CIO – There was plenty of confusion to go around in October 2015, with only a small percentage of retailers ready to roll when the deadline passed for them to become EMV-compliant by installing new EMV-capable credit card readers and acquiring certifications from various payment networks.

Now that over a year, and two holiday seasons, have passed by, the question is: Where does retail stand with EMV? The answer, says experts, is that it’s been a rocky road, but there have been improvements in adoption and an ongoing evolution in implementation.

The good news is, consumers are starting to adapt to the new normal — their first instinct now is to insert a chip, not swipe. In addition, Visa and Mastercard implemented new quick-chip technology last summer, to make the processing time faster for consumers.

“One of the biggest complaints off the bat was that EMV was too slow, taking 10-15 seconds,” says Perry Kramer, vice president and practice lead at Boston Retail Partners. “Now the EMV transactions have really gone back to the same speed as what it used to be with swipe transaction — from the consumer point of view, it has sped up dramatically.”

Retailers, on the other hand, have struggled to get up to speed with EMV and have dealt with a variety of challenges, particularly due to vendor delays and the liability shift that has left them on the hook for chargebacks. “Those that weren’t ready really got thrown into panic mode,” Kramer says. “The amount of chargebacks, in terms of dollars and quantity, far exceeded anyone’s expectations.”
Read Full Article: Is the rocky road to EMV retail adoption getting smoother?

Mobile Payments in the C-Store

PMAA Journal – Americans don’t mind paying for the things they want, but they are increasingly insisting on deciding how they pay for them.

There are two underlying criteria c-store retailers want in a payment system: first, something that is convenient for both the customers and retailer; second, a payment method that does not unfairly add cost to the retailers,” explained Steven J. Montgomery, president of b2b Solutions, LLC in Lake Forest, Illinois.

Retailers don’t mind paying credit card and debit card fees, Montgomery has found. “They mind the fact the fees are seen as too high. The only reason the noise regarding this has calmed down some recently is because the cost of fuel has dropped and margins have increased. It is still a big issue for the industry.”

“A convenient and frictionless mobile payment experience is going to be a differentiator with increased significance in the c-store and petroleum space over the next two to three years,” said Perry Kramer, vice president and practice lead for Boston Retail Partners. “In this highly competitive space, Apple Pay, Android Pay, Chase Pay, Samsung Pay and the many other emerging mobile wallets are going to significantly continue to grow in usage and reach a tipping point for customers in a space were margins are tight and price is often differentiated by 2 to 3 cents.”

The importance of speed, ease of payment, and convenience at the pump and in the store are going to increase in the c-store area faster than many other retail formats. Much of this, Kramer explained, is driven by the significant number of under-35-year-old customers in this retail segment. “This demographic is on the go, and in almost all cases, the fuel purchase is a mandatory purchase, not a discretionary one. This consumer demographic expects convenienceand rewards for their loyalty.”

Any time one of these mobile wallets can be tied to a cash-back or loyalty program, while remaining frictionless, it significantly increases the chance that the consumer will remain loyal to that brand, he noted further. “Once we get them hooked with faster checkout and compelling rewards, they are more likely to increase both the number of visits and the spend per visit.”

Read Full Article: Mobile Payments in the C-Store

The Chip-Card Ninjas Weaning America Off Swiping

Bloomberg News – Getting the U.S. off magnetic stripes isn’t easy and could take years. There are long waitlists of merchants trying to get their terminals certified, and the hardware and software—as well as communication hand-offs to processors and banks—don’t always work perfectly together. Almost a year after the official switch to chip cards, only a third of U.S. merchant locations accept them, according to MasterCard Inc. An additional third are somewhere in the process of switching over, according to payment expert Crone Consulting LLC. Thousands of stores around the U.S. currently have their terminals’ chip-card slot taped up as they try to achieve certification.

For smaller merchants, it’s easier to outsource the process. That’s where Creditcall, and other companies like it, come in.

There are now dozens of such firms, part of a huge new consulting industry that has grown up around helping companies implement EMV. Boston Retail Partners, for example, sends teams of consultants to retailers’ headquarters to assist their sales operations and training departments. Companies, such as Accenture PLC, help banks get their customers and merchants to use chip cards. And others, such as Creditcall, are helping merchants’ technology vendors get hold of pre-certified gear to accept chip cards.

Altogether, consultants and various helpers are booking $2.6 billion a year from helping merchants get EMV up and running, according to Crone Consulting. At Boston Retail Partners alone, EMV-related business has been doubling or tripling annually for the last two years, Perry Kramer, vice president and practice lead, said in an interview.

“It’s become a big business for a lot of firms. Because you really need expertise—because it’s very complicated—the rules are continuing to change, the vendors and banks are still figuring it out,” Kramer said. “It’s a full-time job, and merchants’ associates already have full-time jobs.”

Read full article: The Chip-Card Ninjas Weaning America Off Swiping

Life After EMV – No Rest for the Weary

EMV_Terminal2For many retailers, getting to EMV was a long and arduous task. Delays in certifications, long lead times for new payment terminals, and high competition for valuable software, payment terminal and banking resources meant 6 month projects often turned into 12 and 18 month projects. So if you are a retailer who has successfully implemented EMV, congratulations! But where do you go from here?

The first critical step will be to ensure that you are indeed no longer seeing any higher than usual chargebacks coming from the bank. If you are, then you need to investigate further to validate that your transaction messaging is correctly flagging transactions as being EMV and that the bank isn’t erroneously passing along any charges which should not be shifted to the merchant.

Finishing What you Started

The next step is to shore up additional security gaps from a store systems perspective. Many retailers who chose to focus their priority on EMV did so at the expense of implementing end-to-end encryption (E2EE) or tokenization.  Whereas EMV is critical for limiting the use of lost or stolen cards in your stores, it does nothing to protect the card information itself once it gets into your store and back-office systems. E2EE helps to ensure that the card data is encrypted immediately upon swipe and will remain locked down and protected until it is outside of your network at the gateway or processor.  And implementing a tokenization solution, which stores a non-sensitive token in lieu of the credit card number in your system, helps to ensure that there is no critical information to be obtained in a breach event. The combination of EMV, E2EE and tokenization is the best defense for securing your store environment.

Improving Online Payment Security

HackerAs retailers continue to secure their in-store retail systems, many fraudsters are turning their attention to online systems. An additional recommendation is to extend tokenization solutions to online and mobile systems to ensure payment security while still being able to support advances in cross-channel business processes through the use of an omni-token.

As a result, retailers who have e-commerce solutions need to ensure they are securing these systems as well. From validating the secure transport of card data to processors to the ongoing tweaking and configuration of the rules within an advanced fraud management system, there are additional steps which retailers can take to address the already-present rise in online fraud.

Monitoring EMV Issues and Trends

Finally, it will be important to monitor coming trends and shifts related to EMV.  The longer authentication timeframe is causing headaches for many speed-of-service focused retailers, and the card issuers are working to implement “Quick EMV” fixes to speed up the precious seconds which have been incrementally added to a credit card transaction using EMV chip technology. Even though these should not result in additional development or projects for retailers, it will be important to understand how these impact the checkout process before deciding to implement.  Additionally, there has been an ongoing debate around the initial implementation of chip-and-signature for EMV vs. the more secure chip-and-PIN implementation.  If the momentum continues to shift towards chip-and-PIN, there will be additional steps required to ensure a successful implementation.

EMV compliance is a tremendous step towards avoiding additional liability stemming from fraudulent transactions as well as reducing the ability for customers to use fraudulent cards in your stores. But payment security is an ongoing process, not just a project. And to keep up, following many of the steps above will continue to help secure your customer’s information and your payment processing.

As always, I appreciate your opinions and insights on this topic. Please share your comments below.



More Chip-Card Headaches, This Time for Merchants

Wall Street Journal – For millions of merchants that haven’t yet met the credit-card industry’s deadline for accepting more secure plastic, the bill is coming due.

As of last October, retailers who didn’t make the transition to chip cards are on the hook for counterfeit transactions that used to be covered by card-issuing banks. The costs of the fraud, known in the industry as chargebacks, are starting to stack up.


Chargebacks among small and medium-size merchants rose 15% in the fourth quarter from a year earlier, according to a recent survey by The Strawhecker Group, a payments consulting firm. The industry believes the volume of chargebacks has likely risen since then, because the fourth quarter included only a few weeks under the new rules and it often takes a while for the costs to flow through to merchants.


Financial institutions have been issuing the new cards to customers for more than a year, but just 22% of retailers are able to process them, according to a survey released last month by Boston Retail Partners. Another 53% of the merchants in the survey planned to install the systems within the next 12 months.

Read full article: More Chip-Card Headaches, This Time for Merchants

Merchants Without Chip Readers On The Hook For Tens Of Millions Of Dollars In Fraudulent Purchases

International Business Times – Your new bank card with the fancy, more secure chip might just be sticking your favorite store with a nasty bill, the Wall Street Journal reported.

In the past, when purchases were made using counterfeit cards, the bank picked up the tab, leaving the merchant and cardholder protected from the wiles of ne’er-do-wells.

But since October, U.S. retailers have been the ones who have to cover the cost of fraudulent purchases, not banks. October was the deadline for all U.S. merchants to be able to process payments made by chip cards; the banks backing the cards no longer make merchants whole if the store can’t process chip card payments.

That’s led to tens of millions of dollars in lost revenue for small- and medium-sized stores.

Although the credit card industry’s deadline was six months ago, only 22 percent of merchants actually are processing payments using the chip, the Journal said, citing a report from consulting firm Boston Retail Partners. The other 78 percent’s reasons for not having pulled the chip trigger yet vary from seasonal worries (not wanting to disrupt the holiday shopping season), to the new payment terminals not working correctly, to not being able to have their payment systems certified.

Read Full Article: Merchants Without Chip Readers On The Hook For Tens Of Millions Of Dollars In Fraudulent Purchases

How can retailers mitigate the risk of the rise in online fraud?

Last October, following the EMV liability shift BRP published a blog post outlining the increased security risk to card-not-present transactions and warning retailers of potential increased online fraud. Our warning was not without precedent, citing a publication by Trustev that reported increased fraud in Europe following the introduction of EMV there. In this blog post, we will follow-up on our October publication with an update on reported online fraud in 2015.

Online Fraud Doubled in 2015

HackerMultiple industry sources all show that, with a few exceptions, online fraud increased in 2015. Digital goods, luxury goods and clothing all saw significant increases in online fraud. Further, according to Forester and’s recent report, retailers lost an estimated 1.3% of revenue due to online fraud in 2015 –  double the rate of 2014. Fraud’s harm doesn’t stop with “bad” transactions, as up to 25% of transactions declined due to suspected fraud were actually legitimate transactions.

Interestingly, that same report showed that electronics and food/beverage saw a decrease in online fraud, 17% and 36% respectively. What do these contrasts mean for online fraud in general? Different retail verticals are at higher risk for fraud as their goods have higher after-market value. For instance, fraudsters may be taking digital goods (such as DVDs), where fraud is up 304%, and reselling the content. Further, while electronics saw a decrease in fraud and represented 4% of fraudulent transactions they represented 19% of fraudulent transaction dollars due to the high price of products. A deeper dive into the statistics offer greater insights and a fuller picture of the critical areas to address.

The Forester/PYMT.som report does not break out gift card sales from merchandise sales. However, our findings and client data make it very clear that one of the highest risk sales, both online and in-store, is gift cards. If retailers have not adjusted their fraud profiles to include gift card sales in their highest risk category, they should do so as soon as possible.

Hopefully, the pace of the upward trend of online fraud will begin to slow in 2016. However, it would be foolish to expect it to decrease. As EMV penetration increases, counterfeit cards have less and less value in brick and mortar stores, effectively increasingly their value in online transactions. Additionally, fraudsters have large amounts of stolen credit card inventory that they want to take advantage of before the cards expire or are replaced. For these reasons, online retailers need to expect 2015’s fraud rates to be the new normal and prepare accordingly. Retailers must utilize rules-based fraud detection tools allowing them to audit suspect transactions and authorize legitimate ones.

Recommendations to Mitigate Online Fraud

Differentiating between legitimate and illegitimate transactions can be difficult, but with robust tools and processes retailers can achieve high proficiency. The list of risk mitigation opportunities continues to be expanded and enhanced:

  • Customer Profiles – Profile your existing customers and leverage their existing data. This will allow you to understand which customers were legitimate in the past and identify common attributes.
  • Seasonal Adjustments – Season specific policies allow retailers to tailor their programs throughout the year. Fraudsters are very adept at flooding the market at peak times, when retailers’ processes are already overloaded, such as back to school, seasonal changes and holiday periods.
  • Impact of Accelerated Deliveries – Adapt your payment policies to support, or anticipate supporting, the growing trend of increased same-day and next-day deliveries.
  • Secondary Security Services – Expand your tools to include secondary services such as fraud guarantee services for higher risk transactions.
  • Budget for Financial Impact – Review and possibly update your internal organizational model to account for the increased financial impact that on line fraud is having on the overall corporate bottom line.
  • Continuous Monitoring and Adjustments – Retailers must monitor activity to identify trends and analyze what worked in the past and what didn’t. As a result of this continuous monitoring and hindsight, retailers should update and tweak their rules and parameters. By implementing a comprehensive fraud detection process can thwart fraudsters and meet their customers’ expectations.

With online fraud on the rise, retailers are making it a high priority. Unfortunately, retailers already have a full plate of payment security initiatives, especially those that haven’t implemented EMV yet.  Fraudsters are savvy and retailers need to stay one step ahead by implementing comprehensive security strategies.

For more tips on mitigating payment security risk, check out this white paper:

Beyond EMV: Best Practices for Payment Security

As always, I appreciate your opinions on this topic. Please share your comments below.


VIDEO: Tokenization and Encryption are Key Components of Payment Security

According to the 2016 POS/Customer Engagement Survey, only 22% of retailers support EMV transactions. Why has the adoption of EMV been so slow? For payment security, many retailers have focused their attention on tokenization and encryption to help prevent payment card breaches, which can cost a retailer far more than the chargebacks as a result of not deploying EMV.

Watch this video blog post to hear Perry Kramer, Vice President and Practice Lead, Boston Retail Partners, share his thoughts on tokenization and encryption and why retailers are making this a higher priority than EMV.

Tokenization and Encryption are Key Components of Payment Security

Visit our BRP Videos page to watch videos on other topics.

As always, I appreciate you thoughts on this topic. Please enter your thoughts and comments below.


Only 22 percent of retailers support EMV

The Paypers – A Boston Retail Partners survey has revealed that 22% of retailers support EMV, with another 53% planning to do so within the next 12 months.

The survey’s results also show that 16% of respondents say they have no plans ever to support EMV.

Ryan Grogman, Boston Retail Partners vice president, said the problem is that POS systems in the U.S. are relatively complex, making the EMV upgrade process more challenging than it might otherwise be. He cited long lead times for new payment terminals and certification, a limited set of payment switch development resources and payment provider support resources, and a scarcity of POS developers as factors contributing to a big backlog in EMV implementations.

EMV is not a panacea for payment fraud, according to Grogman, which notes that Trustev has predicted that online fraud will increase by 106% over the next three years in response to the shift to EMV. Online retail fraud surged by 100% in Canada and Australia, and by 89% in the UK, after those countries switched to EMV.

Read full article: Only 22 percent of retailers support EMV