To combat an expected increase in fraudulent online purchases, the credit card industry is rolling out new security measures -- but they are mostly invisible to the average Internet shopper.
While the experience of shopping online seems identical to what it was a decade ago, security experts say the simplicity of online shopping masks high-tech and behind-the-scenes efforts by retailers, banks and payment networks to stop fraud. Besides the information shoppers enter on their computers, the companies examine a trove of other data to ensure that purchases are legitimate.
"The overall trend is it is getting more sophisticated," says Justin McDonald, senior risk management consultant with The Fraud Practice, which advises banks on security issues. "There has been a shift to really rely more on different types of analytics, with advanced statistical models and behavioral models. It's more than you having the right password and username."
The focus on developing new strategies to stop online credit card fraud is expected to take on new importance as the U.S. shifts to cards with embedded security chips. Other countries that have made that switch have experienced surges in online fraud, as criminals seek easier ways to cash in on stolen card information.
Data analytics playing an ever bigger role
To verify online purchases, most retailers are taking a "layered approach" that combines the efforts of card networks, card issuers and even outside companies to provide information that can flag suspicious purchases, says Ben Knieff, a senior research analyst with Aite Group who specializes in cybercrime.
"The hope is that through all those layers, one of the layers is going to catch the bad guy," Knieff says.
In addition to a customer's card information and billing address, retailers routinely consider other factors, including IP address, location, shipping address, purchase history and device identity. It is pretty simple, for instance, to be suspicious about a middle-of-the-night electronics order from a computer located in Kazakhstan if the card's billing address is in Peoria.
Yet there are also more sophisticated techniques, enabled with the addition of data from card networks and banks. For instance, if a card network knows that shipments to a certain warehouse in Boston have been fraudulent purchases in the past, and a retailer submits a charge shipping to that same location, that purchase can sometimes be flagged before the merchandise is shipped. Or if there are a number of charges at the same time from a single card buying similar items at different retailers, the bank or card network might deem those suspicious.
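The layered checks described above can be sketched in code. This is an added example, not code from any retailer, bank or card network quoted in the article; the orders, the flagged address, the five-hour "night" cutoff and the ten-minute window are all constructed assumptions. Any layer that fires holds the order before it ships.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FLAGGED_SHIP_TO = {"12 example wharf, boston, ma"}  # constructed: address tied to past fraud
VELOCITY_WINDOW = timedelta(minutes=10)             # assumed threshold

def layer_signals(order, history):
    """Return the name of every layer that flags this order."""
    hits = []
    if order["ip_country"] != order["billing_country"]:
        hits.append("geo_mismatch")
    if order["time"].hour < 5:  # middle of the night in the cardholder's time zone
        hits.append("odd_hour")
    if order["ship_to"].lower() in FLAGGED_SHIP_TO:
        hits.append("flagged_ship_to")
    # Issuer/network view: one card buying similar items at other merchants at once.
    others = {o["merchant"] for o in history[order["card"]]
              if o["merchant"] != order["merchant"]
              and o["category"] == order["category"]
              and abs(o["time"] - order["time"]) <= VELOCITY_WINDOW}
    if len(others) >= 2:
        hits.append("cross_merchant_velocity")
    return hits

def review_queue(orders):
    """Map order id -> (decision, hits); any hit delays shipment for review."""
    history = defaultdict(list)
    for o in orders:
        history[o["card"]].append(o)
    result = {}
    for o in orders:
        hits = layer_signals(o, history)
        result[o["id"]] = ("hold_for_review" if hits else "ship", hits)
    return result

def make_order(oid, card, merchant, category, ip, hhmm, ship_to="500 Main St, Peoria, IL"):
    t = datetime.strptime("2016-03-01 " + hhmm, "%Y-%m-%d %H:%M")
    return dict(id=oid, card=card, merchant=merchant, category=category,
                ip_country=ip, billing_country="US", time=t, ship_to=ship_to)

# Constructed sample orders (not real transactions).
ORDERS = [
    make_order("A", "card-1", "shop-a", "books", "US", "14:05"),
    make_order("B", "card-2", "shop-b", "electronics", "KZ", "03:12"),
    make_order("C", "card-3", "shop-c", "apparel", "US", "11:00", "12 Example Wharf, Boston, MA"),
    make_order("D", "card-4", "shop-a", "electronics", "US", "16:00"),
    make_order("E", "card-4", "shop-b", "electronics", "US", "16:02"),
    make_order("F", "card-4", "shop-c", "electronics", "US", "16:04"),
]
```

Order A ships, B is held by the merchant-side layers, C by the flagged shipping address, and D through F only by the cross-merchant view that no single retailer has on its own.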
"When you are in an online environment, there are these data points that are coming in from a lot of different angles," Knieff says. "In many respects, online shopping is actually safer than in-person shopping because of the kind of data that is available to the merchants and issuers."
In addition, Knieff says, merchants don't have to ship the goods immediately if they need more time to review a purchase. Some purchases that might appear questionable based on the data might be delayed for further review, or to authenticate that the purchase is valid.
"The product doesn't go and the money doesn't move until they are confident it is a good order," he says.
New anti-fraud technologies
Besides behind-the-scenes analytics, companies are developing a range of technologies and procedures to enhance the security of online purchases, though none has become widely adopted.
Those technologies could drastically reduce fraud, although banks and retailers want to ensure they do not make the process of buying online too time-consuming for consumers. Doing so would risk losing sales.
Some of those strategies include:
Additional password. Generally, analysts say one of the best ways to reduce online fraud is to have consumers enter additional information to confirm their identities -- such as an additional password or PIN associated with their card.
However, when Visa introduced such a program in some European countries about 15 years ago, known as 3-D Secure, it found that consumers abandoned about 17 percent of purchases when prompted to enter a password, says Mark Nelsen, Visa’s senior vice president of risk products and business intelligence. Merchants find that rate unacceptably high, he says.
Visa has been working to improve that service, now known as Verified by Visa, to make it less burdensome to consumers while drawing increasingly on data analysis. For instance, instead of requiring all customers to remember a password, the service can identify the small number of purchases that appear questionable and send those consumers a security code on their phones to enter online to confirm their identities.
"We can absolutely make transactions very, very secure, but it comes at a cost," Nelsen says. "Friction is a really big barrier. It truly is a fine balance between convenience and friction."
Dynamic CVV. A small number of companies are working on ways to modify the traditional plastic credit card to have it display a security code that changes at a specific interval. That way, the consumer must actually have the card when buying something online. Otherwise, the card information will be incorrect.
Philip Andreae, vice president of field marketing with digital security firm Oberthur Technologies, says banks and merchants are interested in the technology, which involves placing a small battery inside the credit card and having a small display similar to that of an e-reader, which shows the changing code.
"It changes on a pre-defined interval and can be authenticated by the issuer, without the merchant doing anything more than they do today," he says.
The cost to make the cards is naturally higher, but it can make sense to issue the cards to some high-spending customers initially, then count on the price to drop as the cards become mass-produced. Andreae says Oberthur is testing the product in conjunction with a handful of banks in Europe.
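A minimal sketch of how a code that changes on an interval can be checked by the issuer alone, added here as an example and not taken from Oberthur or any card vendor. The article does not say which algorithm the cards use; this assumes an HMAC over a time step with HOTP-style truncation (RFC 4226), a one-hour interval and a constructed per-card key.

```python
import hashlib
import hmac
import struct

INTERVAL = 3600                                     # assumed: the code changes hourly
CARD_KEY = b"constructed-demo-key-not-a-real-one"   # per-card secret shared with the issuer

def dynamic_cvv(card_key: bytes, unix_time: int, interval: int = INTERVAL) -> str:
    """Card side: derive a 3-digit code from the secret and the current time step."""
    step = struct.pack(">Q", unix_time // interval)
    mac = hmac.new(card_key, step, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation, as in HOTP
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1000:03d}"

def issuer_verify(card_key, submitted, unix_time, interval=INTERVAL, drift_steps=1):
    """Issuer side: accept the current step and a few earlier ones (card clock drift)."""
    for back in range(drift_steps + 1):
        expected = dynamic_cvv(card_key, unix_time - back * interval, interval)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

def stale_acceptance_rate(card_key, captured_at, trials=2000):
    """Fraction of later time steps at which a code captured once would still pass."""
    stolen = dynamic_cvv(card_key, captured_at)
    hits = sum(issuer_verify(card_key, stolen, captured_at + n * INTERVAL)
               for n in range(2, trials + 2))
    return hits / trials
```

The merchant forwards the three digits exactly as it does a printed CVV; only the issuer holds the key. A code copied in a breach passes at later time steps only by chance, roughly the odds of guessing three digits.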
Tokenization. This approach involves replacing credit card numbers with a stand-in code of numbers and letters that only payment processors can decipher to link to a particular account or individual transaction. This makes a purchase more secure because the card numbers are less vulnerable to theft.
In some cases, companies could even prompt consumers via email or text to enter a one-time code for online purchases, instead of entering their card information.
Additionally, with more merchants storing these tokens in their databases instead of actual card numbers, card information will be more difficult to hack.
EMV can't protect online
As one of the last major countries to switch to EMV chip cards, the United States has had an outsized share of card fraud. In 2014, for instance, the U.S. accounted for an estimated 48 percent of worldwide fraud losses despite generating only 21 percent of all charges, according to The Nilson Report, an industry publication. Fraudulent charges in the U.S. accounted for nearly 13 cents per $100 charged -- triple the figure in the rest of the world.
In 2015, U.S. payment networks began implementing financial incentives for banks to switch from traditional magnetic stripe cards to cards with EMV chips and for merchants to accept such cards. Millions of EMV cards are now in circulation, though the process is far from complete.
If a retailer has a payment terminal configured for chip cards, the presence of the chips makes in-store fraud almost impossible. While criminals have a relatively simple time loading stolen card data onto fake cards with magnetic stripes, it is thought to be almost impossible to create counterfeit chip cards that work with EMV-ready payment terminals.
However, the EMV chips do nothing to help secure online payments. Even the Smart Card Alliance, an industry group that encourages the use of EMV cards, acknowledges that in other countries, the introduction of chip cards has led to "a migration to other types of fraud, namely card-not-present (CNP) fraud and cross-border counterfeit fraud."
In the United Kingdom, for instance, CNP fraud rose 79 percent in the first three years after its 2005 switch to chip cards, according to a report by Aite Group, a research firm.
An increase in online purchase volumes is expected to feed a spike in card-not-present fraud, too. Between 2013 and 2018, online fraud in the U.S. is expected to double, to nearly $19 billion annually, according to projections from Javelin Strategy & Research. By 2018, online fraud is expected to be four times greater than in-store fraud, due to rising e-commerce sales.
Knieff, with Aite Group, says online fraud in the U.S. might not increase as quickly as it did in other countries, because thieves will still have some success at stores. That's because the industry here opted to verify in-store transactions not with PINs but with a simple signature, out of concern that remembering a PIN would be too burdensome for consumers. So if a customer's chip card is stolen, a thief could still use it at a store before it is reported missing.