As more brick-and-mortar retailers transition to EMV chip-technology terminal devices for credit card and other card payments, fraudsters may turn their attention elsewhere: online purchases.
In other words, increased security in stores could shift the efforts of credit-card swindlers to online hacking.
It's what occurred in the United Kingdom with respect to online purchases, also known as card-not-present transactions. The UK's spike in online fraud occurred as EMV chip technology took hold a decade ago. (EMV is an acronym for Europay Mastercard Visa.)
So, even with innovative security upgrades, it's understandable to expect that networks of criminals focusing primarily on physical credit card number and identity theft will find their way to wherever the information is easily available and less protected.
“Hackers have figured out how to crack security certificates,” said Tom Tesmer, chief operating officer of JetPay Payment Services based in Dallas, which has large clients, including Apple Pay.
This means HTTPS portions (the beginning) of certain URLs are not necessarily safe and protected. Hackers never stop evolving their knowledge since security efforts are continually adapted and increased on both ends of the transaction: the Web host and payment processor.
Tesmer referenced PCI compliance as another layer of ongoing security efforts to prevent online credit card theft. PCI stands for payment card industry, and DSS usually follows in its name, signifying data security standard.
PCI DSS requirements managed by the PCI Security Standards Council in Wakefield, Mass., are designed for businesses that have an online merchant identification for digital credit card transactions. Those with IDs have to keep up with these security measures, Tesmer noted.
Randy Vanderhoof is executive director of a nonprofit called Smart Card Alliance based in Princeton Junction, N.J., while also serving as the director of EMV Migration Forum, which is tied to the alliance.
“There are software services to subscribe to that look for fraud patterns at checkout,” Vanderhoof said of online purchases. “One example is that the person who has a card lives in Pennsylvania, but the IP [Internet protocol] address is showing that the transaction is from an eastern European country.”
Requiring a billing address is another potential approach to be more secure, Vanderhoof said.
“Most banks don't require you to set up accounts in person,” he added. “Fraudsters can apply for a bank credit card by mail if they have acquired personal information about you online or in another way.”
Carolyn Balfany is the senior vice president of MasterCard's Global Products & Solutions, based in St. Louis.
“The creating of the unique code, called cryptography, also provides the foundation for tokenization,” Balfany said. “Tokenization is a safer way to send sensitive data, including card account numbers, online.
“The technology works by creating a random, unique number that represents actual data. This 'proxy' or 'nonsensitive' information, known as a token, is sent to the cloud for processing and storage.
“As a result, the sensitive data is protected both in-transit and at-rest. If hackers manage to break into the system, all they would find are meaningless tokens.”
Stephanie Ericksen, the vice president of Risk Products for Visa Inc., based in San Francisco, noted that token numbers can be random sets of digits in different sequences, not necessarily placeholders for all 16 digits in a credit card number.
This wide range of always-different variations makes it harder for hackers to know which numbers are authentic and which are the proxies.
Ericksen added, in agreement with Vanderhoof, that using predictive patterns is largely how fraud is being better tracked and stopped, one transaction at a time.
Transactions that don't make sense to the system are more likely to be identified as fraudulent right away by the card issuer, Ericksen said.
An example is a credit card number being used in one location and then a gas station several hours away in less time than the card owner could drive to the second location.
“More issuers are signing up for 3D Secure 2.0,” Ericksen said.
This service tracks a phone and its associated credit card through geo-location.
It will ping, saying the phone is in San Francisco, but a transaction on the card just occurred in Texas, Ericksen said.
Fraud scoring by Visa for all transactions, on a scale of 1 to 99, is another approach to help merchants and consumers.
Visa Checkout and MasterPass by MasterCard are time-saving, security-protected services for consumers as a way to store and use their credit card and billing information quickly without having to type it in with every digital transaction.