Online Merchants Must Act Now—While They Have the Chance
According to the scheduled EMV transition that was agreed upon by the major card networks, the liability for fraud at both gas pumps and ATMs was originally intended to shift to merchants in October 2017. However, Visa, MasterCard, and American Express have all announced that the liability shift at gas pumps would be delayed until late 2020.
This is great news for gas retailers, as they’ll have an additional three years before the burden of counterfeit card fraud falls on their shoulders. For issuers, cardholders, and online merchants though, the new arrangement is less than ideal.
Why Are Card Networks Delaying Liability at Gas Pumps?
Simply put, upgrading a payment terminal at a gas pump is very expensive and time-consuming.
The variety of card reader used by gas pumps is very different from those used by other card-present merchants and come at a much more significant up-front cost. Not only that, but each gas pump that’s upgraded must also be officially inspected and approved by a state official to ensure that it dispenses at a proper rate and that customers are charged correctly.
Other merchants do not have to seek state inspection for their card readers, yet the EMV transition at standard retailers still proved to be more chaotic and time-consuming than anyone expected. Therefore, conducting the same process, with more steps, at more than 100,000 gas pumps and ATMs in the US by October 1, 2017 would be impossible.
The card networks viewed the liability shift delay as the only way to prevent that chaos from recurring on a larger scale.
Continuing Fraud is an Inevitability
While the reasoning may be sound, that’s little consolation to all the other parties that will be put at further risk of criminal fraud.
Gas stations were already a highly-favorable target for criminals seeking to grab cardholder data with skimmers and other devices. In fact, skimming at automated fuel dispensers (the industry term for gas pump, also referred to as an AFD) is the most common source of cardholder data theft. With all other card readers converting over to EMV chip technology, gas pumps will be even more enticing to fraudsters.
Using these skimming devices in conjunction with other tools, fraudsters can collect sufficient amounts of cardholder data to execute unauthorized transactions online. While cardholders are perceived as the victims of this criminal activity, online merchants are ultimately the ones who stand to lose the most.
It’s not their intention to play favorites, but by pushing back the liability timetable, the card networks put the interests of card-present merchants ahead of those of eCommerce merchants. This is just the latest in a long line of policies that cater to card-present businesses, while online merchants continue to suffer with little hope of relief or assistance.
Highlighting the Need for Standardization
A recent study revealed that sensitive cardholder information can be hacked in a matter of seconds. This new vulnerability, combined with increased threats associated with postponed EMV technology, is alarming.
Fortunately, though, the researchers who highlighted the ease in which criminals can access account information outline a clear solution: industry standardization. This is the same essential approach I’ve been suggesting for years; now though, it’s becoming increasingly difficult to ignore the desperate need for such a change.
Standardization across the eCommerce industry will be essential to preventing successful fraud attacks. This means not only establishing consistent guidelines and benchmarks for how transactions, chargebacks, and disputes are conducted by merchants, but also determining how banks, processors, and card networks should comply with policies and procedure.
Still, the industry doesn’t seem to show any signs of overhauling their approach to eCommerce fraud or the disconnect between card-present and card-not-present policies. Equitable changes won’t transpire in the foreseeable future; for now, merchants and issuers will need to create their own solutions.
Different Strategies for Different Fraud Threats
The delay of EMV technology adoption at gas pumps leaves open a window for criminal fraudsters, thereby putting online merchants at greater risk. The best approach to deal with this reality is to adopt the necessary strategies for the evolving and ever-increasing online threats.
For criminal fraud stemming from identity theft, this can mean fraud filters, AVS and 3D Secure technologies. Other threat sources will necessitate additional tools, such as chargeback mitigation services to deal with friendly fraud or affiliate fraud alerts to take on the problems associated with this advertising technique. This is what’s referred to as multilayer fraud management—a web of intersecting, complimentary technologies which, when combined, identify and block threats coming from numerous different sources.
There is no way to absolutely prevent fraud, and the industry seems to offer little in the way of answers for the future. Therefore, merchants will need to be proactive and take charge of fraud prevention before criminals have a chance to wreak unprecedented damage on their business.
