The Green Sheet Online Edition
February 23, 2015 • Issue 15:02:02
Worldpay warns of online fraud spree
All businesses need to be vigilant in identifying potentially fraudulent card payments, but small businesses should be extra vigilant this month, said international acquirer Worldpay. In a statement issued Feb. 2, 2015, Worldpay's London office warned small businesses to be on their guard as "unprecedented levels of attempted fraud" are expected throughout the month of February.
Although the Worldpay warning was delivered to U.K. businesses, it has equal application for U.S. merchants, as online sales and hackers are rarely deterred by national borders.
It also demonstrates the inherent vulnerability of online retailing even in markets (like the U.K.) where the EMV (Europay, MasterCard and Visa) security protocol is firmly entrenched. EMV is an international standard for securing data on credit and debit cards, at the merchant checkout and throughout the clearing process.
Tim Lansdale, Head of Payment Security at Worldpay, said the company's data suggests fraud attempts against online merchants could jump by as much as 80 percent in February as hackers start to cash in on customer card data they were able to harvest during the hectic end-of-year holiday shopping season.
"We see a dip in fraud around Christmas as hackers go on the hunt for information, using the online sales rush to stockpile thousands of customer card details. It isn't until February that they start cashing in on all the data they've collected," Lansdale said. Of course, that's not to suggest hackers aren't still on the prowl for card data. "Other breaches can last much longer; attackers might decide to keep returning to their targets, sometimes for years," Lansdale added.
Worldpay's data shows that in the U.K. at least nearly all card data breaches (99.3 percent) involve the online channel, not the physical POS. This is not surprising, as EMV has been fully implemented in the U.K. since 2006. The Worldpay data also indicate the overall risk of getting hacked is greater for small businesses, with those businesses accounting for all, yes all, reported data breaches in the U.K., according to Worldpay's data.
Businesses in the entertainment, hobby and leisure sectors account for nearly a quarter of all card data breaches, based on Worldpay's research. Businesses in the entertainment sector, especially online ticket and booking sales, tend to be "easy prey," Worldpay said, given the high number of card transactions processed by these sites. Clothing and footwear stores account for about 16 percent of online fraud. Worldpay's data also shows that 11.6 percent of online fraud involves the "jewelry, beauty and gifts" sector.
In a statement about the Worldpay data, Lansdale took small businesses to task for not doing enough to protect card data. "You wouldn't leave your store unlocked overnight, yet so few businesses are doing enough to protect their online shop fronts and keep hackers at bay," he said.
EMV raises issues in U.S.
Meanwhile, U.S. payments expert Avivah Litan, Vice President and Distinguished Analyst at Gartner Inc., warned in a new research note that poor implementations of EMV chip technologies are proving a boon to fraudsters. She predicted that by year-end 2015 at least 5 percent of card issuers will experience fraud on EMV cards due to improper implementations, up from a handful today.
Litan also wrote in a Feb. 2 blog post that because of the relatively slow adoption of EMV-compliant POS devices by U.S. merchants, the card networks and their participants should brace for at least five more years of dual-technology cards (mag stripe as well as EMV cards).
Litan and other experts have consistently pointed out that EMV chip cards are just one step toward better card data security, and even that security is minimal without also requiring PIN authorization of credit and debit card payments.
Under an aggressive implementation schedule set by the card brands, U.S. merchants are supposed to have terminals in place that can communicate with EMV chips in customers' credit and debit cards by Oct. 1, 2015. It's not exactly a mandate. Merchants can choose not to implement EMV, but if they don't, they are liable for any fraud losses that result from compromises of data from mag stripe card transactions they accept.
Many smaller merchants have balked at having to install EMV terminals, arguing that the costs of upgrading are greater than the likely cost of fraudulent payments from mag stripe cards. The National Association of Convenience Stores complained in a recent post to its website that the costs are especially high for independent gas stations.
NACS quoted an executive at one gas station chain who said the upgrade would cost $35,000 per location. (Aware of the additional costs and programming required to bring gas pumps into compliance with EMV, Visa Inc. and MasterCard Worldwide have given gas station operators an additional two years to upgrade the card terminals on their pumps.)
"Further, according to many industry forecasters, it's not likely that a majority of merchants or card-issuing banks will have implemented chip-/EMV-compatible cards or readers by that date [October 1]," NACS wrote.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.