Javelin, Visa offer different takes on whether card fraud is moving online

Visa says there is no increase, Javelin said CNP fraud is up 40 percent

stolen credit card

According to a report released last week by Javelin, card-not-present fraud went up 40 percent this year, but according to Visa, there has been no increase in the rate of online fraud. 

The increase in card-not-present fraud was part of a general increase in fraud, reported Javelin.

"We've been measuring fraud for over a decade and this past year is very significant because we hit a record high as far as the number of victims of identity fraud," said Al Pascual, research director and head of fraud and security at Javelin Strategy & Research.

But there was some good news last year.

While total losses added up to $16 billion, an increase over last year's $15.3 billion, it was still down significantly from a peak of $22 billion in 2012. And the average loss per victim last year was just $1,035, down from $1,165 in 2015 and $1,727 in 2012.

Companies are getting better at protecting against fraud and in detecting it quickly when it does occur, he said, through use of analytics and notifications.

"We have more tools to bring to bear generally," he said.

But the total instances of fraud went up, particularly when it comes to account takeover and card-not-present fraud.

There were 15.4 million victims total last year in the U.S., 6.15 percent of the population, and an increase of 2 million from last year.

Account takeover fraud losses were up 61 percent from 2015, to $2.3 billion in 2016, and incidents rose by 31 percent.

Another area of growth was card-not-present fraud, which was up 40 percent. This was due to the 2015 liability shift, which has caused many merchants to switch to more secure, chip-based card readers at the point of sale.

Criminals with stolen credit card numbers, stymied by new security in physical stores, moved online.

"It's not as though we are getting better, and criminals stand still," Pascual said. "They're finding workarounds."

However, according to Visa, there has been no increase in the rate of card-not-present fraud.

"We're not seeing an increase in the rate of online only fraud," said Stephanie Ericksen, vice president of risk and authentication products at Visa International.

The credit card company recently released a report about the migration to chip-based cards.

"There has been a lot of progress in helping prevent and drive down fraud in the card-not present space," she said. "Tokenization, data analytics, improved risk scores to deter fraud and prevent it -- that is something we made significant investment in and are moving forward to help companies implement them."

The difference between the two reports is because of the things being measured, said Visa spokesman Fabricio Migues.

"The Javelin study is based on a survey of about 5,000 consumers," he said. "Our data is based on millions of actual transactions. That is a very important distinction."

He also added that while the total amount of card-not-present fraud is up, so is the number of card-not-present transactions.

"Based on the data we see, we are not able to attribute CNP fraud trends directly to chip," he said.

Javelin defended its numbers.

"We conducted our independent study and are reporting on number of victims of CNP fraud in 2016, in this case," said Pascual. "Our findings are consistent from what we have heard from others in the space, including merchants, issuers, and other networks."

The Visa report also went into more depth about the status of the EMV migration.

As of the end of the year, 39 percent of all merchants and 49 percent of the payment volume was on chip-enabled terminals, said Visa's Ericksen, and counterfeit fraud was down 52 percent at the merchants who made the switch.

The number of chip-enabled Visa cards in circulation nearly doubled over the course of the year, to more than 408 million, and the number of merchants with chip-enabled terminals more than doubled, to 1.8 million.

The EMV migration liability shift date was in the fall of 2015 -- that is when merchants became liable for fraud if they still had the old, magnetic stripe card readers.

But the transition is moving along at a reasonable rate, Ericksen said.

"From what we've seen in other countries around the world, it does take them two to three years after the liability shift date to get to 60 percent of the volume," she said. "This is a migration. It's not a one-time event. Every merchant is going to make the implementation investment decision at a time that makes sense for them."

For example, merchants with high-ticket products, or high fraud rates, made the switch first, she said.

"We have seen some significant adoption in certain key merchant segments," she said. "Electronics stores, home goods stores and department stores, a lot of those were some of the first to go to chip technology, as well as pharmacies and drug stores."

Want to speak out on fraud? Head to our Facebook page.

Copyright © 2017 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline