What Retailers and FIs <i>Don't </i>Want this Holiday Season
December 9, 2016 12:13 PM
With the holiday shopping season underway, retailers are preparing for an influx of payment volume from shoppers and scammers alike. And credit unions are concerned about how fraudsters could spoil the holiday season for some shoppers and their FIs. Here are a few of the problems facing this years shoppers.
EMV Issues
While most financial institutions have implemented EMV "chip and PIN" technology or are in the process of rolling it out, FIs are still liable for any losses that consumers incur as a result of retailer data breaches.
"Data breaches have exceeded last year's record, and millions of consumers have already had their information compromised, yet retailers continue to resist critically needed national data security standards," said Dan Berger, president and CEO of the National Association of Federal Credit Unions. "With this void in protection, every retailer's sale sign is a welcome sign for cybercriminals and a hazard for consumers who may unwittingly fall victim to a retail data breach."
According to Identity Theft Resource Center, there have already been more than 900 data breaches in 2016, a marked increase over last year's 781. The business sector which includes retailers has been responsible for 397 (44.1%) of this year's braches, with 5.5 million consumer records exposed.
NAFCU and the Credit Union National Association continue to press Congress to implement stricter data security standards for merchants.
Debit Fraud Up
A new report Federal Reserve report shows that debit-card fraud losses rose by 44% between 2013 and 2015, totaling more than $2.4 billion in losses for merchants, cardholders and card issuers. The average loss last year was 10.3 basis points as a share of transaction volume an increase from eight basis points in 2013. Average fraud lose as a share of transaction value for the median covered issuer were 6.6 basis points (0.066%), an increase from the 5.1 figure in 2013. The average fraud prevention and data security costs for median covered issuers was just 1.9 cents per transaction.
Retailers may be worried about how trustworthy their temporary holiday staff is, but they should be even more concerned about their permanent workers. The number of permanent employees who accessed or sent sensitive data they should not have increased sharply to 30% in 2016 from 7% in 2015, according to IT and security professionals surveyed for Bay Dynamics' pre-holiday retail cyber risk report. By contrast, only 6% of security professionals say their temporary workers have access to personally identifiable information, and only 13% say their contractors can access that type of information.
Retailers should also be concerned that their point of sale terminals don't have the latest card security, making them a more appealing target for fraudsters. Overall, 37% of all U.S. merchant locations are now EMV-enabled, according to Visa. While this is huge progress from the 2015 holiday shopping season, it leaves the majority of merchants using less-secure magstripe payments. New Jersey has the highest rate of merchant adoption, but even it hasn't passed the halfway mark, with just 48% of stores chip-enabled.
Retailers may get some relief from consumers who are proactive enough about account security to activate mobile card controls, enabling them to block payments altogether or under certain conditions if they fear their card has been lost or stolen. But retailers should not simply trust consumers to use this feature. "While a niche group of security-minded consumers will use controls, the fact remains that consumers still are a bit lazy when it comes to these things, because they have very little skin in the game," said Julie Conroy, research director for Aite Group.
Another consumer attitude that could shape fraud trends is the prioritization of speed over security. In the U.S., 48% of gamers would switch payment methods if a faster, easier method came along, while 43% would switch if an alternative payment method offered better discounts, and 41% would switch if another method provided superior security, according to research by PayPal.
Retailers are increasingly focused on driving traffic to e-commerce and mobile apps, but fraudsters are in just as big a rush to get there. Largely due to the EMV shift at the point of sale, many fraudsters are seeking to exploit account credentials online, where EMV-chip card technology adds no security. ACI Worldwide predicts that e-commerce fraud attempts will rise 12% globally this holiday season compared with last year, but in the U.S. online fraud attempts will spike much higher, reaching 43% by volume and peaking on Dec. 24.
If a breach does occur, merchants may face the unwelcome prospect of being in the headlines for weeks if not months for all the wrong reasons. Target and Neiman Marcus, for example, are still known for suffering well-publicized breaches during the holiday season years ago.
