ThreatMetrix Strategies for Card Providers and Online Merchants to Counter Predicted Rise in Cybercrime When EMV Chip Cards Chase Bad Guys Online

Posted on May 14th, 2014 by Dan Rampe


Following recent data breaches at major retailers (Target and Neiman Marcus, et al.), American merchants will follow the lead of others around the world and drop magnetic stripes in favor of chips on the 1.2 billion credit and debit cards currently used in the U.S.

The new cards are called EMV. The “E” stands for Europay and the “M” and “V” stand for MasterCard and Visa, companies that first backed the idea of a chip to replace magnetic stripes. Credit card networks have set a deadline of October 2015 – less than 18 months away – for most U.S. merchants to adopt EMV payments systems. Following this deadline, any retailers and banks supporting magnetic stripe cards will be liable for fraud losses as a result.

“The U.S. is the final G-20 country to make the transition to EMV chip cards,” said Julie Conroy, retail banking research director, Aite Group. “While the transition will effectively address the rapid increasing rates of counterfeit fraud, fraudsters will focus their efforts more intensely online, as they have in all other countries that have made the switch to EMV. Merchants and issuers alike need to adjust their online defenses to combat the fraud while at the same time preserving the customer experience.”

Because they create a unique code for each transaction, EMV chip cards are much more difficult to hack or counterfeit than current striped cards. Therefore, many criminals have taken their “talent” for fraud, moved it online and become cybercriminals.

With the introduction of the EMV chip, UK credit card fraud has gone down dramatically according to Financial Fraud Action UK. However, online fraud increased 21 percent in Europe as a whole in 2012, in part due to the introduction of EMV cards.

“Card providers and online merchants need to be aware of the likely increase in online fraud associated with the adoption of EMV chip cards,” said Andreas Baumhof, chief technology officer, ThreatMetrix. “Retailers are up against a hard deadline to make the switch to EMV payments systems, but they need to be prepared for the influx of online fraud that will go hand in hand with the transition to EMV. We have seen this in every single country that introduced EMV – and it will happen here as well.”

ThreatMetrix has outlined several cybersecurity strategies to help merchants and card providers protect their businesses and customers during the transition to EMV chip cards, including:

Frictionless context-based authentication – To protect customers from the potential increase in online fraud, merchants and card providers should implement frictionless context-based authentication. This strategy enables businesses to establish trust for each account login based on a fully-anonymized user identity, device usage, geolocation, customer behavior and other factors without compromising the user’s identity or workforce efficiency.

Real-time trust analytics – To protect cardholders from potential online fraud or identity theft, merchants, card providers and other financial institutions should use real-time trust analytics. These offer instant analysis of device, location and behavioral context for every authentication attempt. Using a consistent set of identity authentication policies compared against global benchmarks derived from industry peers, the size and scale of the enterprise, geographic location and more, real-time trust analytics offer unprecedented identity authentication policies.

Effectively protecting customers, merchants and card providers means ramping up efforts to combat online fraud prior to the widespread adoption of EMV. The ThreatMetrix® Global Trust Intelligence Network delivers real-time intelligence that offers merchants and card providers consistent risk assessments of data and creates a digital persona of users by mapping their online behaviors and devices.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.




MasterCard, Visa and American Express Call for Hard-to-Counterfeit Credit Cards and Tokens Replacing Account Numbers to Help Plug Breaches

Posted on February 10th, 2014 by Dan Rampe


“Once more unto the breach, dear friends, once more; Or close the wall up with our English dead!” (Shakespeare, Henry V).

Piling up English dead to stop hackers sounds a mite extreme – especially if you happen to be English. However, MasterCard, Visa and American Express are pushing for new technologies to make it more difficult for cybercriminals to exploit businesses and their customers.

MasterCard CEO Ajay Banga said merchants and payment processors have to work toward chip technology and tokenization to improve security. “We’ve got to get ahead of this as we go forward otherwise you’re going to have [more breaches like Neiman Marcus and Target]. The more often it happens, the worse it feels.”

Chris McWilton, MasterCard’s president of North American markets, wrote merchants reminding them a “liability shift” is in the works. Merchants not upgrading to a safer technology would be responsible for paying for defrauded customers.

One of those technologies, writes Christina Rexrode on, is the EMV (Europay, MasterCard, Visa) chip, which is “sometimes called ‘chip and PIN’ or ‘chip technology’ [and is] supposed to be harder to copy than cards with only magnetic stripes.”

Visa’s CEO Charlie Scharf says he’s seen “a large number of the big merchants” commit to chip technology and “a number of the banks” already issuing chip cards.

Banga says, “Everyone needs to be on the bandwagon. Banks need to be there, merchants need to be there, governments are clearly there. We need to get the networks there and the acquirers there, and I think there’s a lot of progress on that front.”

Rexrode writes that “in markets where chip technology was installed, MasterCard [reported] it saw a 60% to 80% decrease in counterfeit fraud.” And, while chip technology would not have prevented a data breach like the one Target suffered, MasterCard’s Banga said chip technology would make stolen data, “much, much, much less valuable to a fraudster, because it’s tough to counterfeit the card, and it’s almost impossible to duplicate all the unique data that flows for that transaction to get approved.”

Tokenization is another safeguard that MasterCard, Visa and American Express are urging be adopted. Tokenization lets customers shop online without entering their account numbers which are replaced by other identifiers known as tokens.

ThreatMetrix secures Web transactions against account takeoverpayment fraudidentity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 2,500 customers and 10,000 websites across a variety of industries, including financial servicesenterprisee-commerce, payments, social networks, government, and insurance. For more information, visit or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.