Getting Ahead of the Curve: Assessing Card-Not-Present Fraud in the Mobile Payments Environment
The U.S. retail payments industry is undergoing significant change to secure card payments by migrating to EMV chip cards for card-present or point-of-sale (POS) transactions. Effective October 1, 2015, card network operating rules changed to shift fraud liability to any merchant that was not enabled to accept EMV chip credit or debit cards. As a result, merchants have been upgrading their terminals to comply. Enabling EMV chip card acceptance at the POS reduces card-present counterfeit fraud by removing the opportunity for fraudsters to compromise payment card credentials. However, this is driving fraudsters to attack the more vulnerable online and mobile card-not-present (CNP) 1 channels, which have weaker authentication protocols, at a time when consumers are increasing their use of mobile phones to make CNP purchases. According to a 2016 Javelin study, consumer use of the mobile browser to make online purchases doubled from 2011 to 2016, and the availability of mobile apps to make online purchases is adding to that trend. 2
Recognizing that these trends are predictors of future CNP growth, industry stakeholders are closely monitoring the CNP landscape and assessing existing security controls for gaps to understand what is needed to protect against new risks and threats. This whitepaper describes the work of the MPIW 3 to identify and analyze potential areas where mobile commerce is vulnerable to fraud and other threats. The analysis was conducted within a framework of four use cases to which existing wallet models were mapped. The group identified potential risks and threats for each model and then compared risks across models. It completed the analysis by outlining key controls and tools to enhance security for the wallet models within the use cases.
The whitepaper first provides an overview of the current CNP landscape (Section III). This context is based on the impact of CNP fraud in European countries and Canada after they migrated to EMV chip cards, and the overview also shows the growth trends for e-commerce and m-commerce transaction volume. The paper then describes the framework used to analyze the four mobile CNP use cases and the subsequent comparative analysis across functions and risk factors (Section IV). It concludes by describing several gaps and issues associated with security approaches, as well as recommendations for industry stakeholders to consider for improving CNP payment security.