Card-not-present fraud leads other types of payment fraud in countries that have migrated to the EMV standard. That is according to the U.S. Payments Forum, a nonprofit organization that includes global payments networks, financial institutions, merchants, processors, and other industry participants.
There are at least two reasons for this. First is the growing popularity of ecommerce. Second is that companies — networks, institutions, merchants — can be slow to adopt the right combination of fraud tools to adequately protect all parties.
CNP fraud prevention requires a layered approach. Static verification systems alone do not pass muster, as bad actors are quick to find ways to steal, hack, or spoof. While traditional, static tools require the user to submit information (such as addresses and other unique data), they do not prove that the user actually has any association to it.
Static Verification Tools
Merchants have traditionally relied on verification tools that are quickly and continuously being outsmarted by crooks. When used alone, these tools fail to adequately deter fraud.
Address verification service. This tool is used by most online retailers. It asks the customer to provide the billing address associated with his credit card. The system then matches that address to the billing address on file with the issuing bank.
The problem. Confirming a billing address does not prove that the person owns the card. Fraudsters can steal this information — data breaches often include billing addresses — and then use it for purchases. AVS alone does not prevent them.
IP address geolocation. This prevention method has the right idea, but the application is flawed. IP addresses enable merchants to verify that the geolocation of the person attempting a purchase matches the billing or shipping address. IP address checks can also automatically block orders from high-risk locations and countries.
The problem. There are many. For one, fraudsters now have tools that allow them to use any IP address. Some use malware on the cardholder’s computer to identify that address. Also, IP address verification can create problems for legitimate cardholders who are traveling or who use virtual private networks for privacy.
3-D Secure. This protocol provides an additional verification method for online transactions. It requires three participants — the merchant, the cardholder’s bank, and the issuer (such as Visa or MasterCard) — to approve a purchase. Verified by Visa and MasterCard SecureCode use the 3-D Secure process. Cardholders must create a password for each card, as well as provide personal information, such as their social security number.
The problem. It is not difficult for crooks to steal personal information that can then be used to enroll or complete purchases through the 3-D Secure system. Moreover, redirecting consumers to the issuer’s 3-D Secure system during the checkout process lowers conversions.
Dynamic authentication provides essential protection without the friction. It relies on artificial intelligence and real-time data analysis to decline fraudulent orders and to lower the number of false declines of legitimate ones. We addressed the topic last week, in “Intelligent Ways to Manage Fraud.”
Online retailers should consider dynamic, risk-based authentication methods. They improve the customer experience while providing greater security for the merchant.
Real-time transaction analysis enables card user authentication before purchase authorization, providing an additional layer of security to the purchase process. It helps to identify unauthorized transactions by validating the payment details against prior purchase history, biometric and geolocation data about the payment device, malware characteristics, and other data. It eliminates automatically redirecting users to a third-party site for 3-D Secure — verification is only prompted when necessary.
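The layering described above can be sketched as a risk score that treats static checks as inputs rather than verdicts. This is an added example, not code from the article or any vendor; the field names, weights, and thresholds are constructed assumptions, and the hand-set rules stand in for a trained model.

```python
from dataclasses import dataclass

@dataclass
class Order:
    avs_match: bool            # static: billing address matched the issuer's record
    ip_country: str            # static: country from IP geolocation
    billing_country: str
    device_seen_before: bool   # dynamic: device previously used by this cardholder
    amount: float
    typical_amount: float      # dynamic: cardholder's usual order value
    orders_last_hour: int      # dynamic: purchase velocity on this card

# Constructed thresholds (assumptions, not taken from any real product).
STEP_UP_AT, DECLINE_AT = 40, 70

def risk_score(o: Order) -> int:
    score = 0
    if not o.avs_match:
        score += 30
    if o.ip_country != o.billing_country:
        score += 15            # weak signal: travelers and VPN users trip it too
    if not o.device_seen_before:
        score += 25
    if o.typical_amount > 0 and o.amount > 3 * o.typical_amount:
        score += 20            # far above prior purchase history
    if o.orders_last_hour >= 3:
        score += 30
    return score

def decide(o: Order) -> str:
    s = risk_score(o)
    if s >= DECLINE_AT:
        return "decline"
    if s >= STEP_UP_AT:
        return "step_up"       # only now send the shopper to 3-D Secure
    return "approve"

# Constructed sample orders.
traveler = Order(True, "FR", "US", True, 60.0, 55.0, 0)       # legitimate, abroad
stolen_card = Order(True, "US", "US", False, 900.0, 55.0, 4)  # breached address passes AVS
new_device = Order(True, "US", "US", False, 200.0, 55.0, 0)   # ambiguous

if __name__ == "__main__":
    for name, o in [("traveler", traveler), ("stolen_card", stolen_card),
                    ("new_device", new_device)]:
        print(name, risk_score(o), decide(o))
```

The stolen-card order passes both static checks yet is declined on history, device, and velocity, while the traveler's IP mismatch alone never reaches the step-up threshold.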
Dynamic fraud prevention is the way of the present and future for CNP merchants. When combined with static tools and tokenization — substituting sensitive information with a non-sensitive equivalent (a token) — merchants can improve data security and increase consumer trust.