Card-not-present (CNP) fraud is generating quite a bit of chatter in financial and payments circles today. Much of the talk centers on the link between greater global use of the EMV standard and rising CNP fraud.
The connection is legitimate, as counterfeiting artists have a much more difficult time duplicating chip cards than they do cards with a magnetic stripe. In the face of this new adversity, criminals in areas of the world where EMV has taken a firm hold are following the path of least resistancenamely online, mail order and telephone fraud. Its certainly happening in Europe, where CNP fraud surged
Of course, fraudulent online, mail order and telephone transactions posed a significant and growing threat long before the EMV standard began to take hold around the developed world. Todays CNP fraudsters arent exactly on the cusp of a new trend; their tactics have been effective for decades.
CNP fraud makes up 16% of the entire U.S. card fraud picture today, which resulted in more than $5.3 billion in losses in 2013. Much of the CNP fraud growth is fueled by consumer comfort with online transactions. As well, the development of several new payments tools has made electronic transactions so simple they become almost carefree. By 2017, U.S. consumers are expected to spend
For many years, issuers were able to shrug their shoulders when it came to CNP fraud. Thats because most losses from fraudulent e-commerce transactions could be charged back to the merchant. Today, however, with increased merchant enrollment in 3D Secure protocol programs, such as Verified by Visa and MasterCard Secure Code, CNP chargebacks have been virtually wiped out. If a merchant participates in either of these programs and a fraudulent transaction gets through, the issuer no longer has chargeback rights.
However, not all merchants are on board with the 3D Secure protocol. In fact, some have coined the innovation a conversion killer, mainly because it can disrupt an otherwise seamless online checkout experience for consumers. Yet for every naysayer, there is a supporter. Most recently, a Dutch e-commerce processor conducted a survey to support the idea that 3D Secure can actually
Issuers are, understandably, a bit stand-offish on programs that threaten their chargeback rights. Beyond the potential to damage the bottom line of card-issuing credit unions and banks, 3D Secure programs also have a long way to go before they are as secure as they hope to be one day. Both Visa and MasterCard have made commitments to continue to improve the programs security and to also develop strategies that allow the protocol to offer merchant and issuers equal rights.
Still, the fraud risk from online transactions has become problematic for merchants and issuers. Fortunately, the industry has hardly thrown up its hands. On the contrary, innovation in authentication methods is alive and well.
Among the new technologies being bandied about the industry, the use of payment tokens, or tokenization as its commonly called, offers the greatest potential to slow the growth of CNP fraud in the U.S. Thats because the process replaces all of that coveted card account data with a single, secure token. The token has zero value for a fraudster because it would have to be decrypted, and the only entities capable of doing so are the major card networks.
Today, card data, such as the Primary Account Number (PAN), is static. As soon as a fraudster has obtained it, the data can be used multiple times for a variety of nefarious purposes. Worse, merchants are storing this vulnerable data in what we have seen to be insecure ways. Tokenization, on the other hand, replaces that PAN data with a unique token, and storage of cardholder data is limited to the tokenization system. This removes a hefty burden from the worlds merchants, who are increasingly under attack from data-hungry hackers.
Tokenization and EMV are similar in that they both use dynamic data to prevent duplication. Unlike EMV, however, tokenization is a technology that is nearly invisible to the cardholder. Think of it like fraud-prevention strategies in the background of a portfolio its another layer of security running completely behind-the-scenes. Cardholders only become aware of the security measures when they have been victimized or when a suspicious transaction has been flagged. Otherwise, its a non-intrusive way to keep an eye on consumers accounts with minimal involvement from the cardholder.
Although tokenization is mostly theoretical today, the development of standards is underway. EMVco, for instance, released its technical document for implementing tokenization in online or mobile environments in March 2014. MasterCard, Visa and American Express have also
The most important change an issuer can make is to hone its fraud-detection strategies to identify and prioritize accounts where a transaction has been declined by a 3D Secure module; those accounts should be queued for review by a human fraud analyst.
Card issuers may want to take their fraud-prevention measures further by writing strategies that analyze other risky attributes, such as dollar amount region or risk scores. In the event the 3D Secure validation for a fraudulent transaction is authenticated, allowing a fraudster or account takeover artist to move forward with the transaction, those strategies would fill in behind 3D Secure, acting as a second layer of protection.
The new state of the CNP chargeback, in combination with the predicted increase in e-commerce and online fraud in the wake of EMV, has forced card issuing financial institutions to pay more attention to their CNP fraud strategies. As fraudsters acclimate to the new world of payments, issuers, too, must adjust their strategies to keep fighting the good fight.
Nicole Reyes is a senior fraud prevention analyst for The Members Group (TMG), and Brandon Kuehl is a senior product manager for TMG.
