BankThink

The New Digital Security Strategy Needs Many Layers

Although complete migration to EMV is expected to take up to seven years, CNP (card-not-present) merchants will struggle with increased fraud as criminals shift online to more vulnerable remote payments.

Multilayered authentication is critical for preventing card-not-present (CNP) fraud. A layered approach enables merchants to safeguard payments at all levels. By combining it with the industry best practices outlined below, merchants can offset the detrimental impacts of EMV on CNP payments and fraud.

Authentication is a way for merchants to validate both the legitimacy of the card itself and the identity of the person attempting to use it to make a purchase. Authentication is a top priority in the fight against CNP fraud because the merchant cannot view the actual credit card. There are a variety of ways to authenticate CNP payments. Some options include:

Device authentication – confirms that a certain device has been used for the transaction.

One-time password (OTP) – a password that can only be used once and is often time-sensitive.

Randomized PIN pad – allows consumers to enter a PIN and use a debit-enabled debit or credit card.

Biometric factors – a process that validates a consumer from a mobile device using tools such as facial recognition, voice recognition or fingerprint scanners.

Experts advise online companies to use a combination of at least two authentication methods. This approach will insulate merchants against CNP fraud more effectively.

Proprietary and transactional data assist with risk management and fraud prevention. Merchants, issuers and acquirers own proprietary data, which consists of lists of high-risk credit cards, email addresses, IP addresses and other similar information. Transactional data is information collected at the time of payment such as name and shipping address.

There are several other elements to CNP security.

AVS. Credit card companies and issuing banks provide Address Verification Services (AVS) to merchants in order to check submitted billing addresses. This is usually done during the authorization process on the credit card. Merchants will receive one of six codes from their payment processor to indicate what areas matched. AVS is very useful as part of a risk solution. Information provided through AVS can indicate whether a transaction is authentic or fraudulent.

3D Secure. Currently, this tool is a secure communication protocol that offers real-time cardholder authentication straight from the issuer during an online transaction. Payment networks have created products to enhance this method of fraud detection. This authentication technology is similar to the “chip-and-PIN” approach. It asks consumers to enter a unique PIN to authenticate the cardholder’s identity at the time of purchase. 3DS is beneficial to merchants because it can help reduce fraud, particularly when it’s used with other risk management tools.

Tokenization. This method is designed to replace card values with different values called tokens. They are unusable by any outsiders. Also, only specific merchants or channels have access. One of the most important aspects of this approach is that merchants never have to store sensitive data and don’t need to alter how payments are accepted or authorized. Tokenization is an important fraud tool for merchants because the data remains secure. Plus, since the token includes the last four digits of the credit card, it can be verified easily.

New Visa/MasterCard Technology. In the future, the hope is that MasterCard’s Chip Authentication Program (CAP) and Visa’s Dynamic Passcode Authentication (DPA) will be considered EMV for CNP transactions. Though not yet available in the United States, the concept is that handheld EMV readers, or even smartphone apps, can serve as a layer of protection against fraud for merchants in CNP channels. This method is still in development and could take a few more years before implementation.

Wearable biometrics. Personal devices continue to grow in popularity and aren’t just limited to smartphones anymore. Wearables—from Fitbits to Apple Watches to smart wristbands—are quickly becoming mainstream. The upside is that most of these devices are fitted with the ability to authenticate their owner via biometrics. These devices use the owner’s unique biometrics like heartbeat, fingerprint or even visual/face characteristics to authenticate and log in to online accounts, effectively replacing passwords and PINs.

As EMV continues to be fully adopted by more brick-and-mortar locations, multi-layered authentication becomes a must for every merchant in the online payments channels. With a layered approach in place, merchants have the necessary tools to protect their payments at every stage of the transaction process. By using the best practices featured here, e-commerce retailers will be better prepared to challenge friendly fraud successfully in a post-EMV world.

Manav Gupta is vice president of issuer products at Verifi, Inc.
