Card Not Present Fraud: A Growing Threat for Merchants
When the ability to purchase goods and services on digital platforms is simple and secure, everybody wins: merchants, banks, and consumers. Making those transactions both simple and secure, however, is becoming increasingly difficult.
Many factors—including the expanding implementation of EMV chip technology—have contributed to a dramatic rise in card not present fraud. In this article, we’ll take a closer look at this disturbing trend, and ways that merchants can protect themselves.
The Important Role of CNP
The term “card not present,” or CNP, refers to transactions that depend on manual entry of credit card information without the physical presence of the credit card itself. The term is most commonly applied to purchases over the internet. As ecommerce continues to grow, CNP transactions are taking on a larger role—according to estimates, anywhere from 9% to 25% of all credit card purchases are CNP transactions.
But consumers can be demanding: not only do they want the quickness and convenience of online shopping, they also insist the process be as frictionless as possible. Unfortunately, this need for speed and simplicity often comes at the expense of security.
As merchants work to secure the shopping experience for customers, criminals are working on new, easier ways to make fraudulent purchases.
The Weakest Link, the Highest Cost
While EMV chip implementation made POS card fraud more difficult, card not present fraud skyrocketed in response and is expected to cost retailers upwards of $70 billion over the next five years.
Almost by definition, the legitimacy of CNP transactions is hard to verify. Without access to the physical card, merchants can’t know for sure whether they’re dealing with the actual cardholder or an imposter. Cybercriminals see this as a weak link in the transaction process, and the easiest point at which to use authentic information for fraudulent purchases.
Card not present transactions are highly susceptible to fraud. Even with security in place, card not present fraud prevention methods can be manipulated, leaving merchants vulnerable.
Card Not Present Fraud: How It Happens
CNP fraud starts with stolen information. Cyber-thieves use a variety of tricks to hijack authentic card details.
“Skimming” involves grabbing card information when the cardholder isn’t paying attention: a waiter, for example, could jot down numbers while ringing out a restaurant customer. Another trick fraudsters use is “phishing,” where the fraudster sends emails—allegedly from an official entity—hoping that users will respond with personal data.
Cardholder data is also increasingly available on the black market. Hackers gain access to the servers of retailers, restaurants, or other sources, then sell the stolen files to others who use them for criminal purposes.
No matter how it’s obtained, once cybercriminals have the information, they make fraudulent purchases.
Some may immediately try to buy as much as they can before they’re discovered, then delete the card info. Others may build elaborate false identities involving multiple cards and maintained over several years. As long as fraudsters can deal primarily with data (as opposed to actual cards), they’ll be making CNP transactions.
Why CNP Fraud Hits Merchants Harder
It’s important to understand that not all credit card fraud is created equal. In most cases of card not present fraud, the merchant bears the brunt of the loss, whereas in cases of card-present fraud, the credit card issuer is more likely to take the hit.
(In either case, cardholders are seldom liable for fraudulent purchases on their accounts, which is a key factor in the rise of so-called “friendly fraud.” Check out our guide on Preventing Friendly Fraud.)
Once fraudsters have the cardholder’s account information, preventing card not present fraud becomes exponentially more difficult. Unfortunately, acquiring the data usually happens before the merchant enters the picture; except for protecting their own client files, there is little merchants can do to stop the theft of cardholder data.
CNP Fraud and the Rise of Cyber Shoplifting
Detecting card not present fraud before it happens is difficult, but not impossible. Some credit card companies, for example, use newer technologies that can identify and flag attempts to purchase items that don’t seem to match the account holder’s typical card usage. In some instances, the bank will stop the transaction until the customer is heard from.
The technology is far from perfect, of course, but it can help. There is another scenario, however, that is almost impossible to detect until after the fact: cyber shoplifting.
Here’s how it works:
This type of friendly fraud can be committed by anyone, including loyal customers. Sometimes it even happens innocently, as customers confuse a chargeback with a merchant refund. But the problem is amplified when CNP fraudsters are the source: by misusing the legitimate chargeback system, criminals draw much less attention to themselves and are therefore harder to stop.
How Criminals Hide Behind Friendly Fraud
With typical card not present fraud, there is usually a very small window of time between the first fraudulent purchase and its subsequent discovery. Criminal fraudsters will normally go for larger items, such as electronics, or try for as many transactions as possible to increase their odds of some success. This method has the best chance of a large upfront payoff; ironically, it also makes it easier to spot the fraudulent action.
With friendly fraud, however, the waters are murkier. If the fraudster is using info from an actual cardholder, any distinctions in buying patterns are likely to be slight. Automated detection measures may spot some aberrations, but a careful fraudster will game the system.
If chargebacks and other fraudulent activity are linked to a fictional cardholder, there is usually no direct trail back to the fraudster. When banks or merchants discover fraudulent activity, the criminal simply stops using that account, effectively “destroying” the card.
Fighting Card Not Present Fraud
As mentioned before, criminal CNP fraud usually starts long before the merchant has any control, but there are certain steps that can help mitigate risk.
The most effective ways to combat criminal CNP fraud are the most obvious: merchants need to use an address verification service (AVS), and always require the 3-digit CVV security code located on the back of cards. Insisting on both can help verify that the purchaser has the actual, physical card in hand, and is therefore more likely to be the legitimate cardholder.
Other ways to authenticate cardholders include using software to monitor and record the device, IP address, and IP geolocation velocity of a transaction. If the information doesn’t jibe with the cardholder’s purchase history, it might be fake. That may sound extreme, but once the purchase is shipped, the fraudster is in control of the situation.
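The checks described above can be combined into a single pre-shipment review rule. The following Python sketch is an added example, not code from the article or from any payment processor. The field names, the 900 km/h threshold, and the sample orders are constructed assumptions, and it assumes the AVS and CVV results and the IP geolocation lookup have already been obtained from the merchant's gateway.

```python
import math
from datetime import datetime

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruising speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def review_reasons(txn, history):
    """Return the reasons a CNP order should be held for manual review."""
    reasons = []
    if not txn["avs_match"]:
        reasons.append("avs_mismatch")
    if not txn["cvv_match"]:
        reasons.append("cvv_mismatch")
    if history:  # device and velocity checks need prior orders on the account
        if txn["device_id"] not in {h["device_id"] for h in history}:
            reasons.append("new_device")
        prev = max(history, key=lambda h: h["time"])
        hours = (txn["time"] - prev["time"]).total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], txn["lat"], txn["lon"])
        # Ignore small moves (geolocation noise); flag implausible travel speed.
        if km > 50 and (hours <= 0 or km / hours > MAX_KMH):
            reasons.append("geo_velocity")
    return reasons

# Constructed sample data: one prior order, then two new orders on the same card.
HISTORY = [{"time": datetime(2024, 3, 1, 10, 0), "device_id": "dev-a",
            "lat": 41.88, "lon": -87.63}]                      # Chicago
SUSPECT = {"time": datetime(2024, 3, 1, 11, 0), "device_id": "dev-b",
           "lat": 51.51, "lon": -0.13,                         # London, 1 h later
           "avs_match": False, "cvv_match": True}
NORMAL = {"time": datetime(2024, 3, 1, 13, 0), "device_id": "dev-a",
          "lat": 43.04, "lon": -87.91,                         # Milwaukee, 3 h later
          "avs_match": True, "cvv_match": True}

if __name__ == "__main__":
    print(review_reasons(SUSPECT, HISTORY))
    print(review_reasons(NORMAL, HISTORY))
```

Returning reasons rather than a hard decline lets the merchant decide how much checkout friction each signal is worth.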
With all that in mind, however, merchants still need to understand that only a small percentage of CNP fraud actually results from large-scale criminal activity. Many of the precautions against criminal fraud slow down the check-out process and frustrate true customers. Merchants need to balance the true costs—including loss of business—of criminal fraud against any perceived benefit.
The Future of CNP Fraud
Preventing card not present fraud is not easy or cheap, especially considering the demands of a more integrated cross-border eCommerce environment. The threat is not going away any time soon, though. Merchants must do all they can to safeguard customers’ data while simultaneously making sure they don’t become victims of fraud themselves.
Evolving technologies show promise, but have their own limitations. Biometric recognition, where online purchases require a user’s fingerprint or other physical proof, offers accuracy and convenience … but raises questions about security and privacy. Card recognition—essentially requiring users to equip their devices with personal card scanners—could increase security, but the logistics of putting such a program in place are daunting.
All the same, criminal fraudsters are continually coming up with new techniques and leveraging new technologies. Fraud managers must remain up-to-date on software patches and best practices to protect their customers and their business.
Running a business can be overwhelming enough, without having to worry about the risk of fraudulent transactions. At Chargebacks911®, we can help you mitigate your risk of card not present fraud, so you can concentrate on your business. Contact us for more information and a free demo.