As the threat of card not present (CNP) fraud continues to rise, a recent survey suggests many consumers are willing to take extra steps during a transaction to block online card fraud if their bank offered the option.
But only 38% of consumers who shop online have ever encountered the option to participate in two-factor authentication to affirm their cardholder status when shopping online, according to new data from Auriemma Consulting Group.
The finding underscores a conundrum for banks and merchants grappling with fast-rising online fraud rates in the booming e-commerce environment: Merchants and banks intent on driving sales volume are loath to introduce speed bumps to the checkout process.
CNP fraud is on track to surpass $7.5 billion by 2020, and the problem is generating a lot of industry buzz, Most agree the U.S. migration to EMV could only accelerate CNP fraud’s growth, as thieves shift their activity from the point of sale to the Web.
Merchants currently bear the brunt of CNP fraud, unless they add fraud-deterrent services harnessing the technology of 3D Secure, which shifts chargebacks to issuers. A recent makeover smoothed out some of the friction 3D Secure introduced to the checkout process, but merchants remain wary from past experience and relatively few have embraced it.
Consumers also are aware of the growing threat of fraud when shopping online, according to Auriemma’s recent survey. Even though the card networks’ zero-liability policies generally protect them from personal losses, 70% of consumers Auriemma surveyed said they would be likely to use two-factor authentication if their bank offered such a service.
But banks may have reluctance equal to merchants about making any changes in consumers’ online checkout processes, because they're not showing much interest so far in trying out a new technology that promises to block CNP fraud via two-factor authentication.
Tender Armor, a Fort Lauderdale, Fla.-based startup, in late 2015 announced CvvPlus, designed to block fraud for online and over-the-phone transactions where a card isn’t present. To thwart fraud where thieves may have stolen card data including the CVV2, Tender Armor provides an alternative CvvPlus code that's generated anew each day to authenticate the cardholder's identity.
“We’ve had a lot of interest, but the sales cycle is proving to be very slow,” said Madeline Aufseeser, Tender Armor’s CEO and co-founder.
Once a bank enables CvvPlus on a credit or debit card account, cardholders must add the three or four-digit code each time they initiate a card transaction online or over the phone. Tender Armor sends a new code daily via text message or through an app
“It's just one extra step for consumers to check their text message or click on the CvvPlus app to get the code, and it effectively blocks CNP card fraud, protecting all parties,” Aufseeser said.
Tender Armor is in discussions with several banks and one is preparing to test the service, but most are still evaluating their options, Aufseeser said.
“In the U.S. market, banks have a level of concern about CNP fraud, but they’re not necessarily willing to take aggressive action on it yet,” she noted.
One reason is that chargebacks are rising through all channels, both in-store and online, and banks don’t have good systems to sort out the sources and possible solutions for fraud rising across the board, Aufseeser believes.
“As the EMV migration evolves, there’s a lot of conflicting data about where exactly card fraud is coming from and who’s paying for it, and banks are writing a lot of it off,” she said.
Analysts are on the fence about whether two-factor authentication will take hold broadly.
Some consumers will be willing to take extra steps, but some would likely find it inconvenient, said Patricia Hewitt, CEO of PG Research & Advisory Services in Savannah, Ga.
Recent alarms about “security holes” in SMS messaging also could be a drag on text-based security programs, Hewitt pointed out.
“I believe ultimately what we’ll end up with is a triangulation security grid that will use a combination of biometrics, geolocation and device fingerprinting to validate transactions, all behind the scenes,” Hewitt said.
It remains to be seen how many consumers are willing to pause mid-transaction to add the code, but many they seem open to the idea, according to Auriemma’s survey.
More than a quarter of survey respondents said they would be very likely to use two-step authentication (27%), while close to half (43%) said they would be somewhat likely, and less than a quarter (22%) said they would not be very likely to use it. A fraction (8%), declared they would be unlikely to use two-step authentication.
Plenty of respondents also worry that two-step authentication will be a hassle. Forty-three percent of respondents agreed the two-step process is more trouble than it’s worth, while 59% disagreed with that idea.
Among those likely to use two-step authentication, the approach they would prefer varies. Nearly a third, or 30%, said they would prefer to answer additional security questions, while 26% said they preferred biometric authentication, such as scanning their fingerprint. Equal numbers of consumers—21% each—said they would prefer entering a PIN or entering a unique code sent via text.
The majority of consumers prefer security over speed when paying online. For a $100 debit card purchase, 87% of consumers said it’s most important their purchase is secure, even if it takes longer to check out, compared with 13% who said they would prefer a fast transaction over one that required more security steps.
Auriemma conducted its survey online among 500 consumers in May 2016.