Static online security isn't enough to stop post-EMV fraud
The U.S. Payments Forum’s report on global Card-Not-Present (CNP) fraud shows that CNP fraud is the most prevalent type of payment fraud reported in countries that have migrated to EMV technology, and it continues to increase.
Canada, for instance, introduced EMV in 2008 and witnessed CNP fraud quadruple since then. Australia started adopting EMV in 2003 and saw CNP fraud increase 5 times in the period 2008-2014. In an effort to limit CNP fraud, payment service providers in many countries have deployed various fraud prevention tools, such as Card Verification Numbers (CVN), E-mail Address Validation (AVS), 3D Secure, and Transaction Risk Analysis (TRA).
Several of these technologies have proven to be effective. However, CNP fraud continues to increase because of the rapid growth of e-commerce and because fraud prevention tools have not been fully adopted by all stakeholders.
To reduce exposure to CNP fraud, all stakeholders , including merchants, issuers, acquirers, and financial institutions, should adopt a layered approach to secure payment data.
Stakeholders should move away from solutions that rely on static data such as Card Verification Numbers, because they are ultimately susceptible to the same fraud schemes that cause CNP fraud. Instead, stakeholders should migrate to dynamic, risk-based authentication, both to eliminate cardholder friction and to improve the online shopping experience. Key examples of such dynamic solutions:
Real-time, automated transaction risk analysis allows detecting unauthorized, fraudulent payments by validating a payment’s details using the payer’s purchase history, information about the type and location of the payer’s device (e.g. IP-address, geolocation, device fingerprint), malware characteristics, etc. This type of solution is at the heart of the European Banking Authority’s Regulatory Technical Standards (RTS) for strong authentication of users of payment services in Europe.
3D Secure allows merchants to delegate authentication of the payer to the financial institution that issued the payer’s credit card. The financial institution should perform strong authentication of the payer, for instance using one-time passwords generated using a payment app, or via authentication codes delivered via SMS to the payer’s mobile phone. It is promising to see that approximately 50% of merchants evaluate payer authentication using 3D Secure as an effective tool to mitigate payment fraud, and we expect this rate to increase further.
Tokenization, which replaces sensitive information (e.g. a credit card number) with a non-sensitive value (e.g. a one-time credit card number), ensures that merchants don’t have to process sensitive credit card numbers anymore, making them a less attractive target for fraudsters, and making it easier for them to comply with PCI DSS requirements.
Stakeholders should ideally incorporate these fraud prevention tools into their EMV migration strategy to address both card counterfeit fraud and CNP fraud.