The expected 100% growth in card not present (CNP) fraud by 2018 threatens small and medium businesses as well as enterprises, and companies need to shore up their data and customer analytics now to stem the tide.
That’s a huge number, more than double the expected 2015 CNP fraud total, but history supports it. CNP fraud rates have gone up dramatically in every region that has already implemented EMV technology. Five-year rates for card-not-present fraud rose by 100% in the UK, 233% in Canada, and more than 360% in France after EMV adoption. How can US merchants guard against this incoming wave of CNP fraud?
Verify your transaction data. Work with a payment service provider that offers comprehensive tools for authentication of identity, address, and card data. That includes CVV and CVV2 settings. As more criminals move into CNP, it's crucial that your business has access to the most up to date methods for spotting stolen card numbers and stolen identities.
In-house screening should also be more stringent and more focused on cross-border transactions. International transactions already carry a higher risk of fraud and chargebacks, and that’s expected to increase as part of the overall CNP fraud boom. When in doubt, call the customer and verify the data. Building detailed and up to date internal negative and positive reference files will speed up the manual screening process over time.
Analyze your customers’ behavior. Of course, skilled criminals can produce authentic-looking data to push a fraudulent transaction through. Behavioral analytics can combat that by evaluating customer behavior in real time. Carol Alexander of CA Technologies describes behavioral analytics as a form of “advanced authentication” because it can determine if the cardholder is really who he or she claims to be. People’s online behavior patterns usually don’t change dramatically, so a change in known cardholder behavior during shopping and checkout can flag a transaction for further screening.
Hide all transaction data. Now is the time to review your company's overall data security practices, especially transaction data transmissions. Even if your company doesn't store cardholder data, you can still be vulnerable to theft when transaction data is transmitted. Unless you're compliant with PCI-DSS standards, you're liable for potential fines of thousands of dollars per month if customers are victimized by a breach in your network. The easiest way to ensure ongoing PCI-DSS compliance is to partner with your payment service provider, who should be able to give you the tools and advice needed to validate compliance.
Other strong data-protection tools are tokenization and encryption—and merchants can’t just assume they’re automatically provided by their payment gateway. If your company doesn’t already use P2PE (point to point encryption) and tokenization, now is the time to talk with your payment processor about getting those tools implemented. P2PE shields your customers’ card data, from the point of interaction to the processor.
Tokenization adds another layer of security by removing the original card data from the transmission altogether and replacing it with tokens that are useless to anyone who manages to crack the encrypted transmission. Together, tokenization and encryption can help your company achieve PCI-DSS compliance, lower your risk profile, and protect your customers.
Adapt as the landscape evolves. Two-factor authentication was supposed to be a widely adopted tool for data security, but it creates friction that leads some customers to abandon their carts or pay by methods that don't require the extra authentication step, and many cardholders never opt in. Now 3D Secure, the authentication protocol that underpins Verified by Visa, MasterCard SecureCode and Amex SafeKey, is moving toward risk-based authentication based on real-time analysis of transaction data. The new approach requires stronger authentication on transactions that appear to be high risk without requiring cardholders to first enroll in the program.
Based on the experiences of other countries that have adopted EMV, we know more CNP fraud is coming to the U.S. We know how to reduce it. And we know that CNP fraud is always evolving, so our anti-fraud practices must always evolve, too. Merchants and other players in the US payments system need to stay alert, batten down the hatches, and be ready to pivot as the fraud landscape undergoes big changes this fall and over the next several years.
Sukanya Madhavan is director of product management at Forte Payment Systems