The EMV liability shift that took place last October has reduced the amount of card-present fraud, meaning it is difficult for criminals to use counterfeit and lost or stolen cards in face-to-face transactions. But the downside to EMV is that fraudsters are now turning their attention to card-not-present (CN) arenas, such as mail order and telephone transactions, and the internet, in particular. In the CNP world, EMV cards are fairly useless, offering no more protection than the traditional magstripe cards they’re replacing.
It has been shown in every country in which EMV was implemented, CNP fraud skyrocketed, because thieves are going to take the path of least resistance when it comes to their nefarious activities. CNP fraud totaled $9 billion in 2015, and that was with only two months of the EMV liability shift. This essentially means merchants and processors are going to have to be extra-diligent in their efforts to protect cardholder information when shopping in CNP environments.
As a merchant, there are steps you can take to help reduce CNP fraud’s impact on your business and your customers. Below are some tips that can make your customers safer when shopping online and reduce your liability:
Use an address verification service (AVS). AVS was developed and is maintained by Visa to help prevent fraudulent activity by allowing merchants to verify the credit card’s billing/shipping address(es) when making online or other CNP purchases by comparing it to the address on file with the card issuer. If they match, the transaction can proceed, but if not, additional information may be requested of the customer or the transaction may be declined.
Use card security codes. Make sure you enable the field form on your online order form that would require customers to enter their card security codes to help verify that the customer is in physical possession of a valid credit card. These security codes are 3-digit numbers on the backs of Visa, Mastercard and Discover cards, and a 4-digit number on the front of American Express cards. Not having a security code may mean the customer is not in possession of the card and only has the account number, which could indicate stolen account information.
Enable velocity limits. Contact your payment processor to find out if they have velocity checking, which looks at how many payments have been attempted with a single account. They may be based on number or dollar amount, or both. If there are too many failed attempts in a certain period of time, further attempts are automatically stopped. This can help protect the automated testing of stolen credit card information, particularly by bots.
Increase authentication methods. Requiring customers to authenticate their purchases against some pre-arranged credentials has been shown to have a positive impact on reducing CNP fraud. Some may say additional authentication, like security questions, device authentication and/or biometrics, is just an extra hoop to make customers jump through in order to prove they are who they say they are, but any additional information or steps you require may help deter fraudsters. A thief may be able to get a customer’s card number, billing address and security code, but will they know the customer’s oldest cousin’s middle name? Probably not. Nor are they likely to be using the same device. Increasing the number of steps to check out is also a deterrent, as fraudsters just want to get in, make their purchase, and get out, before the card number is reported as stolen.
Make sure you are PCI compliant. This is kind of the “no-brainer” on the list – all merchants accepting card payments must be compliant with the requirements of the Payment Card Security Data Security Standard (PCI DSS, or PCI for short). This is the body that sets the rules for data security management, policies, procedures, network architecture, software designs and other protective measures. It helps protect you in the event of fraudulent card use in all situations, including CNP situations, whether they be online or phone orders. If you are not compliant and a fraudulent card is used, you could lose the cost of the purchase and shipping fees, and you may even have to pay fines similar to those charged by banks for chargebacks or bounced checks. And because CNP fraud is increasing, it is almost an inevitability you will be hit with a fraudulent transaction, so it is worth the time and effort to become PCI compliant.
There are many tools that can help you reduce your susceptibility to CNP card fraud, but only if you implement them. You owe it to your customers to provide them with a safe and secure shopping environment, and the steps outlined above are just a few of many that can help protect your customers – and you – when shopping online. It is unlikely that CNP fraud is going away any time soon, but using tips like those above can help reduce it.