​Card Not Present Fraud Trends and Prevention Methods

EMV chips are a new technology that help prevent credit card fraud. When criminals conduct a mass fraud, they generally copy the magnetic strips and card information. Because they’re unable to copy the EMV chip, this prevents in-person fraud. Unfortunately, this technique increases the chances of virtual, card-not-present fraud cases. Online retailers don’t use EMV chips, so they can’t capitalize on this technology. As a result, retailers, payment processors and the e-commerce industry must use alternative techniques for authenticating e-commerce transactions.

The Current Dilemma

Over the years, consumers have become increasingly comfortable with using credit and debit cards online. Forrester Research estimated that online sales would increase in the United States by $51 million from 2015 to 2017. As the e-commerce industry grows, the risk of CNP fraud will grow. Compared to other types of card fraud, CNP fraud accounts for about 16 percent of losses. According to Cybersource, e-commerce fraud is 0.9 percent of all online revenue.

A Growing Trend

CNP fraud plagues all 80 countries that use EMV. Physical transactions allow for something called the ownership factor; the merchant sees the cardholder and their verification. Because this can’t happen online, merchants and issuers use a combination of similar processes to prove that the card is being properly used.

The Building Blocks of Fraud Prevention

Authentication can occur through the ownership (having a card or the IP address linked to it), knowledge (PINs and addresses) or inherence factors (fingerprints and personal details). When authenticating a card, one or more of these factors must be provided by the cardholder. The account issuer then takes the payment to their merchant account.
All of the CNP transaction types use information factors to verify the identity of the cardholder. They may also use ownership factors like the individual's IP address or chips ensure that the actual cardholder is part of the transaction. Often, merchants will use multiple factors to determine whether the individual can use the card.
Intermediaries like major card brands are often brought in to help merchants limit their CNP risk. These companies implement unique strategies to ensure that businesses can avoid fraud. For instance, one intermediary might collect data from multiple merchants to check cardholder information for verification, while another may perform a risk assessment and require a second authentication from the cardholder.
Some of the authentication techniques that are used include:

  • Behavioral Biometrics: This type of biometrics is based on the individual's behavioral patterns.

  • End-Point Identity: An end-point identity is a term used to describe any technique like an IP address that identifies the device that the consumer uses.

  • IVR Voice Authentication: With this option, the cardholder has a pre-recorded voice message or PIN that they use for authentication.

  • Physical Biometrics: Physical biometrics are based off of the person's physical characteristics.

  • Random Knowledge-Based Authentication: With this option, one or more secret questions are asked at random to authenticate the user.

The Best CNP Authentication for Merchants

 Merchants can conduct most CNP authentication techniques, but they do require upfront costs and routine maintenance. Due to the difficulty of adopting these practices, some transactions may be abandoned, and consumers may be reluctant to conduct a new purchase.
The effectiveness of these techniques depends on a merchant’s size. Larger ones have high traffic and profits that justify making the switch. For smaller merchants, an intermediary may handle CNP authentication. Presently, merchants tend to use three approaches to authenticate CNP transactions. They’ll typically use alternative intermediaries, an account issuance or standard intermediaries.
To create a user account, the customer will set up a profile with a username, telephone number, password and address. The merchant will send a token to the customer to ensure that the merchant has received valid information. Afterward, the customer uses the token to verify their account, set up security questions and create account details. If the merchant discovers that the customer is using a new IP address, they may require answers to some of their security questions. For larger merchants, this technique has been fairly effective and is a key way to prevent fraud.
With a standard intermediary, cardholder information is often re-entered for each purchase to prove that they have the card in their possession. Because this information isn’t stored in the magnetic stripe, it shows that the card was not a part of a mass fraud. Fraudulent activity is still possible, but mass fraud cases are less likely.
Payment gateways and card brands have been working to create a new option because this approach doesn’t eradiate the potential for fraud. Presently, they are developing an approach that assesses the fraud risk of each transaction through data. If the transaction has a high fraud risk, the cardholder has to provide further information for authentication.

The last common option for authentication is to use an alternative intermediary. This is done by a third-party that has better authentication capabilities than most small business. One of the most popular examples of this is PayPal. When an e-commerce business uses PayPal, it does all of the authentication of usernames, passwords and security questions. To use this authentication technique, merchants must set up the alternative intermediary in their programming interface.

To learn more, check out our infographic on CNP fraud