Card-Not-Present (CNP) Transactions and Fraud Risk
According to research conducted by the Federal Reserve in 2018, card-present fraud decreased from $3.68 billion in 2015 to $2.91 billion in 2016. However, eCommerce card-not-present fraud climbed by $1.17 billion during the same period. With the broad implementation of EMV (chip) technology across the country, this number is expected to rise. Fraudsters are shifting their efforts online as EMV chip cards make card-present theft more difficult.
Chargeback fraud is more likely in card-not-present transactions because cardholder information is harder to verify. After a consumer receives a product or service, they can claim that they never approved the charge or that they did not receive the item.
What Are Card-Not-Present (CNP) Transactions?
A transaction is considered card-not-present when no physical terminal is used to tap a mobile wallet, swipe a magnetic stripe, or insert an EMV chip. As a result, card-not-present transactions can be made over the phone, online, or via fax.
Card-not-present transactions are often misunderstood since many people believe that if a customer is there with their card, the transaction is considered card-present.
Even when the customer has their credit card in hand, the transaction is still regarded as card-not-present if the card information is manually entered into the card terminal. Although the transaction occurred at the point of sale, the card itself never contacted the machine.
How Does Card-Not-Present Fraud Work?
CNP fraud occurs any time a fraudster obtains payment information, such as a credit card number, the name and address of a customer, or the three-digit security code on the back of a credit card, and uses it to make a purchase without the physical card.
Because data breaches and phishing attempts have made it possible to buy whole stolen accounts on the dark web, fraudsters can now easily purchase “fullz”. Most of the time, the merchant bears the brunt of the responsibility for fraudulent CNP transactions, and chargebacks are widespread.
Tips to Reduce Card-Not-Present Fraud
Because the merchant, payment service provider, or bank of the victim is usually held liable for CNP fraud, knowing how to protect your business from it is critical. To help you distinguish between legitimate customers and fraudsters, new technologies have been developed.
Amass All of Your Client’s Contact Information
In general, the more information you know about a customer, the better. This is true in the context of credit card fraud prevention, marketing and sales, and the processing of credit card transactions. The same information that lets you confirm user IDs or contest a chargeback can also help you increase upselling, cross-selling, and segmentation.
When it comes to what you should be collecting, the bare minimum is:
- Email address
- Credit card details, including the CVV code (for authorization only; PCI DSS prohibits storing the CVV afterward)
- The mailing address for the payment
- The IP address of the device that was used to sign in
- Phone number
Account registration, login, and credit card payments are all places to collect this information.
In addition to following the best SCA (Strong Customer Authentication) practices, there is a wealth of additional information available to you. As we’ll see later, user devices, phone numbers, and email addresses can help to weed out rogue actors, or at the very least show that they’re risky customers.
When you have more information about a user, it’s easier to reject card-not-present transactions that could be fraudulent.
Conversions and sales can be negatively affected if there is too much friction in the data collection process.
Enrichment of Data
After reading the first suggestion, you might be asking yourself, “How can I acquire additional information without creating friction?” Data enrichment is the solution. Everyone from e-commerce sites to financial institutions is now using these tools, and it’s not hard to see why.
You might think of it as an approach that takes single data points and uses them to compile information from other places throughout the internet. For example, enrichment can reveal whether an account’s email address has been used to register for accounts on social media sites such as Facebook. A landline or cell phone number can be checked to see if it’s in the United States or another nation.
With all of that information, anomalies may be detected more easily. The best part is that you don’t have to put people through additional authentication procedures, because the right technologies let you gather this information quickly.
This practice works because the cardholder is unaware of the data augmentation, which reduces risk without impeding legitimate customers too much. Data enrichment is a significant task, and the most crucial part is finding new, relevant datasets that are both fresh and open source. One way to achieve this is to link an email address to the user’s associated social media profiles, which should be done in compliance with GDPR.
Best Data Protection Practices
Credit card information must still be protected even if the card isn’t in front of you at the time. The PCI Data Security Standard (PCI DSS) requires this, and it is primarily intended to safeguard every merchant from future CNP fraud attempts (and card-present fraud too).
Online security solutions like SSL/TLS should be used whenever sensitive information like credit card numbers or social security numbers is collected on a website. In addition, you should encrypt all of your data, whether it’s being transferred between clients and your website or between your employees.
This practice works because encrypted and protected data is less likely to fall into the hands of criminals, which minimizes overall fraud. Managing backups and configuring protection software and hardware can be costly as a business expands quickly. It’s the issue most frequently cited by industry insiders and consultants.
Solutions for Card Not Present Fraud
Businesses can choose from various fraud prevention products, whether they need a complete end-to-end system or only a few specific modules. The points above are ideal, but it’s also a good idea to consider additional safeguards like biometrics, captchas, and one-time passwords.
Using a device fingerprinting module, your fraud manager will be able to examine the hardware and software used by a person who visits or transacts on your website.
When a device is fingerprinted, tens of thousands of data points are gathered that can be used to identify potentially harmful individuals. These include:
- Operating system
- VPN and browser information
- Time zone and language
- User agents
- IP address
- HTTP request headers
- Plugins or fonts and more.
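As an added illustration (not code from this article or from any vendor's product), the sketch below hashes a handful of the attributes listed above into a stable device fingerprint and flags devices that have paid with several different cards. The attribute key names, the card tokens, the threshold of two cards per device, and the decision to score IP address separately are all assumptions made for the example.

```python
import hashlib
import json

# Keys mirror the attribute list above; the exact names are assumptions.
# IP address is scored separately here because it changes between sessions.
FINGERPRINT_KEYS = ("os", "browser", "timezone", "language", "user_agent", "fonts")

def device_fingerprint(attrs):
    """Stable SHA-256 over canonicalized device attributes."""
    canon = {}
    for key in FINGERPRINT_KEYS:
        value = attrs.get(key, "")
        if isinstance(value, (list, tuple, set)):
            # Font/plugin lists arrive in arbitrary order: sort them.
            value = sorted(str(v).strip().lower() for v in value)
        else:
            value = str(value).strip().lower()
        canon[key] = value
    blob = json.dumps(canon, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def devices_with_many_cards(orders, max_cards=2):
    """Map fingerprint -> card tokens for devices seen with > max_cards cards."""
    cards_by_device = {}
    for order in orders:
        fp = device_fingerprint(order["device"])
        cards_by_device.setdefault(fp, set()).add(order["card_token"])
    return {fp: sorted(c) for fp, c in cards_by_device.items() if len(c) > max_cards}

# Constructed sample data: card tokens stand in for real card numbers.
DEV_A = {"os": "Windows 10", "browser": "Chrome 120", "timezone": "UTC+1",
         "language": "en-US", "user_agent": "ExampleUA/1.0", "fonts": ["Arial", "Calibri"]}
DEV_A_REORDERED = dict(DEV_A, fonts=["calibri", "Arial "], language="EN-us")
DEV_B = dict(DEV_A, os="macOS 14", browser="Safari 17")
ORDERS = [
    {"device": DEV_A, "card_token": "tok_1"},
    {"device": DEV_A_REORDERED, "card_token": "tok_2"},
    {"device": DEV_A, "card_token": "tok_3"},
    {"device": DEV_B, "card_token": "tok_4"},
    {"device": DEV_B, "card_token": "tok_4"},
]

if __name__ == "__main__":
    for fp, cards in devices_with_many_cards(ORDERS).items():
        print(f"review device {fp[:12]}: {len(cards)} distinct cards {cards}")
```

Canonicalizing before hashing is what keeps the fingerprint stable when the same device reports its fonts in a different order or with different casing.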
Final Thoughts
The most effective method to avoid CNP fraud is to be well-prepared, well-equipped, and well-versed in the field. No matter how many layers of protection are put in place, fraudsters will find a way to get through. However, a good knowledge of CNP fraud will reduce the number of fraud cases.