It’s been over a year since the EMV fraud chargeback liability shift brought chip cards front and center for merchants and consumers. The technology appears to be having the desired effect of reducing card present payment fraud, but EMV does not protect against fraud in card not present scenarios, so thieves are increasingly taking their business online. Business Insider reports that online fraud has increased by 9-12% for merchants, year-over-year in 2016.
Looking toward 2017, card not present fraud will likely continue to be a concern among merchants of all sizes. Let’s take a closer look at card not present fraud as well as the steps merchants can take to prevent these scenarios from happening.
5 Examples of Card Not Present Fraud
Making online purchases with stolen card information. Thieves use stolen cardholder names, card account numbers, and card expiration dates to fraudulently purchase items online.
“Testing” cards. Fraudsters make several small transactions online using stolen credit card numbers, to see whether the numbers will work.
Intercepting packages. Thieves intercept packages containing products that they have purchased using stolen card information.
Online skimming. Hackers exploit unpatched weaknesses in the POS system, use malware to steal data, and then sell the data for fraudulent purposes.
Gift card fraud. Individuals looking to quickly turn stolen product into cash will often activate gift cards using stolen payment details, then sell these digitally delivered funds on an open marketplace within minutes.
Combating Card Not Present Fraud
One of the best ways for merchants to combat online fraud using stolen card information is to implement a payment solution that uses an address verification service (AVS) and requests card security codes located on the backside of payment cards. Both of these features help verify that the purchaser is in fact the cardholder.
Thieves test cards to find out which have been reported stolen and which have not. If a payment goes through, the thief uses the card number to make a larger purchase. AVS and card security code verification during checkout can help deter card testing activities by slowing down the transaction, which frustrates thieves focused on instant gratification. Another way to combat card testing is by using a solution that monitors device, IP address, and IP geolocation velocity for irregular purchase activity. Card testing attacks can also be mitigated with a solution that identifies each buyer’s device and the true IP address behind a web proxy.
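The velocity monitoring described above, as an added example that is not from the original article or any vendor's product: it counts distinct cards tried in small charges per device and per IP within a sliding window, then flags a later large order on a card that a flagged source validated. The thresholds, field names, and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_CARDS = 3                   # assumed: distinct cards tolerated per device/IP in the window
SMALL_AMOUNT = 5.00             # assumed ceiling for a "test" charge

def t(hhmm):
    return datetime.strptime("2017-01-05 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample: (time, device_id, client_ip, card_token, amount, approved)
SAMPLE = [
    (t("09:00"), "dev-A", "198.51.100.7", "tok-1", 1.00, False),
    (t("09:01"), "dev-A", "198.51.100.7", "tok-2", 1.00, False),
    (t("09:02"), "dev-A", "203.0.113.9", "tok-3", 1.50, True),    # same device, new proxy IP
    (t("09:03"), "dev-A", "203.0.113.9", "tok-4", 1.00, False),
    (t("09:04"), "dev-B", "192.0.2.44", "tok-9", 3.25, True),     # ordinary shopper
    (t("09:30"), "dev-A", "203.0.113.9", "tok-3", 480.00, True),  # larger order on a tested card
]

def detect_card_testing(events, window=WINDOW, max_cards=MAX_CARDS, small=SMALL_AMOUNT):
    """Return alerts as (time, kind, subject, detail) tuples."""
    recent = defaultdict(deque)   # (key type, value) -> (time, card) attempts in the window
    tested_by = defaultdict(set)  # card -> keys that got a small charge approved on it
    flagged, alerts = set(), []
    for ts, device, ip, card, amount, approved in sorted(events, key=lambda e: e[0]):
        if amount > small:
            # Larger order on a card that a flagged device/IP already validated
            if tested_by[card] & flagged:
                alerts.append((ts, "follow-up", card, amount))
            continue
        for key in (("device", device), ("ip", ip)):
            q = recent[key]
            q.append((ts, card))
            while ts - q[0][0] > window:  # drop attempts older than the window
                q.popleft()
            if approved:
                tested_by[card].add(key)
            distinct = len({c for _, c in q})
            if distinct > max_cards and key not in flagged:
                flagged.add(key)
                alerts.append((ts, "velocity", key, distinct))
    return alerts

if __name__ == "__main__":
    for alert in detect_card_testing(SAMPLE):
        print(alert)
```

In the sample, neither IP address exceeds the threshold on its own; only the device key does, which is why the check tracks a device identifier alongside the IP.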
It might seem old fashioned to intercept packages that are ordered online, but it’s still a common way fraud is committed. Red flags include large orders of small ticket items and multiple orders to the same address.
Merchants can avoid this type of fraud by reviewing orders before fulfilling them, contacting customers via email or phone to confirm the order before shipping, and requiring customers’ billing and shipping addresses during checkout. If the addresses don’t match, merchants should find out why (for example, ask if the item is a gift or is being sent to a cardholder’s alternate address).
When it comes to fighting online skimming, a multi-layered technology approach is the best bet. Both tokenization and end-to-end encryption technologies bolster security throughout the payments transaction, making it more difficult for fraudsters to steal data for future use. Merchants should also ensure that security updates, passwords, and software patches are in place and current to close any holes that could lead to online skimming.
The first step to tackling gift card fraud is to treat gift cards like cash. Merchants offering virtual gift cards should update order review processes and ensure sufficient time is built in to check for fraud. Using real-time fraud scoring during authorization and leveraging device identification tools can automate the approval process for transactions that have been identified as having qualified device and IP reputational scores.
Card not present fraud is likely to remain a persistent threat, but merchants can take steps to protect themselves. Investing in proven security solutions and following best practices to detect and mitigate this type of fraud can help merchants protect their customers and their business.
Brendon Paquin is a Product Manager at Payment Processing Provider, Vantiv