
How to stop card-not-present scams and keep customers happy

Merchants need to balance buyers' online experiences and their controls for analyzing suspicious purchasing behavior to prevent card-not-present scams.

In 2014, the U.S. Department of Commerce estimated that shoppers spent almost $300 billion via the Internet (a number it expects will grow in future years).

There were a significant number of online fraud attempts, too -- and about 78% of those were made through website applications. In contrast, only 3% of fraud attempts were made via mobile applications. Card-not-present fraud has become the tool of choice for fraudsters because there is no need to steal the card itself -- only its attributes. Customers are typically unaware of the theft until after fraudulent transactions have occurred. Additionally, fraudsters' ability to rapidly shift tactics among endless types of Internet transactions or phone orders makes this activity lucrative and difficult to detect.

Yet payment card fraud is not merely a risk to the unsuspecting customer. Companies have skin in the game too, and many correctly see transaction security as a way to reduce chargeback and fraud-related fees. Transaction security is also a feature that reassures consumers they are safe sharing their payment card data when purchasing products and services online.

In this tip, we'll review the current and emerging controls for thwarting card-not-present payment fraud and how merchants should utilize these controls as part of their fraud prevention programs.

CVCs and fraud prevention

Card verification codes, known more commonly by their shorthand names such as CVC1 and CVC2 (also called CVV1 and CVV2), were introduced in the late 1990s by card issuers to combat the card-not-present and card-cloning fraud schemes. CVC1 is an encoded validation for a swiped card that is stored on track 2 of the magnetic stripe of a card; CVC2 is a validation number that is merely printed on the physical card. These innovations are designed to help reduce the overall value of digitally stored credit card information.

It is difficult to process an online transaction without the card number and the CVC2 value and, since merchants are not allowed to retain CVC2 data, stolen or leaked card numbers alone have minimal value without the accompanying CVC2 numbers. However, it should be noted that malware samples used during recent point-of-sale transactions have been able to capture this information. This was exactly the process employed in major data breaches at retailers, including Target Corp. and Home Depot Inc. Attackers aim to steal millions of payment card records, sell them on the black market and subsequently use the card data for fraudulent card-not-present online transactions.

Unfortunately, not all merchants validate or even require the CVC2 code for online transactions, which is a key reason why card data theft is rampant; fraudulent card-not-present transactions are often both easy and profitable.

Chip and PIN is an initiative that strives to take security efforts a step further. Chip and PIN cards store payment data on an encrypted microchip -- either instead of, or in addition to, the mag stripe data -- and also require a PIN, like an ATM card, in order to process a transaction. It would be impossible to clone a card that uses the chip function, and if a card were lost or stolen, the PIN would prevent the card from being used fraudulently. But even Chip and PIN technology would likely do little to thwart card-not-present fraud in the U.S.; since the PIN is designed to replace the signature verification in a point-of-sale transaction, future online transactions will likely continue to require merely a credit card number and occasionally a CVC2 (CVV2). The sad reality is that as Chip and PIN rollouts make point-of-sale fraud more difficult, criminals will see card-not-present fraud as the path of least resistance, increasing its prevalence.

Preventing card-not-present fraud

Effective business intelligence -- that is, the technical implementation of common sense -- is needed to further reduce a company's exposure to online fraud. But implementing controls that are effective -- yet not overly burdensome -- on the merchant is a difficult process. For instance, a transaction that represents a significant deviation from a customer's normal purchasing behavior (because of items purchased, value of the transaction, time of day and the like) is usually a reliable indication of fraud. But enumerating, from a common-sense perspective, every conceivable situation or combination of attributes that would cause a transaction to stand out is limiting and expensive to implement. New technology must be deployed into the process chain not only to detect potential fraud based on common sets of rules, but also to work inside a global intelligence network.
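The deviation check described above, combined with the CVC2 requirement from the previous section, is sketched here as an added example that is not part of the original article. The field names, thresholds, decision labels and sample history are assumptions chosen for illustration; a single behavioral deviation is approved on purpose, so that ordinary customers are not held up.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Txn:
    amount: float
    hour: int            # local hour of day, 0-23
    category: str
    cvc2_present: bool = True

def hour_gap(a, b):
    """Circular distance in hours, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b)
    return min(d, 24 - d)

def risk_signals(history, txn, z_limit=3.0, hour_window=3, min_history=5):
    """List the ways txn deviates from this customer's past purchases."""
    signals = []
    if not txn.cvc2_present:
        signals.append("cvc2_missing")
    if len(history) < min_history:
        # Too little data to model "normal" behavior; do not guess.
        return signals + ["thin_history"]
    amounts = [t.amount for t in history]
    mu = mean(amounts)
    # Floor the spread so identical past amounts do not divide by zero.
    sigma = max(pstdev(amounts), 0.05 * mu, 1.0)
    if (txn.amount - mu) / sigma > z_limit:
        signals.append("amount_deviation")
    if min(hour_gap(txn.hour, t.hour) for t in history) > hour_window:
        signals.append("unusual_hour")
    if txn.category not in {t.category for t in history}:
        signals.append("new_category")
    return signals

def decide(history, txn):
    """Decline without CVC2; hold for review only when signals stack up."""
    signals = risk_signals(history, txn)
    if "cvc2_missing" in signals:
        return "decline", signals
    if len(signals) >= 2:
        return "review", signals
    return "approve", signals

# Constructed sample history for one customer (not real data).
HISTORY = [Txn(25.0, 18, "groceries"), Txn(40.0, 19, "books"),
           Txn(32.5, 20, "groceries"), Txn(55.0, 21, "books"),
           Txn(28.0, 12, "groceries"), Txn(47.5, 19, "books")]

if __name__ == "__main__":
    for t in (Txn(45.0, 20, "books"), Txn(900.0, 3, "electronics"),
              Txn(30.0, 19, "books", cvc2_present=False)):
        print(t, "->", decide(HISTORY, t))
```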


This was last published in February 2015


Are card-not-present scams a worry at your organization? What are you doing to prevent them?
We haven't experienced any negative issues of fraud, in particular the "Card Not Present" scams that have been plaguing many national retailers and enterprises. Our credit card acceptance policy is to make sure and get the security code from the customer when they order either online or via phone. We have monitors in place for the employees who handle the transactions to ensure no scamming of the customers' numbers takes place.
Fraudsters love the card-not-present tool. However, my perspective is that with proper real-time data analytics through business intelligence, this type of fraud can be controlled.
Jason is right. If your log management and real-time analysis are working, there shouldn't be an issue. We're not in an age (except in remote regions where connectivity is spotty) where we're running a carbon machine to take a credit card imprint. And most phone transactions protect against fraud by asking for all the info including billing address, code on the back and more. This should not be an issue.
It may be a nuisance to some, but for card-not-present purchases, only ship the product to the billing address on file for the card. People trying to buy things with a stolen card number will not get the product. For those looking to send a gift to someone, they can mail it themselves. I have seen a lot of ways to steal all the information mentioned to use a card without the owner knowing it's being done. Getting too scary nowadays.