In 2014, the U.S. Department of Commerce estimated that shoppers spent almost $300 billion via the Internet (a number it expects will grow in future years).
There were a significant number of online fraud attempts, too -- and about 78% of those were made through website applications. In contrast, only 3% of fraud attempts were made via mobile applications. Card-not-present fraud has become the tool of choice for fraudsters because there is no need to steal the card itself -- only its attributes. Customers are typically unaware of the theft until after fraudulent transactions have occurred. Additionally, fraudsters' ability to rapidly shift tactics among endless types of Internet transactions or phone orders makes this activity lucrative and difficult to detect.
Yet payment card fraud is not merely a risk to the unsuspecting customer. Companies have skin in the game too, and many correctly see transaction security as a way to reduce chargeback and fraud-related fees. Transaction security is also a feature that reassures consumers that their payment card data is safe when they purchase products and services online.
In this tip, we'll review the current and emerging controls for thwarting card-not-present payment fraud and how merchants should utilize these controls as part of their fraud prevention programs.
CVCs and fraud prevention
Card verification codes, known more commonly by their shorthand names such as CVC1 and CVC2 (also called CVV1 and CVV2), were introduced in the late 1990s by card issuers to combat card-not-present and card-cloning fraud schemes. CVC1 is an encoded validation value for a swiped card that is stored on track 2 of the card's magnetic stripe; CVC2 is a validation number that is merely printed on the physical card. These innovations are designed to reduce the overall value of digitally stored credit card information.
It is difficult to process an online transaction without the card number and the CVC2 value and, since merchants are not allowed to retain CVC2 data, stolen or leaked card numbers alone have minimal value without the accompanying CVC2 numbers. However, it should be noted that malware installed on point-of-sale systems has been able to capture this information during recent transactions. This was exactly the process employed in major data breaches at retailers, including Target Corp. and Home Depot Inc. Attackers aim to steal millions of payment card records, sell them on the black market and subsequently use the card data for fraudulent card-not-present online transactions.
Unfortunately, not all merchants validate or even require the CVC2 code for online transactions, which is a key reason why card data theft is rampant: fraudulent card-not-present transactions are often both easy and profitable.
Chip and PIN is an initiative that strives to take security efforts a step further. Chip and PIN cards store payment data on an encrypted microchip -- either instead of, or in addition to, the mag stripe data -- and also require a PIN, like an ATM card, in order to process a transaction. It would be impossible to clone a card that uses the chip function, and if a card were lost or stolen, the PIN would prevent the card from being used fraudulently. But even Chip and PIN technology would likely do little to thwart card-not-present fraud in the U.S.; since the PIN is designed to replace the signature verification in a point-of-sale transaction, future online transactions will likely continue to require merely a credit card number and occasionally a CVC2 (CVV2). The sad reality is that as Chip and PIN rollouts make point-of-sale fraud more difficult, criminals will see card-not-present fraud as the path of least resistance, increasing its prevalence.
Preventing card-not-present fraud
Effective business intelligence -- that is, the technical implementation of common sense -- is needed to further reduce a company's exposure to online fraud. But implementing controls that are effective -- yet not overly burdensome on the merchant -- is a difficult process. For instance, a transaction that represents a significant deviation from a customer's normal purchasing behavior (because of items purchased, value of the transaction, time of day and the like) is usually a reliable indication of fraud. But encoding every conceivable situation or combination of attributes that would, from a common sense perspective, make a transaction stand out is limiting and expensive to implement. New technology must be deployed into the process chain to not only detect potential fraud based on common sets of rules, but to work inside a global intelligence network.
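As an added illustration of the rule-based approach just described and of the CVC2 handling discussed earlier (example code written for this tip, not the author's or any vendor's product): a screening function that requires the CVC2 on every online order, drops it before the order record is stored, and scores the order against one customer's history on value, hour of day and merchandise category. The customer history, thresholds and the allow/step-up/review policy are constructed for the example.

```python
# Rule-based screening of a card-not-present order against one customer's history.
# Constructed example: history and orders are in-memory tuples/dicts, amounts are
# USD, hours are local hour-of-day (0-23). Thresholds and policy are illustrative.
from statistics import mean, pstdev

# Constructed purchase history for one hypothetical customer: (amount, hour, category)
HISTORY = [
    (42.10, 19, "books"), (38.00, 20, "books"), (55.25, 18, "games"),
    (47.80, 21, "books"), (60.00, 19, "games"), (51.30, 20, "books"),
]

def screen_transaction(txn, history, z_threshold=3.0, hour_tolerance=2):
    """Return (decision, reasons) for a new order.

    decision is 'reject', 'allow', 'step_up' (ask for additional verification)
    or 'review' (hold for manual review). The policy is constructed for this example.
    """
    # Control 1: CVC2 must accompany every online order. It is checked for presence
    # here and forwarded to the acquirer for validation; it is never written to disk.
    if not txn.get("cvc2"):
        return "reject", ["cvc2_missing"]
    reasons = []
    amounts = [a for a, _, _ in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    # Control 2: order value far above this customer's normal spend (z-score).
    if sigma > 0 and (txn["amount"] - mu) / sigma > z_threshold:
        reasons.append("amount_deviation")
    # Control 3: hour of day not within +/- hour_tolerance of any past purchase
    # (distance is computed around the clock so 23:00 and 00:00 are one hour apart).
    usual_hours = {h for _, h, _ in history}
    if all(min(abs(txn["hour"] - h), 24 - abs(txn["hour"] - h)) > hour_tolerance
           for h in usual_hours):
        reasons.append("unusual_hour")
    # Control 4: merchandise category this customer has never bought before.
    if txn["category"] not in {c for _, _, c in history}:
        reasons.append("new_category")
    if not reasons:
        return "allow", reasons
    return ("step_up" if len(reasons) == 1 else "review"), reasons

def record_for_storage(txn):
    """Copy of the order with CVC2 removed: merchants may not retain it after authorisation."""
    return {k: v for k, v in txn.items() if k != "cvc2"}

if __name__ == "__main__":
    order = {"amount": 899.99, "hour": 3, "category": "electronics", "cvc2": "123"}
    print(screen_transaction(order, HISTORY))  # ('review', [three reasons])
    print(record_for_storage(order))           # no 'cvc2' key
```

A single deviation triggers step-up verification rather than rejection, which keeps the control from becoming the burden on legitimate customers the tip warns about.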