A person opens a website or mobile app and navigates to its product listings. They scan through the items for a moment until finding what they want, then add it to their cart and head to the checkout page. Within seconds, they've input their credit card information and completed their purchase.
It's an ideal scenario for e-commerce retailers. You want people buying from your store as often as possible—that is, as long as they are who they say they are.
E-commerce sellers face the growing risk of card-not-present (CNP) fraud, especially with e-commerce sales on the rise. Government estimates put e-commerce sales for the fourth quarter of 2017 at $119 billion, a near 17 percent increase over the same period in 2016. [1] While growth in online retail is good news for retailers, it also carries with it increased risks of fraud and theft.
What Is Card-Not-Present Fraud?
CNP fraud refers to thefts that don't involve physical credit cards and occur most often through online transactions using a computer or mobile device. The appeal of such scams is obvious, as the person with the stolen payment information evades being asked for concrete identification.
Criminals commit CNP fraud once they collect critical information related to a person's credit card account. If a criminal has an account number, card expiration date and security code, along with personal information such as the cardholder’s name and billing address, they may easily accumulate considerable purchases before getting caught.
Credit card companies monitor transactions for potentially fraudulent purchases by comparing new activity against customers' data histories and locations. However, criminals are becoming more sophisticated and strategic. Criminals will often use bots—software programs used to mimic human behavior—to make minor "test" purchases to ensure the information is accurate before attempting costlier thefts. If the smaller purchases go through, the perpetrator may feel emboldened to assume that the merchant or credit card issuer will not detect criminal activity until after they've secured their goods illegally.
In some cases, the criminal will extend the theft by returning the products as defective or insisting that they never received the purchased goods. The merchant will then be forced to issue a refund in response to the card issuer's chargeback. According to one study, retailers and financial institutions could lose $7.2 billion to CNP scams by 2020. [2]
What You Can Do
As merchants become more aware of the threats CNP fraud presents to their businesses, the need for viable solutions becomes more urgent. Already, there are several strategies you can deploy to defend against potential criminal purchases. The approach you take will depend on your company's size and capabilities, but here are some tactics to consider as you get started:
1. Multiple Forms of Authentication
The most effective data and payment security protocols include multiple authentication points and depend on layered collaborative networks. Where possible, you might partner with your card issuer and payment platforms to share information on potential risks. If the card issuer flags suspicious activity, you want to know about it so your network can work together to shut down criminal behavior.
But there are also measures you can take on your own. Reviewing a purchase location can help you catch potential criminals in the act. If someone who typically orders goods from a small town in Kansas is now buying up products in New York, there may be a reason for concern. It's possible that the customer just moved recently, but halting the purchase until you contact the cardholder could stop a cybercriminal in their tracks.
Requiring billing address verification and two-factor authentication can also hinder fraudulent behavior. Before a customer completes the log-in or purchase process, you might ask them to input a short numeric code that's been sent to their mobile phones or emails.
Risk-based authentication systems will likely prove especially valuable in this area, as they draw on multiple factors to assess a shopper's likelihood of committing fraud. The more dynamic these systems become, the more frictionless the experience will be for valid consumers and the more difficult to hack for cybercriminals. While hackers will continue to attempt the theft of personally identifiable information (PII), it will be increasingly difficult to fake behavioral information such as how someone types on their keyboard (keystroke dynamics) or other online patterns.
2. Order Monitoring
Sometimes the clues to catching fraudsters lie in the orders themselves. Large orders, especially those charged to accountholders who typically purchase at smaller volumes, should send up a red flag. The type of order matters, too. Criminals are keen to purchase items such as gift cards because they can easily convert them to cash. While gift card purchases in and of themselves aren't a reason to suspect fraud, taken in context with other factors, they could point to malicious behavior.
Inconsistencies or erratic account behavior should raise concerns as well. For instance, if one account is associated with several addresses—all of which differ from the billing address—there may be cause for further verification.
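The location check from the first tactic and the order signals above can be combined into one rule-based screen. The sketch below is an added example, not part of the original article; the field names, weights and thresholds are illustrative assumptions, and the sample account and orders are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class History:
    typical_amount: float          # usual order size for this account
    usual_region: str              # where the account normally orders from
    ship_addresses: set = field(default_factory=set)  # addresses used so far

@dataclass
class Order:
    amount: float
    region: str                    # region the purchase originates from
    billing_address: str
    ship_address: str
    has_gift_card: bool = False

# Weights and thresholds are illustrative assumptions, not industry values.
LARGE_ORDER_FACTOR = 3             # "large" = more than 3x the typical amount
MANY_ADDRESSES = 3                 # "several" shipping addresses

def assess(order, hist):
    """Return (decision, reasons) for one order given the account history."""
    signals = []                   # (weight, reason) pairs
    if order.region != hist.usual_region:
        signals.append((2, "unusual_location"))
    if order.amount > LARGE_ORDER_FACTOR * hist.typical_amount:
        signals.append((2, "large_order"))
    addresses = hist.ship_addresses | {order.ship_address}
    if len(addresses) >= MANY_ADDRESSES and order.billing_address not in addresses:
        signals.append((2, "many_non_billing_addresses"))
    # Gift cards alone are not suspicious; count them only in context.
    if order.has_gift_card and signals:
        signals.append((1, "gift_card_in_context"))
    score = sum(weight for weight, _ in signals)
    reasons = [reason for _, reason in signals]
    if score >= 4:
        return "hold", reasons     # pause the order and contact the cardholder
    if score >= 2:
        return "step_up", reasons  # ask for a one-time code (two-factor)
    return "allow", reasons

# Constructed sample data: an account that normally orders small amounts from Kansas.
kansas = History(typical_amount=40.0, usual_region="KS", ship_addresses={"12 Elm St"})
routine = Order(45.0, "KS", "12 Elm St", "12 Elm St", has_gift_card=True)
moved = Order(50.0, "NY", "12 Elm St", "12 Elm St")
risky = Order(600.0, "NY", "12 Elm St", "9 Dock Rd", has_gift_card=True)

if __name__ == "__main__":
    for name, order in [("routine", routine), ("moved", moved), ("risky", risky)]:
        print(name, assess(order, kansas))
```

A customer who simply moved gets a step-up challenge rather than a blocked order, which keeps friction low for legitimate shoppers while the high-scoring order is held for review.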
3. Customer-centric Security
In the end, any approach to combatting CNP fraud should keep the customer in focus. If a security tactic disrupts the customer experience with slow or overly complex processes, consumers might get frustrated and potentially abandon their shopping carts. That said, anti-fraud tools continually evolve to provide more transparent and more frictionless security for consumers. Mobile devices and the implementation of biometrics to authorize payments are one example.
Better Tech Requires Better Security
Technologies such as digital wallets, EMV chip cards and contactless payments are enhancing the e-commerce experience. Customers want fast, easy payment options and the technology for delivering on that demand improves all the time.
But there will always be people looking to take advantage of vulnerabilities, and cybercriminals may well see card-not-present transactions as the ultimate low-hanging fruit. Merchants and their partners must collaborate not only to stop attacks while they're in progress but to make them so difficult to pull off that fewer fraudsters will even try.
[1] “Quarterly Retail E-commerce Sales: 4th Quarter 2017,” U.S. Department of Commerce, February 2018.
[2] “Card-Not-Present Fraud Losses to Exceed $7 Billion by 2020,” Yahoo Finance, May 2016.
The information provided herein is sponsored by Discover® Global Network. It is intended for informational purposes, and is not intended as a substitute for professional advice.