Estimates suggest that fraud attacks on online merchants in the US rose 11% after the EMV liability shift that happened on October 1, 2015. The value of fraudulent online transactions is expected to grow from $10.7 billion last year to $25.6 billion in 2020.
It seems that the EMV transition had the effect it was expected to have, and fraudsters have indeed set their sights on weak links, such as CNP transactions, putting e-commerce under fire. However, there are measures that can mitigate the risks of CNP payments fraud, which the Federal Reserve Bank of Boston laid out in the report titled "Getting Ahead of the Curve: Assessing Card-Not-Present Fraud in the Mobile Payments Environment."
The study suggests that enabling EMV chip card acceptance at POS reduces card-present counterfeit fraud by removing the opportunity for fraudsters to compromise payment card credentials. However, this is driving fraudsters to attack the more vulnerable online and mobile CNP channels with weaker authentication protocols at a time when consumers are increasing their use of mobile phones to make CNP purchases.
Below, we review six recommendations from the bank that address various aspects of CNP fraud prevention. A notable feature of the list is that half of the recommendations stress the need for collaboration among participants of the ecosystem: sharing data, sharing best practices, and jointly developing security standards.
Channel-specific security measures
M-commerce is mostly considered an extension of the business, which leads to security measures being standardized across channels without considering the distinctive characteristics of each channel. Meanwhile, the risks associated with m-commerce differ from those of e-commerce because of the specifics of the mobile environment and a different set of factors influencing the m-commerce experience.
This makes it necessary to consider additional security approaches to prevent and manage mobile CNP fraud. For mobile-focused businesses, it is critical to implement appropriate methods to monitor fraud in their e-commerce and m-commerce channels and apply mobile-specific fraud management tools that leverage the unique capabilities of mobile devices.
Channel-specific monitoring generates rich data that can provide more detailed information on customers' device-specific behavior, addressing the need to manage fraud holistically across customer entry points. Businesses should also use the data collected from fraud tools to build a profile of a legitimate customer versus a fraudulent one in the mobile CNP channel.
Multilayered & multifactor security measures
There is no silver bullet when it comes to security controls and methods, and the most effective systems rely on a mix of them to ensure security. Therefore, companies should analyze available tools and choose the ones that best fit their CNP fraud strategy. Sources such as NIST, FFIEC, and the 3DS 2.0 specifications and related network operating rules are proposed to help conduct this analysis.
Elimination of magstripes
Despite the migration of US payment cards from magstripes to chips, magstripes are still widely used. Customer habits are difficult to change, and the presence of both a magstripe and a chip on a card may lead customers to use the stripe habitually. Professionals from the Federal Reserve Bank of Boston suggest eliminating the magstripe as a measure to address a major card vulnerability, because the card is susceptible to counterfeit card fraud when swiped instead of dipped.
In the current CNP environment, many smaller e-commerce merchants may have weak authentication controls that provide fraudsters with the opportunity to make fraudulent purchases with stolen, counterfeit card numbers. There is also the risk that a counterfeit card number will be provisioned to a mobile wallet and used to make fraudulent purchases.
Overall, reducing potential vulnerabilities in other payment channels benefits the mobile channel as well, as they are all connected and used by consumers.
Information sharing and customer education
Collaborative efforts are known to have a positive effect on business growth and development. This also applies to the payments industry, where market participants recognize the need for more inclusive collaboration and information sharing to reduce overall payments fraud and CNP fraud specifically.
Today, company-specific data is shared mostly with governmental agencies and industry associations. As a result, valuable data remains within the circle of particular market participants, while cross-industry sharing could drive higher efficiency in fighting fraud.
In the retail payments environment, FIs often see fraud or suspicious activity faster than merchants because of the robust risk management tools and fraud monitoring systems they have to support compliance with financial services regulations. Financial institutions are also the primary point of contact for cardholders when fraudulent activity occurs.
For businesses to boost their security capabilities, cross-industry data sharing is a necessary element of collaboration. The need for more effective information sharing expands beyond the CNP environment to the entire payments ecosystem. The broader industry needs to identify ways to improve the value and timeliness of fraud data that will also help the CNP environment. All stakeholders also have an obligation to support continuous customer education regarding secure mobile payment practices and engage collaboratively in developing consistent materials and messaging.
Sharing of the best practices from channel-specific use case analysis
Collaborative efforts should go beyond sharing information to sharing best practices identified in use case analysis. Risks associated with and experienced by one party of the payments ecosystem will translate into risks for all other parties, which means that best practices of fraud prevention should be shared with mid-sized and smaller/micro m-commerce merchants and CNP third-party/non-bank mobile solution providers.
It might be difficult to assess risks created across market participants due to the lack of consistency in how they evolve or operate. Hence, all third-party relationships should be carefully evaluated before an agreement is executed as well as on a recurring basis. Large e-commerce merchants and processors should recognize that sharing some of their best practices and experiences using different fraud tools for CNP payments with the smaller, less sophisticated, or newer mobile/e-commerce businesses will have a positive impact on the entire CNP environment.
Knowledge sharing across the ecosystem can help reduce overall fraud and increase consumer confidence in making mobile and online purchases.
The major stakeholders should coordinate efforts to develop best practices targeted at the smaller m-commerce merchants, determine effective ways to reach out to them, and communicate this information.
Collaborative standards assessment and development
Issuers, merchants (POS and e-commerce), acquirers, card networks, processors, PSPs, and WSPs should collaborate and coordinate initiatives to identify where gaps exist in current proprietary and open standards and practices.
All members of the ecosystem should share their unique expertise to facilitate the enhancement of technology standards, as well as guidelines and best practices, to improve the security of mobile and e-commerce CNP payments, particularly in such areas as authentication, tokenization, and encryption for data protection.