
Card-Not-Present Fraud: How to Save Consumers from Themselves


Consumers are less concerned with the cost of fraud because they are rarely, if ever, held responsible for the actual fraud loss and therefore suffer little to no financial repercussions. However, they are greatly inconvenienced if the fraud occurs on their debit cards and the funds in their underlying DDA account are used. On the other hand, the costs incurred due to fraud weigh heavily on the shoulders of financial institutions. As with all fraud prevention measures, there is a delicate balance between added security measures and customer experience, and card fraud is no exception.

EMV has closed off counterfeit fraud opportunities at the point of sale (POS), but there is now a shift to Card-Not-Present fraud. According to Javelin, by 2019 Card-Not-Present (CNP) fraud is forecast to affect 3.1% of consumers, nearly twice the projected level of POS fraud (1.6%). With CNP fraud representing the easiest opportunity for fraudsters, hackers have become a ready source of the stolen card data used to target online merchants more aggressively. 26% of POS shoppers cite concerns about their personal information as the reason they stay offline. However, online spending is projected to grow to $458 billion in 2017, reaching 10% of total retail purchases. This growth, along with the lack of strong online anti-fraud tools, will push security to top of mind for protecting both the financial institution (FI) and the consumer.

CNP fraud not only impacts the brand, but also the bottom line. Javelin estimates that CNP fraud will become a $24 billion problem, and Aite Group calculated that card-not-present fraud will cost retailers and financial institutions $7.2 billion in the United States by the end of 2020. Since the end user experiences a limited amount of inconvenience following the fraud, a fraud prevention tool needs to consider the customer experience in everyday transactions online to encourage adoption.

Two of the more common solutions include 3D Secure and Dynamic CVV. 3D Secure (3DS) has been an imperfect answer to user authentication online. The initial 3D Secure protocol enabled secure online shopping by providing “3 Domain” communication between the issuer, merchant, and cardholder. It also facilitated an authentication dialog between the cardholder and the issuer. 3D Secure adds a level of user authentication by requiring the customer to enter a passcode or biometric data in addition to payment data to complete a transaction online. This first iteration of 3DS does not support non-browser-based card-not-present payments including in-app, mobile, and digital wallets.

The payments industry recognized the need for an updated approach incorporating risk-based elements. This led to the development of a new draft 2.0 specification that would take into account these new payment channels and deliver expanded capabilities in terms of technology, security, performance, user experience, and flexibility. 3DS 2.0 conducts a risk assessment of the transaction to help determine if it was initiated by the legitimate cardholder. The risk-based score is developed using device authentication and behavioral analytics to determine whether additional authorization is needed. If the transaction is deemed low risk, authentication could be bypassed, which helps reduce transaction abandonment. If the transaction is deemed high risk, the solution uses one-time passwords or biometrics to verify the user. The user no longer pre-enrolls with 3DS and therefore no longer needs to remember a static password for their authorization. According to an Aite report, an average of 5% of cardholders are impacted with the new risk-based approach.

Currently, Jack Henry uses 3D Secure for both the jhaPassPort™ and Powerlink platforms. jhaPassPort uses the risk-based decisioning solution provided by RSA. Powerlink’s platform is not risk-based and is provided through a partnership with CA (Arcot).

All credit cards have a three- to four-digit code called a CVV. This number today is typically static, meaning it never changes. There are solutions in the market providing a dynamic, or changing, CVV number to prevent fraud. These solutions use cards or mobile applications to provide a CVV code that randomly changes. If a thief uses credit card information stolen from a data intrusion and the online merchant asks for the dynamic CVV (versus a static CVV), the CVV or security code would likely have changed by the time the fraud is attempted and the transaction would be declined. The technology is an intuitive solution to a growing problem and addresses merchant concerns that some authentication technology negatively affects conversion rates.
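How a changing code defeats replay of stolen card data can be shown with a small issuer-side sketch. This is an added example, not code from the article or from any vendor: the derivation (HMAC-SHA-256 with HOTP-style truncation), the one-hour rotation interval, the function names, and the card values are all assumptions, since the page does not say how commercial dynamic CVV products compute their codes.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 3600  # assumed rotation interval; the article names no value


def dynamic_cvv(card_key: bytes, pan: str, expiry: str, now: int, digits: int = 3) -> str:
    """Derive a short code from a per-card secret and the current time step."""
    step = now // STEP_SECONDS
    msg = f"{pan}|{expiry}|".encode() + struct.pack(">Q", step)
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def issuer_accepts(card_key, pan, expiry, presented, now, skew_steps=1):
    """Issuer check: accept the current step or up to skew_steps earlier ones."""
    ok = False
    for back in range(skew_steps + 1):
        expected = dynamic_cvv(card_key, pan, expiry,
                               now - back * STEP_SECONDS, len(presented))
        ok |= hmac.compare_digest(expected, presented)  # constant-time compare
    return ok


def replay_hits(card_key, pan, expiry, stolen, stolen_at, later_steps=1000):
    """Count later time steps in which a code captured at stolen_at still verifies."""
    return sum(
        issuer_accepts(card_key, pan, expiry, stolen, stolen_at + n * STEP_SECONDS)
        for n in range(2, later_steps + 2)
    )


if __name__ == "__main__":
    # Constructed sample values: a test PAN and a made-up per-card key.
    key, pan, exp = b"constructed-per-card-secret", "4111111111111111", "12/29"
    t0 = 1_700_000_000
    code = dynamic_cvv(key, pan, exp, t0)
    print("code at purchase time:", code)
    print("accepted now:", issuer_accepts(key, pan, exp, code, t0))
    print("accepted a day later:", issuer_accepts(key, pan, exp, code, t0 + 86400))
    # A 3-digit code has only 1000 values, so a stale code matches by chance
    # about once per 1000 steps; the issuer still has to rate-limit attempts.
    print("chance hits over 1000 later steps:", replay_hits(key, pan, exp, code, t0))
```

The last figure is the practical caveat: rotation makes a captured code stale, but with only three digits the issuer must still cap failed CVV attempts per card.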

The problem? The cost to issuers. Cards with physical dynamic CVV displays reportedly cost 10 times more than EMV chip cards and 50 times more than mag-stripe cards. The ultimate solution lies in Mobile Dynamic CVV (DCVV2). Issuing the CVV code via mobile channels provides security against CNP fraud and a low-cost alternative to the expensive dynamic CVV (DCVV) cards. The solutions in the market offering Mobile Dynamic CVV do so either via a mobile app that dynamically produces a CVV code or via text and email for a daily code. New codes can be generated at any time by the end user if they fear their card information has been compromised. Since very few online shoppers are more than a few feet from their phone, this extra step is not as burdensome.

Life and technology are moving faster than ever. Certain audiences either don’t have time or don’t care to take note of the daily security threats that surround them. They do not want the inconvenience of additional security measures or the headache of waiting for a reissued card (and in turn changing all their saved payment info). By providing an additional security layer in the least obtrusive way possible, both sides can ultimately win this fraud fight together.