With CNP Fraud, Vigilance Is Only Part Of The Battle

With EMV changing the way payments are made in person, so, too, is the nature of fraud changing. Card not present (CNP) fraud is becoming a favorite avenue pursued by criminals, meaning merchants must do more than just block and tackle — they must also be mindful they’re not chasing away good customers, as omnichannel technology and operations firm Radial’s Senior Product Manager Bryan Heron explains.

The impact of online fraud reaches far beyond the dollar count of sales lost.

When data breaches occur, jobs are on the line from the CIO down to lower-level IT personnel.

And the damage to trust and confidence on the part of consumers can be incalculable. To paraphrase an investing maxim, a company can be built up over decades and destroyed in minutes.

Against this backdrop, fraudsters are finding new avenues by which to ply their trade. In recent studies, as noted by EKN Research and Radial, developed nations are seeing an increase in card not present (CNP) fraud, which now accounts for as much as 70 percent of all card fraud and is growing at double-digit percentage rates in some nations.

With firms losing more than $5 million in stolen data tied to breaches, the true cost of online fraud is increasing. Retailers and merchants are losing more than $3 for every dollar of fraud incurred as recently as 2014, and that number was up from $2.79 the year before. At 71 percent, as estimated by one secure payments processing firm, identity theft is the most common type of fraud. Phishing follows close behind at 66 percent.

In terms of tempting targets for fraud, eCommerce stands out. Radial noted a 55 percent growth in fraudulent activity through the last 12 months.

The numbers are alarming, to be sure, and PYMNTs spoke to omnichannel technology and operations firm Radial’s Senior Product Manager, Bryan Heron, to get a sense of how enterprises can mitigate risk in the face of a rising tide of malfeasance.

“We think EMV is directly responsible for the increase in fraud, but it’s not the only reason,” Heron said, directly addressing the rise of CNP fraud in developed nations.

“[Card not present fraud’s growth is] a combination of two things,” he said. “Fraudsters are leaving card present and finding the weakest entry point.” In addition, people and merchants are simply doing more business online. “E-Commerce is really booming. If EMV didn’t happen, we would still see an increase in fraud, but it’s making it worse.”

Beyond the watchword of EMV, a transition must happen eventually in the world of payments to prevent cybercrime, and the merchant must be proactive beyond mere vigilance.

“If your goal is to cut off fraud — sure, reduce your channels, tighten your requirements, and while that might reduce fraud, it’s going to kill you as far as your sales and conversions,” said Heron.

Narrowing retail omnichannel conduits simply to choke off access to would-be fraudsters ultimately becomes self-defeating, as does over-reliance on one security channel — or lack of awareness about which methods might be flexible and powerful enough to mitigate cybercrime risk while also maximizing commerce.

Overcorrecting can indeed have real impact — of the worst kind — for businesses. The false positive is a profit killer and has the double whammy of turning away customers from a relationship that might otherwise be long-lived and fruitful for merchants.

BI Intelligence reported news that retailers declined $8.6 billion in suspected fraudulent payments that were good orders in 2015.

“The theme we believe in is blocking fraud isn’t good enough — you’ve got to drive sales and identify good orders because there’s a ton of money sitting on the table,” said Heron. “It’s going to kill loyalty downstream, with 15 percent of shoppers experiencing false positive experiences and 66 percent of those limiting or stopping consumers coming to your store.”

Heron pointed to the Payment Card Industry Data Security Standards (PCIDSS) as food for thought for retailers and merchants — a certification that requires mindfulness and proactive efforts. This is a certification given to retailers requiring advanced fraud and risk management smart technology for regular fraud checks.

Heron believes getting certified is not something that can be done once and forgotten, but simply kicks off a necessary process.

“Once you’re verified, you need to do things during the year, including penetration testing and vulnerability scans to help maintain PCI standards,” he said.

The two firms cited other avenues as being useful in a multi-front fight against eCommerce fraud — particularly in cross-border instances and where manual review can prove too unwieldy, or where the Internet of Things requires additional security measures. Among those initiatives: Retailers should request billing and shipping addresses of consumers so address verification systems can be effective before transactions can be processed. Additionally, geolocation and smart technology can help provide a layer of verification that ensures legitimate transactions are processed.

To download the whitepaper, fill out the form below:

    First Name*

    Last Name*

    Title*

    Company*

    Work Email*