What's ahead for online fraud in 2016
By Steve Beene, founding partner, MSP Consulting
Although the U.S. rollout of EMV technology is beginning to eliminate some fraud concerns of retailers, experts expect to see an increase in online fraud as fraudsters turn their attention to online sales. Some reports indicate online retail fraud in the U.S. alone is expected to rise by 106 percent over the next three years.
What's ahead in 2016
Even though card present credit card fraud will likely be on the decrease as the EMV rollout started in October 2015 continues, the new chip technology will not directly benefit online retailers and businesses.
For the first time in history, about half of all online purchases made on Black Friday were with mobile devices. This fact represents both the convenience mobile devices have brought to consumers’ lives and also the increase in fraud many businesses now face. In fact, the National Retail Federation expects online retail sales to increase during the 2015 holiday season by 3.7 percent over 2014, up to $630.5 billion this year. Experts estimate that up to one quarter of these sales could potentially be fraudulent.
Further, according to a report by Javelin Strategy & Research, card not present fraud, which includes online transactions, is expected to be nearly four times greater than pointofsale card fraud by 2018.
The holidays also bring the need for merchants to adhere to customer demands and create a fast and streamlined checkout process to avoid abandoned sales. Typically, in the interest of convenience, key security measures are discarded and fraudsters are presented with an avenue that is often less secure; therefore, easily targeted.
Likewise, because fraudsters can exploit the convenience of mobile channels, businesses should be aware of the risk of fraud that this holiday season can present.
The best protection against credit card fraud is to "know your customer." However, this has become increasingly more difficult in the global, online economy. Credit card fraud can be devastating but there are steps businesses can take to protect themselves.
Here are some of most common fraud issues facing businesses followed by steps that can be taken to mitigate these risks:
Stolen card/identity theft fraud: This type of fraud occurs when cardholder and credit card information is stolen and used to illegally purchase services or products. Typically, a business finds out about this type of fraud when the actual cardholder initiates a chargeback after notifying their issuing bank of a stolen card. However, by the time this happens, the product has left the store or has been shipped or the service has been rendered. As such, the business is out the product/service with no compensation.
Mitigating actions (verify card value/billing address): Verifying the CVV code and billing address with the sale helps to confirm the cardholder is actually the person authorizing the sale. The address verification system (AVS) can confirm if the address provided matches the billing address on file with the credit card issuing bank. Unless a sale is initiated by a known customer, only ship to the verified billing address.
Eliminate guest checkouts: Online businesses should require customers to register and create a unique user ID and password to help a them manage fraud. Customer activity can be tracked and "questionable" accounts may be deactivated. Likewise, for repeat customers with accounts in good standing, less scrutiny is needed on their sales, while new customers can be monitored and even limited in their sales activity. For instance, a repeat user in good standing may be permitted to ship to a noncertified address, while new users may only be permitted to have the option to ship to their verified billing address, until they build trust with your business.
Utilize fraud scoring systems: One of the more robust fraud management tools for online sales is a fraud scoring system. These tools, along with internal procedures, can be implemented to "rate" each sale to determine risk level. These tools aid businesses in identifying and avoiding high risk sales that may turn out to be fraud. Fraud scoring systems use a wide range of input to critique as sale, including IP filtering, geography filtering, sales thresholds (amount of sale, number of transactions), proxy detection, and even social media information.
Compromised systems and data
This fraud typically occurs when a point of sale system, website or other system that stores credit card information is "hacked." In these cases, the hackers steal customer credit card data and personal information that has been entrusted to keep secure by the business. The business may be liable for excessive fines and devastating negative exposure in their community. Consequently, this type of fraud is most widely represented in the news.
Utilize end-to-end encryption and tokenization: Tokenization replaces sensitive date, such as the credit card number, with a nondescript value set called a "token" while the sensitive data is stored securely. Encryption is the process of transforming data using an algorithm to make it unreadable to anyone except those possessing the "decoder ring," usually referred to as a key. When both technologies are deployed, systems are highly secure, making hacking of data extremely difficult. Most payment solutions offer these technologies that can be integrated into a point of sale or website.
Implement 3D secure: Each of the major card brands has a 3D Secure solution: Verified by Visa, MasterCard SecureCode, American Express SafeKey, etc. These solutions are integrated into a business' website and provide a safer, more secure online payment method as the actual card data is not entered on the website. The cardholder authenticates the sale by entering in their user ID and password, which act like a PIN. These systems help protect all parties, including the business (merchant), the card holder and the banks from fraud. The drawback to these 3D Secure technologies is it requires the cardholder to register their credit card with the corresponding card brand’s solution. Still, the first step is to enable your business website to work with these technologies and most payment gateways support 3D secure.
This fraud is perpetrated by international fraudsters who understand how to work the payment system to their advantage, at the detriment to the business. The aim is to extort product and/or money from the business and their a many elaborate scams associated with their international fraudsters.
Businesses must be especially cautious with international sales. Since address verification is not supported in most countries (AVS is only supported in the U.S., Canada and the U.K.), a business cannot verify the billing address. International sales are at the business' own risk and there is very limited protection from fraud. For this reason, businesses are encouraged to only do business with known international customers. For new international customers, be sure to conduct proper due diligence on the legitimacy of the cardholder and the sale. There is a general lack of advocacy for businesses as it relates to the safest methods of accepting credit card payments. Knowing these fraud techniques and adopting these fraud mitigating procedures will help avoid the significant impacts of experiencing credit card fraud.
Looking to the future
By understanding the most common types of credit card fraud, businesses can better fight and control new cases of fraud this holiday season and in years to come. Further, the earlier merchants have fraud management procedures and solutions in place, the faster they can begin to prevent losses. In layering security solutions, merchants can more securely authenticate payments throughout systems and networks. This will ensure that their environment – and customers' payment information – is protected against fraudsters and attacks of hackers.
Steve Breen is a founding partner of MSP Consulting and has more than 25 years of experience guiding clients and bank partners in the area of payment solutions and associated technologies. He specializes in deploying solutions for healthcare, franchise and business-to-business markets and works closely with community bank partners to optimize their non-cash payment offerings.