How can you minimise card-not-present (CNP) fraud?
Online sales in the UK saw the equivalent of five years of growth between 2020 and 2021. While the COVID-19 pandemic accelerated this sharp upturn, preference for online retail will only continue to grow. But as most businesses still rely on card payments for online transactions, they are open to all manner of ecommerce fraud, including card-not-present (CNP) fraud.
Card-not-present fraud is particularly dangerous because credit card details can be stolen en masse through phishing and malware. And unlike with card-present fraud, the merchant won’t have the opportunity to examine the card for any evidence of fraud, like altered account numbers or a missing hologram. Successful fraudulent payments can result in significant revenue losses for businesses.
All companies that operate online and collect card payments should be aware of card-not-present fraud, how to identify it, and how to prevent it.
What is a card-not-present transaction?
A card-not-present transaction occurs when a merchant receives a customer’s payment information remotely rather than in-person. Examples include:
Customers submitting card details via an online payment page
Customers filling in a payment form and sending it by email/post
Customers providing their card information via a phone call
What is card-not-present fraud?
Card-not-present fraud refers to the fraudulent practice of using stolen credit card information to complete a transaction without being in possession of the physical card.
Due to the rise of ecommerce, incidents of card-not-present fraud have surpassed card-present fraud. Today, it’s the most common type of fraudulent card transaction, accounting for 79% of all card fraud losses in the UK. Its popularity is aided by its relative ease.
In theory, a fraudster only requires access to a card number, the expiration date and a card’s CVV code to complete an online transaction via card payment. However, strong customer authentication (SCA) is thankfully now a requirement for businesses, and is designed to reduce the problem of card-not-present fraud.
What does card-not-present fraud cost merchants?
Card-not-present fraud cost UK businesses £456m in 2020, of which £377m was lost online. By comparison, lost and stolen card fraud, the next biggest type of card fraud, cost businesses £79m.
And card-not-present fraud affects both consumers and businesses. For example, when a customer realises that they have been a victim of card-not-present fraud, they may request a chargeback with their bank. This is essentially a reversal of a debit or credit card transaction. It means businesses lose the payment, but are also liable to pay chargeback fees, not to mention the losses incurred through transaction fees and the operational costs involved in processing the order.
Merchants who accumulate too many chargebacks are placed in the high-risk merchant accounts pool. At best, this increases card processing fees. At worst, it can prevent merchants from being able to take credit and debit card payments at all.
An additional cost for merchants is the resulting disintegration of the customer-business relationship. This is because customers may associate the theft of their information with the brand that took that fraudulent payment. As well as losing defrauded customers, businesses can also suffer reputational damage.
What are the most common methods for card-not-present fraud?
Card-not-present fraud is so common because it can repeatedly occur before a victim realises what’s going on. This is because they still have their card physically with them and, unless they keep a keen eye on their bank statement, have no reason to expect that transactions are being carried out using their information.
There are several ways fraudsters can obtain card information to carry out this type of fraud. Among these, the three most common are:
Hacking is when somebody gains access to a computer system that contains sensitive financial information. This might be a retailer, a hospitality business, a bank or any form of service provider. Hackers can then sell the stolen data to other cybercriminals who can use it to commit payment fraud. According to the most recent figures from the Office for National Statistics (ONS), 2.8 million frauds involving UK payment cards were reported for the year ending March 2019.
Skimming refers to the process of copying and stealing information directly from a physical card. Skimming devices that capture card information are difficult to detect and can be installed on ATMs or at petrol pumps. A report from UK Finance found 52,782 cases of skimming fraud on UK credit and debit cards in 2020.
Phishing is a method of obtaining financial information by pretending to be an official from a credit card company or bank. For example, a scammer might send out an email claiming a customer’s account is at risk and informing them that they must follow a link and enter their login information and/or card details as a response. The scammer will then steal the information that has been entered. Reports indicate that phishing is on the rise. UK Finance revealed that 25,000 bank-branded phishing websites were removed in 2020, a figure which is four times higher than it was in 2019.
Ways to reduce card-not-present fraud
As a business, you can act to prevent card-not-present fraud. Below are some of the key ways you can do this:
Be on the lookout for ‘test’ transactions
Watching out for unusually small transactions can help prevent large fraudulent payments from affecting your business later. Fraudsters typically ‘test’ out the stolen card information with small purchases. Then, if these are successful, they’ll move to bigger ones. Spotting this card testing practice as soon as possible can help prevent the fraudster from using the stolen card details to complete further purchases.
Collect customer information to spot unusual transactions
Having as much information as possible on a customer can help you spot a fraudulent transaction. This is because you can ask for more information to authenticate payment details, while also identifying suspicious payments. If, for example, you see that a transaction was made in a location with no connection to the billing address, that should at least flag the transaction for further scrutiny.
Examples of the kind of information you should gather on customers include:
What devices were used
Identify unusual behaviours
Similar to ‘test’ transactions, fraudsters will often act differently to legitimate customers to avoid detection or to maximise their gains. Potential fraud indicators include hundreds of login attempts, several customers on one IP address, high chargeback requests and many password reminders/resets.
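An added example, not part of the original article: a sketch of how the ‘test’ transaction pattern and the several-customers-on-one-IP indicator described above could be checked against a payment log. The event fields, thresholds and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real data. card_token is a tokenised
# reference, never a card number:
# (timestamp, customer_id, ip, card_token, amount_gbp, approved)
SAMPLE = [
    ("2024-01-05T10:00:00", "cust-1", "198.51.100.7", "card-A", 1.00, True),
    ("2024-01-05T10:20:00", "cust-1", "198.51.100.7", "card-A", 450.00, True),
    ("2024-01-05T11:00:00", "cust-2", "203.0.113.9", "card-B", 35.00, True),
    ("2024-01-06T09:00:00", "cust-2", "203.0.113.9", "card-B", 40.00, True),
    ("2024-01-05T12:00:00", "cust-3", "192.0.2.44", "card-C", 1.50, True),
    ("2024-01-05T12:30:00", "cust-3", "192.0.2.44", "card-C", 3.00, True),
    ("2024-01-05T13:00:00", "cust-4", "198.51.100.7", "card-D", 0.99, False),
    ("2024-01-05T13:05:00", "cust-5", "198.51.100.7", "card-E", 0.99, False),
]

SMALL_AMOUNT = 2.00            # assumed ceiling for a "test" purchase
JUMP_FACTOR = 20               # assumed: later payment is 20x the test amount
WINDOW = timedelta(hours=24)   # assumed look-ahead window
CUSTOMERS_PER_IP = 3           # assumed limit before an IP is reviewed


def find_card_testing(events):
    """Cards where an approved small payment is followed, within WINDOW,
    by a payment at least JUMP_FACTOR times larger."""
    by_card = defaultdict(list)
    for ts, _cust, _ip, card, amount, approved in events:
        by_card[card].append((datetime.fromisoformat(ts), amount, approved))
    flagged = {}
    for card, rows in by_card.items():
        rows.sort()
        for i, (t0, small, ok) in enumerate(rows):
            if not ok or small > SMALL_AMOUNT:
                continue
            big = next((a for t, a, _ in rows[i + 1:]
                        if t - t0 <= WINDOW and a >= small * JUMP_FACTOR), None)
            if big is not None:
                flagged[card] = (small, big)
                break
    return flagged


def find_shared_ips(events):
    """IPs used by CUSTOMERS_PER_IP or more distinct customer accounts."""
    customers = defaultdict(set)
    for _ts, cust, ip, *_rest in events:
        customers[ip].add(cust)
    return {ip: sorted(c) for ip, c in customers.items()
            if len(c) >= CUSTOMERS_PER_IP}
```

In the sample, card-C shows why the size jump matters: a customer who makes two small purchases in a row is not flagged, while card-A (£1.00 then £450.00 twenty minutes later) is.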
Implement 3D Secure for card payments
3D Secure is a security measure designed to protect merchants from credit and debit card fraud by adding an additional verification step. Today, there are many different security protocols for various credit cards, all based on the 3D Secure platform. Popular examples include:
Mastercard Identity Check
American Express SafeKey
While 3D Secure reduces credit card fraud, the extra layer of security will also add friction to the purchase for consumers. Ravelin previously found the average transaction took 37 seconds to complete.
Accept alternative payment methods
Open banking payments are intrinsically secure and built for online payments. One of the key ways they ensure such a high level of security, without adding unnecessary friction to payment journeys, is through their baked-in SCA measures.
When customers confirm their purchases and choose open banking at checkout, they are sent to their bank’s app to confirm the payment, usually with biometrics. Their bank verifies that the customer owns the device they are paying from and requires fingerprint recognition or facial ID to authorise the payment.
Our complete guide to open banking explores the differences between open banking payments and card payments in greater detail.