Research by the Aite Group revealed that CNP fraud increased by 100 percent in Australia over the three years (2008–2011) following EMV adoption. And a similar pattern occurred in both Canada and the UK after each country transitioned payment terminals to EMV.
The good news is that increased EMV adoption by merchants in the United States means more secure card-present (CP) transactions at the point of sale (POS). Because each transaction requires a unique, one-time use code, card data can't be skimmed and used in order to create counterfeit cards.
The bad news is that fraudulent activity generally takes the path of least resistance. When merchants beef up security at the POS, criminals look for vulnerabilities elsewhere. And that means online channels.
So what steps can you take in order to reduce fraud during e-commerce transactions?
Constructing a CNP security solution requires a multi-layered strategy rather than a single method of attack. And e-commerce businesses must pay attention to new technologies and emerging security techniques, as fraudulent activities continually evolve.
Require multi-factor authentication
During a CNP transaction, identity authentication ensures that the account owner is the person behind the online purchase. And that means requiring one or more authentication factors.
Authentication factors can include the following:
- Something the person has (a credit card)
- Something the person knows (a PIN)
- Something inherent to the person (a fingerprint)
Industry experts recommend authentication processes include at least two factors and ideally all three. Single-factor authentication creates an extremely high-risk environment, leading to unacceptable levels of fraudulent transactions and chargebacks.
Secure cardholder data with tokenization
Used in both CP and CNP payment environments, tokenization replaces the primary account number (PAN) with a substitute value. But tokenization can't be the only fraud-fighting strategy employed by e-commerce merchants.
That's because the tokenization techniques available today don't completely conceal cardholder data across the entire payment chain. There's often the risk of fraud at the point at which the consumer enters the card number into a device or browser or while the number is in the merchant's system before being exchanged for a token.
A current approach to tokenization is what's called an "acquirer token," or a "non-payment token." Once the merchant sends the PAN to the acquirer, a token is returned in place of the card number. The acquirer then stores the card number and associated token in a secure vault accessible to the merchant.
Tokenization often reduces the number of merchant systems that must comply with PCI DSS. And tokenized card data can't be used in order to initiate an e-commerce payment, so the information is useless to criminals if stolen.
As rates of EMV adoption increase among merchants in the United States, those in the e-commerce space must work to investigate and implement security strategies in order to combat CNP fraud.
As you move through the EMV adoption process, what changes in fraudulent activity are you seeing?