One of the biggest challenges facing banks, issuers and retailers around card-not-present (CNP) fraud is the fact that a majority of payments and transactions are still being processed on decades-old technology.
When this technology was put in place, no one could imagine a world where CNP transactions would become so ubiquitous. However, eCommerce now consists of around 20% of all retail spending in the UK and China, while in the US, about $1 in every $10 paid to retailers comes from online channels.
As technology evolved to facilitate digital payments, the architecture did not. So, what's the solution?
In short, technology needs to be implemented to help identify the specific behaviors that can determine if card activity is genuine or fraudulent.
The escalation of CNP fraud
Around the world, American Express, Discover, JCB, MasterCard, UnionPay and Visa (collectively known as EMVCo) have made card present (CP) transactions more secure and Chip & PIN technology is testament to this.
In the UK for example, where the technology has been implemented for a decade, CP fraud losses in 2017 were 71% lower than the peak of £218.8m in 2004, prior to the roll out of Chip & PIN, according to a Financial Fraud Action UK report.
Late last year, the U.S. Federal Reserve Bank reported that CP fraud decreased from $3.7bn to $2.9bn between 2015 and 2016 alone as the US moves away from the traditional magnetic stripe method of credit card transactions.
As the new technology made it tougher to clone cards, criminals naturally began looking for new weaknesses. The Fed reported that from 2015-2016, CNP fraud in the US increased from $3.4bn to $4.6bn and in Europe, 80% of payment card fraud happens via CNP.
Juniper Research issued a report in January that estimates CNP fraud will cost retailers about $130bn in revenue between 2018-2023. It's worth noting that in 2017, the estimated cost was $71bn (by 2022), so the projections have substantially increased.
A new wave of consumer engagement
CNP is an appealing target for criminals because with the proliferation of stolen personal data available has made it a relatively easy crime to commit, coupled with the fact that it’s almost anonymous and can be done from anyone in the world remotely. Even with no additional information about the customer or transaction and in the absence of the proper authentication mechanisms, criminals can easily organize large-scale, autonomous attacks over a very short period.
Exacerbating this problem is the new wave of consumer engagement, whereby the transaction environment more heavily combines CP and CNP. Nearly everything these days can be ordered online and picked up in person such as tickets for travel or events or pre-paid retail purchases, so how can the industry become better authenticators?
Across Europe, the second Payment Services Directive (PSD2) regulations are going live in September of this year, resulting in more rigorous authentication practices for all card transactions known as Strong Consumer Authentication (SCA). This will manifest itself in an updated version of the 3D Secure authentication protocol, 3D Secure 2.0 (3DS 2.0), which will help enable the merchant to provide additional context for the transaction and enable the issuer to more accurately determine the risk of the transaction.
In addition, 3DS 2.0 will enable card issuers and merchants to be able to communicate via an instant data exchange APIs, meaning they will be able to work together to authenticate a transaction faster. With more than 100 data points shared by the merchant and also by the consumers’ card and device, all parties can make much more informed risk decisions, reduce fraud rates and boost revenue.
Evolution necessary as CNP becomes the norm
Banks, issuers and merchants must demonstrate an ability to fight CNP fraud, realizing that the fight will never end. We're facing real fraud perpetuated by ruthless criminals and for every barrier we construct, they'll seek a bypass and it is having a troubling influence on consumers. In a recent survey, Featurespace found that 62% of US consumers believe they're at a higher risk of fraud compared with two years ago, and 77% said they check their accounts at least once a week for suspicious activity.
Efforts that produce 3DS 2.0 and PSD2 are steps in the right direction, as the industry tries to collect information from all parties at a time when the spectrum of digital services grows to accommodate consumers' demand for frictionless payments. However, all that data is worthless if it can't be collated and analysed to detect suspicious and subtle changes in behavioural patterns that are powerful indications of illicit activity.