The popularity of online payments is a double-edged sword. While it helped fuel the growth of the financial sector, it also brought with it a never-before-seen amount of payment fraud. Today, card not present (CNP) credit card fraud is by far the most popular kind of payment fraud out there.
If you’re a bank or a payment provider, then in many cases you’ll be the one who will have to swallow the cost of payment fraud via chargeback fees, investigation fees, as well as government fines. The costs associated with fraudulent payments can be so large that they may force your company to shut down.
Read this article to find out what CNP fraud is and how to protect yourself and your clients.
So what is CNP exactly? As we mentioned in our article on preventing payment fraud, card not present fraud is a type of transaction fraud that does not require the presence of a physical debit or credit card during the criminal act.
In this case, a card not present transaction is any transaction that takes place over the internet or over the phone.
For card-not-present fraud to occur, all a criminal needs is the victim’s credit card number, name, three-digit security code (CVV), and the expiration date.
One of the most frustrating things about CNP fraud is that there is very little a bank or a payment processor can do to prevent the falling of sensitive client data into unscrupulous hands.
Customers value convenience and low payment friction above all else. And, with the safety net of chargebacks, they are often very lax when it comes to the security of their credit card data. This means that breaches are close to inevitable.
Once that payment information is out there, it is out there for good, often being sold and resold to several criminal outfits.
And the customer might allow several fraudulent payments to take place before blocking their card and issuing a chargeback.
This is because, in many cases, the victim won’t realize that any funds have been stolen from them until they see their bank statement. Which can happen weeks (or even months) after the first fraudulent payment occurs.
Fraudsters can obtain the payment information of their victims in a variety of ways. The most common of these include phishing attacks and database breaches.
After the attacks are carried out, the data is typically sold off to other criminal outfits on the dark web.
These criminals, in turn, will be the ones carrying out the actual CNP fraud.
When card-not-present fraud occurs, it is not the direct victim that bears the loss. The sum they lose is typically refunded by the payment provider, the bank, or the merchant.
On top of this, credit card companies may subject your business to additional chargeback fees and investigation fees.
As of 2021, CNP fraud is 81 percent more common than card present fraud. While card-present fraud is much less prevalent now thanks to the introduction of chip and PIN technology, CNP fraud is only becoming more and more widespread year after year.
What’s even more worrying is that gaining access to stolen credit card data is only becoming easier for criminals as time goes by.
Breaches of sensitive payment data, such as credit card numbers and e-retailer login credentials, are becoming more and more widespread.
According to an industry report, the number of stolen credit cards available for sale on the dark web has increased by an astonishing 153% last year alone.
And according to a study by Juniper Research, retailers will lose 130 million US dollars due to CNP fraud in 2023.
There are hundreds of methods using which banks and payment processors can prevent card-not-present fraud.
While no do-it-yourself approach can offer you the protection of dedicated CNP fraud protection software, the 4 step process listed below can be a good starting point for modernizing the fraud prevention system of your bank or payment processing company.
Whether you run a traditional bank or an e-payment system, more is always better when it comes to the amount of data you have about your customers.
Always make sure that you log not just the bare minimum regulator-required information about your clients, but also gather additional pieces of data that will help you understand whether they are actually the ones using the account.
Some people in marketing might tell you that introducing any additional friction into the client registration process is unacceptable. There is some truth to this. Introduce too many steps into a procedure and some users will undoubtedly go to a competing service.
So what do you do in this situation?
Data enrichment is the best way to collect additional data about your clients without introducing any additional friction. Put simply, data enrichment is the process of taking separate data points from your clients and using them to gain additional information about your clients thanks to a separate service.
You can use your user’s name and an address to see if they have been involved in any fraud. Or you can take their email address and see whether it’s connected with any real social media accounts. Or if the IP address associated with your client is seemingly used by dozens of other credit card holders.
Gaining this additional information helps your team (and your automated systems) notice discrepancies and suspicious activity where they wouldn’t otherwise see it.
And, as data enrichment is completely invisible to the client, it introduces zero friction into the process.
Once you have enough information about your clients and their normal behavior, you can create rules or integrate AI-based fraud detection schemes to help protect your clients from payment fraud risks.
The behavior of criminals almost always follows certain patterns that can signal payment fraud.
By turbo charging your security solutions with enriched data points, you can make them much more accurate. They will now be capable of identifying fraudulent transactions that would have flown under its radar before and recognizing genuine transactions as such in places where they could’ve flagged them as potentially malicious before.
One of the most common fraud-related payment patterns are micro transactions. Before attempting to make a large purchase, the fraudsters will typically test the card with a small amount of money to see if the credit card data they purchased is correct or if the associated account has any cash on it.
Perhaps they will sign up for a $0.99 trial of a subscription service or make a minimal payment in a mobile game.
If this micro transaction is a success, the fraudsters will then typically attempt to use the stolen card to buy a much more expensive item.
Identifying card testing immediately is a great way of flagging fraudsters before they are able to do any serious damage by making a big payment.
Having a large amount of information, you can accurately assess which transactions are of high risk.
Whenever you find this to be the case, don’t be afraid to ask the user for additional authentication steps.
If you’ve done everything correctly up to this point, the vast majority of transactions falling into this group will be fraudulent.
And if, despite all of your efforts, any legitimate users have fallen into this group by mistake, then they will have no difficulty going through these additional steps.
If your systems are very certain that the transaction is fraudulent, you can ask the user to provide a lot of Know Your Vustomer information, so that you can be sure without a shadow of a doubt that the transaction is legitimate before letting it go through.
On the other hand, if your systems have detected a fringe case that only barely triggers your fraud detection algorithms, then you can opt to ask for fewer and simpler identity verification methods from the user.
Lastly, nothing will be able to protect you from fraudulent payments if your company is the main source of them.
One of the best things you can do for your business is to do your best to protect the payment information of your clients.
Having the credit card information of a large portion of your client base compromised is both a PR and a chargeback nightmare.
So make sure your security team stays on top of all of the latest security rules and standards.
For example, many security experts will tell you to use state-of-the-art 256-bit Secure Sockets Layer (SSL) encryption to encipher all of the sensitive payment data you receive from and transmit to your clients. Price-wise, upgrading from 128-bit to 256-bit SSL encryption is rather inexpensive, so there’s no reason not to do it.
To get more information about credit card fraud detection, check this article.
Card-Not-Present fraud is the most prevalent method of payment fraud today.
CNP fraud is 81 percent more common than traditional card-present fraud, and the gap between the two is only likely to rise in the future.
According to a Juniper Research projection, in 2023 retailers will lose an astronomical 130 million US dollars CNP fraud in 2023.
Protecting your business from chargebacks and fines associated with CNP fraud can be expensive. Thankfully, third-party solutions can give you all of the benefits of a custom, AAA-tier system for a fraction of the cost.
Proud to announce that SDK.finance is the best FinTech startup 2015! Central European Startups Awards has… Read More
On November 10, SDK.finance was presenting demo at Bank Innovation Israel 2015 DEMOvation challenge. Bank Innovation… Read More
Great news! SDK.finance is selected for the €20.000 cash prize pitch competition at Execfintech! After… Read More
On March 8, CTO SDK.finance Pavlo Sidelov and CEO Alex Malyshev were attending one of the… Read More
On March 30, SDK.finance has been selected as a finalist for Red Herring's Top 100 Europe award,… Read More
Money 20/20, the cutting-edge FinTech conference, was held April 4 – 8 in beautiful Copenhagen… Read More