Earlier this week, I received a new debit card through the post with all the associated card carrier materials and advice on card use. What struck me, as a consumer, is how little is said about the challenge of avoiding card-not-present fraud – the very type of fraud that accounts for 70+% of card fraud in Europe. Reference was made to mail and telephone orders involving quoting the card number, expiry date and possibly the card security code and delivery or billing address where appropriate: all the same information that was available to me through the content of the envelope that had just dropped on my mat!
Reference to online purchase security was a little stronger with some “self help” tips about checking that the merchant website is reputable and secure (https://), recording merchant physical contact details, keeping any user names and passwords secret, and printing order confirmations. There is also, of course, information provided about 3-domain security (digital certification protocols like MasterCard SecureCode and Verified by Visa). This helps to better protect the channel, but overall uptake, deployment, utilisation and completion of these protocols is still patchy, and even 3-domain security does not always help avert fraud – take instances such as account takeover, first-party fraud and application fraud.
(One would like to think that the extra “self help” tips for online purchases are due to the fact that e-commerce is by far the most prolific card-not-present channel, whereas mail and telephone order is shrinking in size and popularity. But the cynics might suggest that such extra help is actually being offered because the liability model has changed for e-commerce. Banks are keen to ensure the authenticity and security of e-commerce transactions because, if a merchant is signed up for 3-domain security authentication, banks can’t reclaim fraudulent spend on those transactions via subsequent "did not participate" chargebacks. The same pressure/imperative for banks does not exist for mail or telephone order, as these transactions are not covered by 3D protocols and are therefore still eligible for chargeback.)
There is a good news story for the innocent card-not-present consumer, though. However insecure the CNP environment might have become as we have moved quickly into the realms of ease of accessibility and agility of payment, correctly deployed card fraud prevention and detection solutions like FICO® Falcon® Fraud Manager are still managing to beat the criminals at their game. Our latest data shows that FICO Falcon users in Europe have cut the value of CNP fraud by more than 50% across two years — much better than the industry’s 6% reduction in the same period.
This is not to say that we have the CNP problem cracked, of course. Indeed, while the absolute value of CNP fraud losses may have reduced, the proportion of fraud attributable to CNP continues to rise. So perhaps a criminal now has difficulty making £500 on one transaction as he may have done in the past, but if he can get £400 through 10 separate transactions then it is still worth the effort.
And of course it is not simply a European story — CNP losses are expected to swell even further with the pending migration in the US from magnetic stripe cards to chip card technology, just as they did elsewhere in the world. As the global CNP environment becomes more attractive to criminals, so the defences need to become more thorough and sophisticated.
As my colleague Martin Warwick has reflected, there are new defences in the armoury like merchant profiling, and it is important that all banks stay vigilant to both the changing nature of attacks and the developing solutions to redress them. We need to continue to suppress the attraction of the CNP channels for the criminal.