3 Ways to prevent card not present fraud
Small businesses like yours benefit from modern technology, including smartphones, the internet and ecommerce websites. They allow you to sell your goods or services without borders, but they come at a cost. That cost is fraud. Online transactions pose more risk to small businesses like yours than in-person transactions because the physical card is not within your line of sight. That makes it easier for thieves to scam your business with stolen card information.
Predictably, the rise in ecommerce also means a rise in one type of fraud: card-not-present (CNP) fraud. How big of a problem is it? The Nilson Report, which tracks card fraud, noted that card-not-present transactions accounted for 15.4% of worldwide purchases in 2019, but 65% of the total losses due to fraud. So it’s one of the biggest types of fraud, and it can take a toll on your business.
In this article, we’ll take a look at what CNP fraud is, including the way scammers can get your customers’ information and how they use it. We’ll also focus on three ways your business can help prevent card-not-present fraud. To start, let’s talk about CNP fraud.
What is CNP fraud?
To understand card-not-present fraud, it’s important to understand card-not-present transactions. Like it sounds, a card-not-present transaction happens when a customer’s physical credit card or debit card is not actively swiped or dipped by the merchant. These transactions take place online or over the phone. Contrast this with a card-present transaction, in which a customer hands a physical credit card to a merchant at brick-and-mortar retailers.
In card-not-present fraud, fraudsters attempt to make purchases with the customer’s credit card information without physically holding the card. These unauthorized transactions can happen very quickly since the scammer just needs to have all of the customer’s information. Unlike card-present fraud, they never have to set foot in a physical store. Once they’ve used the card information in one unauthorized transaction online or over the phone, it’s easy for them to go on a virtual spending spree.
So, how do fraudsters get a customer’s credit card information in the first place?
How CNP fraud works
Now that you know the basics of CNP fraud, let’s look at how scammers get the credit card information and how they commit the fraud. First, because fraudsters don’t need to steal the physical credit card, consumers may not even know they are victims of fraud. When a thief steals a physical credit card, it’s obvious and easy to cancel the card as a result. But with card-not-present transactions, victims have very little sense that their information is at risk.
To fraudulently use a credit card, the criminals need the credit card number and card security code. Sometimes they’ll also need the card zip code and billing address. Criminals can get this payment card information in a variety of ways. The three most common ways are hacking, skimming and phishing.
- Hacking: A thief directly attacks computer systems with malware to get information from retailers, restaurants, hotels, financial institutions and other merchants. This data breach allows the hacker to get an enormous amount of customer data. The thief will then use this information or sell it to other criminals on the dark web, who then use it to commit card-not-present fraud and other cybercrimes.
- Skimming: A thief installs a device known as a skimmer on magnetic card readers at places like gas stations or ATMs. This skimmer copies data from debit or credit cards. Again, thieves then sell this stolen credit card data to other fraudsters.
- Phishing: A thief poses as a legitimate organization to fish for sensitive data. They collect this data either over the phone or by email, trying to get their targets to give away information during a call or click a malicious link.
Once criminals have the data, how do they use it? Typically, they’ll try to make small purchases with the card information to ensure the card information works. Then they’ll use it to buy things online. This could be a subscription service, cryptocurrency (which converts easily to cash) or gift cards. When cybercriminals purchase gift cards with stolen card information, they can convert them to currency on third-party gift card exchange sites or use them to make purchases.
Although CNP fraud is not the merchant’s fault, the merchant is the one who loses. In card-not-present fraud, the merchant – most likely a small business like yours – has to reimburse the credit cardholder for the fraudulent transaction at their business. CNP fraud can hurt businesses that have to shoulder the responsibility of the fraud through no fault of their own.
Conversely, the issuing bank is the one who is typically responsible for repaying the cardholder in card-present fraud incidents, unless the merchant didn’t have payment terminals compatible with EMV chips. Then, the liability shifts from the issuing bank to the merchant, who was not EMV-chip compliant.
Now that you know more about how criminals execute card-not-present fraud, let’s take a look at a few key ways you can help to prevent card-not-present fraud at your business.
3 key ways to prevent CNP fraud
Keep an eye out for fraudulent orders
Fraudsters will try to maximize the purchases they make in a short period of time before someone catches on to the fraud. So new orders or larger-than-normal orders should require more of your attention to confirm they are legitimate. Fraudsters also may place orders on multiple cards with different numbers, all shipped to the same address. This is a telltale sign of card-not-present fraud, as the criminal is using more than one stolen card to make these purchases.
As you can see, it’s important to take extra care in examining your business’s orders. Fraud can occur at any time, and one lapse in caution can threaten your business.
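The warning signs above (several cards shipping to one address, a burst of orders on one card, and larger-than-normal orders) can be checked automatically before an order ships. The following is an added example, not code from this article or from any payment processor; the order fields, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders. "card" is a processor token, never the card number.
ORDERS = [
    {"id": "A1", "time": "2024-03-01T09:00", "card": "tok_a", "ship_to": "12 Oak St, Apt 4", "amount": 45.00},
    {"id": "A2", "time": "2024-03-01T09:20", "card": "tok_b", "ship_to": "12 oak st apt 4", "amount": 60.00},
    {"id": "A3", "time": "2024-03-01T09:45", "card": "tok_c", "ship_to": "12 Oak St., Apt 4", "amount": 52.00},
    {"id": "B1", "time": "2024-03-01T11:00", "card": "tok_d", "ship_to": "88 Pine Rd", "amount": 900.00},
    {"id": "C1", "time": "2024-03-02T14:00", "card": "tok_e", "ship_to": "5 Elm Ave", "amount": 38.00},
    {"id": "D1", "time": "2024-03-03T08:00", "card": "tok_f", "ship_to": "7 Birch Ln", "amount": 30.00},
    {"id": "D2", "time": "2024-03-03T08:10", "card": "tok_f", "ship_to": "7 Birch Ln", "amount": 55.00},
    {"id": "D3", "time": "2024-03-03T08:25", "card": "tok_f", "ship_to": "7 Birch Ln", "amount": 70.00},
]

# Assumed thresholds; tune them to your own order history.
WINDOW = timedelta(hours=24)
MAX_CARDS_PER_ADDRESS = 2
MAX_ORDERS_PER_CARD = 2
LARGE_ORDER_FACTOR = 3.0

def normalize(address):
    """Fold case and punctuation so trivially different spellings compare equal."""
    return " ".join(address.lower().replace(",", " ").replace(".", " ").split())

def screen_orders(orders, typical_amount):
    """Return {order_id: [reasons]} for orders that deserve a manual review."""
    parsed = [{**o, "t": datetime.fromisoformat(o["time"]), "addr": normalize(o["ship_to"])}
              for o in orders]
    flags = defaultdict(list)
    for o in parsed:
        # Orders placed within WINDOW before or after this one.
        nearby = [p for p in parsed if abs(p["t"] - o["t"]) <= WINDOW]
        cards_at_address = {p["card"] for p in nearby if p["addr"] == o["addr"]}
        if len(cards_at_address) > MAX_CARDS_PER_ADDRESS:
            flags[o["id"]].append("multiple_cards_same_address")
        if sum(p["card"] == o["card"] for p in nearby) > MAX_ORDERS_PER_CARD:
            flags[o["id"]].append("rapid_orders_one_card")
        if o["amount"] > LARGE_ORDER_FACTOR * typical_amount:
            flags[o["id"]].append("larger_than_normal")
    return dict(flags)

if __name__ == "__main__":
    for order_id, reasons in screen_orders(ORDERS, typical_amount=50.00).items():
        print(order_id, ", ".join(reasons))
```

A flag here means "look at this order before shipping", not "decline it"; the legitimate order C1 passes with no flags.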
Use authentication and tokenization software and tools
- Address Verification Service (AVS): This gives you the opportunity to compare the billing address the customer gave you during the transaction to the billing address the customer listed on their file at the issuing bank. If the addresses don’t match, you can decline the card and avert fraud.
- Card security codes: These are the three- or four-digit (Amex only) numbers on the back of the customer’s credit card, usually around the signature panel. Each credit card network calls it something different – CVV2 for Visa cards, CVC2 for Mastercard, and CID for Discover and American Express. Requiring these CVC, CID or CVV numbers ensures that the customer has the card in their possession when making an online purchase.
- Credit card association fraud prevention services: Most of the major card networks have fraud prevention services available to merchants. These programs let customers identify themselves to card issuers through personal passwords they set up when they enroll in the services. Each of these services – Mastercard SecureCode, Verified by Visa and American Express SafeKey – helps protect merchants against “unauthorized use” chargebacks.
- Multifactor authentication: This service requires buyers to verify their identity before completing a purchase. This can happen in a few different ways: the buyer can receive a code on their mobile device or at their email address, or the service can use biometric scanning. Biometric face or fingerprint scans are much quicker for customers than verifying by code, but both serve the same purpose – verifying that a customer is who they say they are.
- Tokenization: This process helps keep customers safe by generating a single-use string of numbers, called a token, that takes the place of one’s credit card information. It acts like the card information without actually being the card information. This helps to protect customers from fraud, since no account numbers are actually stored. Tokenization occurs in mobile device payments like Apple Pay or Google Pay, which also use biometric verification.
Go with your gut
In the process of reviewing transactions, something may feel off. Maybe it’s a repeat customer who is ordering something completely different from all of their past purchases. Or it could be a customer ignoring free shipping and opting for priority shipping instead. Again, if it seems fishy, it’s better to validate the transaction. You may want to ask for more information from the customer. When you call the customer’s phone number, ask them specifics about the transaction. Cancel the order if they cannot give you the correct information.
You may also work with your payment processor to create a blacklist of known fraudsters, essentially declining any transactions from them. Your payment processor will help you with what its tools can do; blacklisting can be very specific (like by IP address) or very generic (like a specific country).
As you’ve seen, card-not-present fraud can happen to any business that accepts online or over the phone payments. While your business could be on the hook for these charges, there are steps you can take to limit the occurrences in your business.
Heartland helps nearly 1,000,000 entrepreneurs make and move money, manage employees and engage customers with human-centered technology solutions that allow them to rise above the daily grind and lead their businesses into a brighter future. Learn more at heartland.us