Card-not-present (CNP) transactions account for nearly 80% of the fraud in the United States today.1 It’s an eye-opening statistic. So how did we get here?
As much as 60% of U.S. payment sales can now be attributed to CNP transactions2, which include e-commerce and phone transactions. Digital transformation was already well underway when the pandemic hit, but there’s no denying that COVID-19 accelerated the trend. Consumers, even those who were less tech-savvy, rapidly migrated to online and mobile channels. Unfortunately, so did fraudsters, because CNP transactions require only card information, not a physical card, which makes them easier targets.
Types of CNP fraud
The rise in CNP volume has led to the emergence of various forms of criminal attacks, including:
- : Criminals acquire personal information to create a false identity and then spend the money of a consumer or business and establish illegitimate merchant services accounts under that identity.
- A third party takes over a financial account by stealing login credentials, which gives them complete access to the individual’s or the business’s finances.
- : Someone initiates a seemingly legitimate transaction and then requests a chargeback from the issuing bank. The purchaser keeps the product or service in question while also getting a refund for the cost.
- Card enumeration (or “brute force”) attacks: A criminal systematically submits transactions with enumerated values such as primary account number, card verification value (CVV), expiration date and postal code to derive legitimate payment account details. Typically targeted are legitimate e-commerce merchants with weak fraud controls in place.
Common fraud risk mitigation tools
Businesses can minimize the risk of CNP fraud by taking a multi-layered approach to security and enabling an array of fraud protection tools, including velocity checks and CVV, address verification service (AVS) and unmatched refunds filters.
Businesses should also consider using CAPTCHA, where cardholders must identify a series of distorted letters or numbers to prove they aren’t a bot trying to infiltrate the site or launch an enumeration attack.
For even more fraud protection, they should implement 3D Secure authentication on their websites. It requires cardholders to complete an additional verification step with the card issuer when paying.
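A velocity check of the kind mentioned above, sketched as an added example (not code from the original page or its publisher): it flags sources whose authorization attempts within a short window show the decline bursts or card cycling typical of an enumeration attack. The thresholds, field names and sample events are assumptions constructed for illustration; card values are opaque tokens, never raw account numbers.

```python
from collections import defaultdict, deque

# Assumed limits; tune against real traffic before enforcing.
WINDOW_SECONDS = 60       # look-back window per source
MAX_DECLINES = 5          # declines tolerated per source in the window
MAX_DISTINCT_CARDS = 3    # distinct card tokens tolerated per source in the window

def find_enumeration_sources(events):
    """Return {source: reason} for sources exceeding the velocity limits.

    events: (epoch_seconds, source_id, card_token, approved) tuples,
    sorted by time. The field layout is hypothetical.
    """
    recent = defaultdict(deque)   # source -> attempts still inside the window
    flagged = {}
    for ts, source, card, approved in events:
        window = recent[source]
        window.append((ts, card, approved))
        # Drop attempts that have aged out of the sliding window.
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        if source in flagged:
            continue
        declines = sum(1 for _, _, ok in window if not ok)
        cards = {c for _, c, _ in window}
        if len(cards) > MAX_DISTINCT_CARDS:
            flagged[source] = "many distinct cards"    # cycling account numbers
        elif declines > MAX_DECLINES:
            flagged[source] = "repeated declines"      # guessing CVV/expiry on one card
    return flagged

def build_sample_events():
    """Constructed sample traffic using documentation-range IP addresses."""
    ev = []
    # One card, eight declines in 16 seconds: CVV/expiry guessing.
    ev += [(1000 + 2 * i, "203.0.113.7", "tok_A", False) for i in range(8)]
    # Five different cards in 10 seconds: account-number enumeration.
    ev += [(1000 + 2 * i, "198.51.100.9", f"tok_B{i}", False) for i in range(5)]
    # Ordinary shopper: one typo, then an approval.
    ev += [(1005, "192.0.2.44", "tok_C", False), (1030, "192.0.2.44", "tok_C", True)]
    # Six declines spread 15 minutes apart: stays under the windowed limit.
    ev += [(1000 + 900 * i, "192.0.2.80", "tok_D", False) for i in range(6)]
    return sorted(ev)

if __name__ == "__main__":
    for source, reason in find_enumeration_sources(build_sample_events()).items():
        print(source, reason)
```

In production the flagged source would typically be rate-limited, challenged with CAPTCHA or routed to 3D Secure rather than silently dropped.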
Best practices to adopt
Some other recommended best practices for reducing risk include:
- Maintain PCI (Payment Card Industry Security Standards Council) compliance to prevent any misuse of systems.
- Keep platforms and software up to date.
- Monitor transactions and reconcile accounts daily.
We can help
Ultimately, the very best practice is to partner with us on managing the risk associated with your card processing. To ensure you are using the most effective tools and taking all the right steps to protect your transactions, contact your banker, who can refer you to a Merchant Services Specialist. In addition, for the latest guidance on managing card acceptance risk, visit our Merchant Services Client Resources page.
1 “How Financial Institutions Should Combat Fraud in a Post-Pandemic World,” October 2021, https://thefinancialbrand.com/123139/banking-payment-fraud-trend-card-not-present-synthetic-identity/
2 “How Financial Institutions Should Combat Fraud in a Post-Pandemic World,” October 2021, https://thefinancialbrand.com/123139/banking-payment-fraud-trend-card-not-present-synthetic-identity/