Card not present (CNP) fraud has continued to increase as more and more business is being conducted in an e-commerce environment. According to Cardhub, “Credit card and debit card fraud resulted in losses amounting to $11.27 billion during 2012.” It goes on to state that, “merchant losses mainly occur on card-not-present (CNP) transactions on the Web, at a call center, or through mail order.” Moreover, it is documented that fraudsters are getting “cleaner” in their fraud methods, making it more difficult for theft to be detected.
In response to the increased threat posed for CNP merchants, the Payment Card Industry (PCI) Data Security Standards (DSS) were developed. The twelve requirements provide a framework for merchants to implement in order to protect sensitive data and to protect themselves from potential breaches. However, very few security systems are without fault. If fraudsters are able to penetrate your system, valuable information can be stolen and used to take as much from you as they can. Typically, these types of issues are not caught right away, resulting in losses to your organization through loss of inventory, customer chargebacks and damage to your reputation. Therefore, it is paramount to implement multi-layered approaches to effectively fight fraud.
Two-Step Fraud Detection
There are two stages to effectively combat fraud: automated evaluation and manual investigation. Implementing systems that flag when transactions are outside of the norm for your organization is crucial to highlighting only the transaction or activity that is suspicious and warrants further review. Once these have been flagged, looking at each transaction individually to ensure legitimacy is key to mitigating loss.
Here at CashLINQ, we are committed to helping you fight fraud. The reality is that fraud protection systems are expensive and may not make sense for your organization. Therefore, we have built many of the recommended automated features into our core products and have a team dedicated to helping your organization achieve and maintain PCI compliance. CashLINQ’s automated tools include, but are not limited to, Card Verification Value 2 (CVV2), Address Verification Service (AVS) and CAPTCHA.
Card Verification Value 2 (CVV2) is a three-digit code printed on the signature panel of credit cards, except in the case of American Express where it is a four-digit code printed on the front of the card. Requiring this information helps to verify the legitimacy of the card in a CNP environment. This information is then included in the authorization process and the response can be used to make a risk evaluation.
Address Verification Service (AVS) verifies that the credit card billing address entered at the time of the transaction matches the records on file at the card issuer. When it matches, the AVS response is “Y”, and when it does not, the AVS response is “N”. A partial or no match may indicate fraud. If you are interested in adding fraud prevention to your product, please contact your Relationship Manager to enable AVS verification, which will then decline transactions with an AVS response of “N”.
CAPTCHA: When sensitive data is stolen, fraudsters will go to online gateways and run “scripts” that process multiple transactions for small dollar amounts to verify the legitimacy of a card number. Using features such as CAPTCHA helps ensure that a transaction submitted through your gateway originates from a real person.
The second part of mitigating fraud is manual investigation. We have fraud monitoring tools and review suspicious activity, but it is important that you do your part as well. Make a point of logging into your account daily to review recent activity. You will begin to see trends in regular processing activity. When something looks out of the ordinary, investigate it and verify its validity. Below are four potential warning signs of card-not-present fraud:
- Unusual transaction activity such as: multiple transactions for low dollar amounts to many different card numbers, multiple transactions originating from a single IP address, or multiple transactions on one card over a short period of time
- First-time shoppers, donors, or registrants
- Unusual activity such as: larger-than-normal product purchases, orders including varieties of the same purchase, or inconsistencies in the order details (for example: billing address mismatch, area code on the phone number outside of the zip code area, or invalid e-mail addresses)
- Unusual shipping requests such as: rush or overnight shipping, shipping outside of the country, shipping multiple orders and card numbers to a single address.
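The automated first stage can be sketched for the first warning sign above together with the AVS response. This is an added example, not CashLINQ's code: the record layout, the thresholds, the reason names and the sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (time, card token, source IP, amount, AVS response).
# Cards are referenced by token so the review log never holds card numbers.
SAMPLE = [
    ("2024-05-01T10:00:00", "tok_A", "203.0.113.7", 1.00, "Y"),
    ("2024-05-01T10:01:00", "tok_B", "203.0.113.7", 1.00, "Y"),
    ("2024-05-01T10:02:00", "tok_C", "203.0.113.7", 2.00, "N"),
    ("2024-05-01T10:30:00", "tok_D", "198.51.100.4", 45.00, "Y"),
    ("2024-05-01T11:00:00", "tok_E", "198.51.100.9", 20.00, "Y"),
    ("2024-05-01T11:02:00", "tok_E", "198.51.100.9", 20.00, "Y"),
    ("2024-05-01T11:04:00", "tok_E", "198.51.100.9", 20.00, "Y"),
]

# Assumed thresholds; set them from your own normal processing activity.
WINDOW = timedelta(minutes=10)
LOW_AMOUNT = 5.00
MAX_CARDS_PER_IP = 3
MAX_TXNS_PER_CARD = 3

def flag_transactions(rows):
    """Return {row index: [reasons]} for transactions that warrant manual review."""
    txns = sorted(
        (datetime.fromisoformat(t), card, ip, amt, avs, i)
        for i, (t, card, ip, amt, avs) in enumerate(rows)
    )
    by_ip, by_card = defaultdict(list), defaultdict(list)
    flags = defaultdict(list)
    for ts, card, ip, amt, avs, i in txns:
        if avs == "N":  # billing address did not match the issuer's records
            flags[i].append("avs_mismatch")
        # Sliding window: drop events older than WINDOW, then add this one.
        recent_ip = [e for e in by_ip[ip] if ts - e[0] <= WINDOW]
        by_ip[ip] = recent_ip + [(ts, card, amt)]
        by_card[card] = [t for t in by_card[card] if ts - t <= WINDOW] + [ts]
        # Many different cards charged small amounts from one IP address.
        low_cards = {c for _, c, a in by_ip[ip] if a <= LOW_AMOUNT}
        if len(low_cards) >= MAX_CARDS_PER_IP:
            flags[i].append("ip_low_amount_many_cards")
        # Repeated transactions on one card over a short period.
        if len(by_card[card]) >= MAX_TXNS_PER_CARD:
            flags[i].append("card_velocity")
    return dict(flags)

if __name__ == "__main__":
    for idx, reasons in flag_transactions(SAMPLE).items():
        print(idx, SAMPLE[idx][1], reasons)
```

Only the flagged rows go on to the manual investigation stage; everything else passes without review.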
Processing in a CNP environment increases your risk for fraudulent transactions and requires a different level of due diligence because, unlike in card-present environments, you are unable to inspect the physical card for legitimacy, verify cardholder identity and tune into suspicious activity. Take advantage of automated fraud monitoring systems and manually investigate any suspicious activity. Comply with PCI data security standards and begin implementing a two-step fraud detection system to protect your organization from potential losses.