November 15, 2016
Some estimates suggest that fraud attacks on US online merchants rose 11% after the October 1, 2015, EMV liability shift. In absolute numbers, the value of fraudulent online transactions is expected to balloon from $10.7 billion last year to $25.6 billion in 2020.
It appears that the EMV transition had the effect it was expected to have: fraudsters have indeed turned their efforts towards weaker links such as CNP transactions, putting e-commerce under fire. There are, however, measures that can mitigate the risk of CNP payment fraud, which the Federal Reserve Bank of Boston laid out this Thursday in a report titled "Getting Ahead of the Curve: Assessing Card-Not-Present Fraud in the Mobile Payments Environment."
The study notes that enabling EMV chip card acceptance at the POS reduces card-present counterfeit fraud: a chip transaction is authenticated with a dynamic cryptogram, so card data captured at a terminal can no longer be turned into a usable counterfeit card. This, however, drives fraudsters towards the more vulnerable online and mobile CNP channels, whose authentication is weaker, at a time when consumers increasingly use mobile phones to make CNP purchases.
Below we review six recommendations from the bank that address different aspects of CNP fraud prevention. What stands out is that half of them insist on collaboration between the participants of the payments ecosystem, in the form of data sharing, sharing of best practices, and joint development of security standards.
M-commerce is mostly treated as an extension of the existing business, so security measures get standardized across channels without regard to what makes each channel different. Yet the risks of m-commerce differ from those of e-commerce because of the specifics of the mobile environment and the different set of factors that shape the m-commerce experience.
This calls for additional security approaches to prevent and manage mobile CNP fraud. For mobile-focused businesses it is critical to monitor fraud separately in their e-commerce and m-commerce channels and to apply mobile-specific fraud management tools that leverage the unique capabilities of mobile devices.
Channel-specific monitoring generates rich data on device-specific customer behavior and supports managing fraud holistically across all customer entry points. Businesses should also use the data collected by their fraud tools to build a profile of what a legitimate customer looks like versus a fraudulent one in the mobile CNP channel.
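To make the idea of channel-specific monitoring and a legitimate-versus-fraudulent customer profile concrete, here is an added example that is not from the report and not any vendor's product: a toy risk scorer in Python that learns each customer's known devices and typical amounts from confirmed-good transactions, then scores a new batch with signals that differ by channel (a rooted-device flag only the mobile app can report, a per-device velocity check, device-per-channel familiarity). All transactions, field names, weights and thresholds are constructed for illustration.

```python
"""Toy mobile/web CNP risk scorer. Added illustration: constructed data,
illustrative weights and thresholds, not the Boston Fed report's method."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional, Tuple

@dataclass
class Txn:
    txn_id: str
    customer: str
    channel: str                   # "web" or "mobile"
    device_id: str                 # stable identifier reported by the app or browser
    amount: float
    ip_country: str
    bill_country: str
    ts: int                        # Unix seconds
    rooted: Optional[bool] = None  # mobile only: app's OS-integrity check; None on web

@dataclass
class Profile:
    """What 'normal' looks like for one customer, learned from good history."""
    devices: set = field(default_factory=set)   # (channel, device_id) pairs
    amounts: list = field(default_factory=list)

def build_profiles(history: List[Txn]):
    profiles = defaultdict(Profile)
    for t in history:
        profiles[t.customer].devices.add((t.channel, t.device_id))
        profiles[t.customer].amounts.append(t.amount)
    return profiles

VELOCITY_WINDOW = 120  # seconds; a second txn from one device this fast is suspicious

def decide(score: int) -> str:
    return "decline" if score >= 60 else "review" if score >= 30 else "approve"

def score_batch(history: List[Txn], new_txns: List[Txn]) -> List[Tuple[str, int, str, List[str]]]:
    """Score new transactions in time order; returns (txn_id, score, decision, reasons)."""
    profiles = build_profiles(history)
    seen = defaultdict(list)  # device_id -> timestamps already scored in this batch
    results = []
    for t in sorted(new_txns, key=lambda x: x.ts):
        p = profiles.get(t.customer, Profile())
        s, why = 0, []
        if (t.channel, t.device_id) not in p.devices:
            s += 30; why.append("device never seen for this customer on this channel")
        if t.ip_country != t.bill_country:
            s += 20; why.append("IP country differs from billing country")
        if p.amounts and t.amount > 3 * mean(p.amounts):
            s += 25; why.append("amount exceeds 3x the customer's average")
        if t.channel == "mobile" and t.rooted:  # signal only the mobile app can report
            s += 15; why.append("rooted or jailbroken device")
        recent = [x for x in seen[t.device_id] if t.ts - x <= VELOCITY_WINDOW]
        if recent:
            s += 20; why.append(f"velocity: {len(recent) + 1} txns from device within {VELOCITY_WINDOW}s")
        seen[t.device_id] = recent + [t.ts]
        results.append((t.txn_id, s, decide(s), why))
    return results

# Constructed sample data: one customer, confirmed-good history, then a new batch.
HISTORY = [
    Txn("h1", "alice", "mobile", "ios-7f3a", 42.0, "US", "US", 1478000000, rooted=False),
    Txn("h2", "alice", "mobile", "ios-7f3a", 58.0, "US", "US", 1478100000, rooted=False),
    Txn("h3", "alice", "web",    "ff-9c21",  60.0, "US", "US", 1478200000),
]
NEW = [
    Txn("n1", "alice", "mobile", "ios-7f3a",  49.0, "US", "US", 1479000000, rooted=False),
    Txn("n2", "alice", "mobile", "and-0b44",  75.0, "RO", "US", 1479000300, rooted=True),
    Txn("n3", "alice", "web",    "ff-9c21",  180.0, "GB", "US", 1479000600),
    Txn("n4", "alice", "mobile", "and-0b44",  20.0, "RO", "US", 1479000360, rooted=True),
]

if __name__ == "__main__":
    for txn_id, s, verdict, why in score_batch(HISTORY, NEW):
        print(f"{txn_id}: {s:3d} {verdict:8s} {'; '.join(why)}")
```

The point of the example is the structure, not the numbers: the profile is keyed per channel, so a device that is familiar on the web is still "new" on mobile, and the rooted-device signal exists only because the mobile app can collect it, which is exactly the channel-specific data the recommendation asks merchants to exploit. In a real deployment the weights would be learned from labelled chargeback data and the reasons list fed back into the profile-building step.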
There is no silver bullet among security controls and methods; the most effective systems rely on a mix of them. Companies should analyze the available tools and choose those that best fit their CNP fraud strategy. The report points to NIST and FFIEC guidance, the 3-D Secure 2.0 specification and the related card network operating rules as useful references for that analysis.
Despite the migration of US payment cards from magstripes to chip cards, magstripes are still widely used. Customer habits are difficult to change, and a card that carries both a magstripe and a chip may still be swiped out of habit. The Federal Reserve Bank of Boston's experts therefore suggest eliminating the magstripe altogether, because a card that is swiped instead of dipped remains exposed to counterfeit card fraud: the static magstripe data can be skimmed and written onto a clone.
In the current CNP environment, many smaller e-commerce merchants have weak authentication controls, which gives fraudsters the opportunity to make purchases with stolen card numbers. There is also the risk that a stolen card number is provisioned into a mobile wallet and then used for fraudulent purchases.
"Overall, reducing potential vulnerabilities in other payment channels benefits the mobile channel as well, as they are all connected and used by consumers."
Collaborative efforts are known to have a positive effect on business growth and development. This also applies to the payments industry, where market participants recognize the need for more inclusive collaboration and information sharing to reduce payments fraud overall, and CNP fraud in particular.
Today, company-specific fraud data is shared almost exclusively with government agencies and industry associations. As a result, valuable data stays within a narrow circle of market participants, whereas cross-industry sharing could make the fight against fraud considerably more efficient.
In the retail payments environment, FIs often see fraud or suspicious activity faster than merchants because of the robust risk management tools and fraud monitoring systems they have to support compliance with financial services regulations. Financial institutions are also the primary point of contact by cardholders when fraudulent activity occurs.
For businesses to be able to boost their security capabilities, cross-industry data sharing is a necessary element of collaboration. The need for more effective information sharing expands beyond the CNP environment to the entire payments ecosystem. The broader industry needs to identify ways to improve the value and timeliness of fraud data that will also help the CNP environment. All stakeholders also have an obligation to support continuous customer education regarding secure mobile payment practices and should engage collaboratively in developing consistent materials and messaging.
Collaboration should go beyond sharing information to sharing the best practices identified through use case analysis. Risks experienced by one party in the payments ecosystem translate into risks for all the others, so fraud prevention best practices should be shared with mid-sized, small and micro m-commerce merchants and with third-party/non-bank mobile CNP solution providers.
Assessing the risks created across market participants can be difficult because of the inconsistency in how they evolve and operate. Hence every third-party relationship should be carefully evaluated before an agreement is executed, and re-evaluated on a recurring basis. Large e-commerce merchants and processors should recognize that sharing some of their best practices and their experience with different CNP fraud tools with smaller, less sophisticated or newer mobile/e-commerce businesses will benefit the entire CNP environment.
Knowledge sharing across the ecosystem can help reduce overall fraud and increase consumer confidence in making mobile and online purchases.
The major stakeholders should coordinate efforts to develop best practices targeted at the smaller m-commerce merchants, determine effective ways to reach out to them and communicate this information.
Issuers, merchants (POS and e-commerce), acquirers, card networks, processors, payment service providers (PSPs) and wallet service providers (WSPs) should collaborate and coordinate initiatives to identify where gaps exist in current proprietary and open standards and practices.
All members of the ecosystem should share their unique expertise to facilitate the enhancement of technology standards, as well as guidelines and best practices, to improve the security of mobile and e-commerce CNP payments, particularly in such areas as authentication, tokenization and encryption for data protection.