Combatting the ever-growing numbers of card and data breaches around the globe should be a top priority for every business accepting CNP (card not present) payments. Any ecommerce or MOTO merchant needs to choose a payments provider with excellent fraud prevention solutions to ensure that their customers’ data and assets are protected.
In certain cases, fraudsters holding stolen card data may make purchases on your website. As an unsuspecting merchant, you will deliver the product before the fraudsters open a dispute and request a reimbursement (chargeback). You may be left without the product and without payment. In addition, the payments provider or acquiring bank will learn about the fraud and may terminate your merchant account for breaching specific chargeback thresholds. You'll be put on a blacklist, meaning no chance of applying for a new merchant facility with other banks.
Losses in the billions
In Europe, losses due to fraud reached approximately 1.8 billion EUR in 2016. The UK experienced the highest losses for a single country: the total loss was 646 million EUR in 2015, rising to 703 million in 2016. The UK and France alone contribute almost 75% of all card fraud in Europe.
Rising fraud trends
Based on data from Euromonitor International and the UK Cards Association, the card fraud losses across 19 European countries show that CNP (card not present) fraud increased from 50% of all fraud losses in 2008, to 70% in 2016.
European Fraud Map (fico.com)
Card Fraud in the UK (2017 FFA UK)
The CVV is a 3-digit code printed on the back of cards, and was one of the first security measures introduced with the rise of fraud in online payments. Payment Card Industry (PCI) compliance standards do not allow merchants to store CVV codes, so if card data is stolen from a merchant, these codes will not be obtained by the fraudsters. The payment gateway will not accept a payment when the CVV code is missing, as without it there is a high possibility of the transaction being fraudulent.
Verified by Visa and Mastercard SecureCode are essentially identical services for each card company. The process by which they function is known as 3D Secure and involves a redirect to the cardholder's issuing bank website during the checkout process. At this point a special password needs to be entered. This is usually a PIN generated by a card reader, or a code sent by SMS. This extra security measure adds another essential safety net in protecting merchants’ customers.
Although seemingly obvious, the required entry of a card’s expiry date is still an important tool to verify the card. Typically, the card issuers set an expiry date of up to 3 years. If the transaction request - received online or via phone order - contains an invalid month and/or year, the card issuer will not approve the transaction and it will not be successfully processed by the payment gateway.
An Address Verification Service (AVS) is used to verify the address and postcode, as entered by the shopper, against the proof of address that the card issuer has (the address to which card statements are sent). If there is no match, or only a partial match, it may indicate that the shopper is not the actual cardholder. In Europe, AVS is only widely supported within the UK.
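The checks described above, sketched as one screening step before a payment is handed to 3D Secure (an added example, not code from the original article or from any payment provider). The field names, decision labels and digits-only address comparison are assumptions; in practice the issuer performs the AVS comparison and the gateway returns its result.

```python
import re
from datetime import date

def expiry_valid(expiry, today):
    """MM/YY check; a card is usable through the last day of its expiry month."""
    m = re.fullmatch(r"(\d{2})/(\d{2})", expiry or "")
    if not m:
        return False
    month, year = int(m.group(1)), 2000 + int(m.group(2))
    return 1 <= month <= 12 and (year, month) >= (today.year, today.month)

def _digits(text):
    return re.sub(r"\D", "", text or "")

def avs_match(entered, on_file):
    """Return 'full', 'partial' or 'none'. Assumption: only digits are compared."""
    addr = _digits(entered["address"]) == _digits(on_file["address"])
    post = _digits(entered["postcode"]) == _digits(on_file["postcode"])
    return "full" if addr and post else "partial" if addr or post else "none"

def screen(request, on_file, today):
    """Return (decision, audit_record). The CVV is checked and then dropped."""
    reasons = []
    if not re.fullmatch(r"\d{3,4}", request.get("cvv") or ""):
        reasons.append("cvv_missing")
    if not expiry_valid(request.get("expiry"), today):
        reasons.append("expiry_invalid")
    avs = avs_match(request, on_file)
    if avs != "full":
        reasons.append("avs_" + avs)
    if "cvv_missing" in reasons or "expiry_invalid" in reasons:
        decision = "decline"          # the gateway or issuer would reject these
    elif avs != "full":
        decision = "review"           # shopper may not be the cardholder
    else:
        decision = "send_to_3ds"      # continue to the issuer's 3D Secure step
    # The audit record deliberately excludes the CVV (PCI: never store it).
    audit = {"pan_last4": request["pan"][-4:], "decision": decision,
             "reasons": reasons}
    return decision, audit

# Constructed sample data (test card number, made-up address).
TODAY = date(2017, 6, 30)
ON_FILE = {"address": "12 High Street", "postcode": "AB1 2CD"}
GOOD = {"pan": "4111111111111111", "cvv": "123", "expiry": "06/17",
        "address": "Flat 12, High St", "postcode": "ab12cd"}
```

A card expiring in the current month still passes, and an AVS mismatch routes the order to manual review rather than an automatic decline.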