Newest Ways To Detect CNP Fraud
The shift to EMV technology isn't just affecting payments in stores. Because fraud in stores is getting harder, many people expect an increase in card-not-present (CNP) fraud. We've already talked about how business owners can avoid fraudulent purchases for the present moment. But don't get too attached: new, supposedly more secure methods are just around the corner.
We’re aware of how difficult it is to keep up with ever-changing technology, so we’ve got you covered. Here’s the security technology you’ll be hearing about in the next few years.
3D Secure is being employed by multiple banks, but the clear leaders are Mastercard's SecureCode and Visa's Verified by Visa. The name refers to the three-domain model: the acquirer domain (the merchant and its bank), the issuer domain (the cardholder's bank) and the interoperability domain (the card network infrastructure the other two domains use to talk to each other).
3D Secure adds an extra security step during checkout, courtesy of the card issuer. A merchant-side plug-in checks whether the card is enrolled with a participating bank and, when it is, opens a pop-up window asking the customer to enter a pre-set password to verify their identity. This does two things. First, a potential fraudster needs to know another, hard to collect, piece of information to charge the card. Second, because the pop-up is served by the issuer, the bank gets to see the customer's connection directly, for example to check whether it comes through a proxy. Best of all, liability shifts: the issuer generally covers the cost of any fraudulent purchases that make it through the 3D Secure system.
Sounds like a good deal, right?
Well, 3D Secure has been around for a while, and most people in the United States have never heard of it. There's a reason for that: online retailers have been slow to adopt the programs because of badly thought-out technology and poor customer education.
The most obvious problem is that 3D Secure technology confuses customers. A lot. Pop-up windows, historically, have not been used for good purposes. Naturally, users are going to be suspicious when they find one asking for some sort of banking password and other personal information. Worse, from a merchant's perspective, some customers are so confused that they abandon their purchase altogether.
The technology has also been criticized for asking customers to create passwords at inconvenient times (a customer who just wants to buy their stuff is not prepared to choose a secure password), making it too easy to reset forgotten passwords, violating users' privacy by letting third parties see their transactions, leaving obvious vulnerabilities in the software, and pushing liability for disputed charges onto customers.
Obviously, 3D secure systems still have a ways to go. Nonetheless, 3D secure is already starting to be adopted by many ecommerce websites, and, for the most part, the technology is doing its job. Meanwhile, the makers are aware of the need for fraud-proof technology, and are working on making these programs more user-friendly and secure.
Hey, remember how I just said issuers are working on making 3D Secure technology more secure? Mastercard's Chip Authentication Program (CAP) and Visa's Dynamic Passcode Authentication (DPA) programs are part of their solution.
CAP/DPA is basically EMV for online transactions. The idea is that banks issue a small hand-held EMV reader called a CAP reader (a smartphone app may be in the works too). To authenticate, the customer inserts their chip card and enters their PIN, and the reader generates a one-time passcode. Although this was developed primarily for online banking, issuers have recognized that it can be integrated with 3D Secure: the one-time passcode can replace the static password in 3D Secure's pop-up.
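To make the card-plus-PIN, one-time-passcode idea concrete, here is an added example (not Mastercard's or Visa's code, and not the real CAP/DPA specification, which derives its passcode from an EMV application cryptogram and has the chip itself check the PIN). It models the three parties of a CAP-backed 3D Secure checkout: the issuer shows a challenge in its pop-up, the card in the reader turns challenge plus PIN into a short code, and the issuer verifies it. The card number, PIN and key are constructed test values; the MAC-based code derivation is an assumption chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Added example: a simplified model of a CAP/DPA-style reader, not the real
# protocol. PAN, PIN and card key below are constructed values.


def passcode_from_mac(key: bytes, counter: int, challenge: str, digits: int = 8) -> str:
    """Derive a short numeric passcode from a MAC over (counter, challenge).

    The counter makes every code different even for a repeated challenge; the
    challenge ties the code to one login or one 3D Secure purchase.
    """
    msg = counter.to_bytes(4, "big") + challenge.encode("ascii")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                  # HOTP-style truncation
    num = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)


class ChipCard:
    """The card inserted into the hand-held reader. The key never leaves it."""

    def __init__(self, pan: str, key: bytes, pin: str) -> None:
        self.pan = pan
        self._key = key
        self._pin = pin
        self.counter = 0               # application transaction counter
        self.pin_tries_left = 3

    def respond(self, pin: str, challenge: str) -> Optional[Tuple[int, str]]:
        """Check the PIN, bump the counter and return (counter, passcode)."""
        if self.pin_tries_left == 0:
            return None                                      # card is locked
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_tries_left -= 1
            return None
        self.pin_tries_left = 3
        self.counter += 1
        return self.counter, passcode_from_mac(self._key, self.counter, challenge)


class Issuer:
    """The issuing bank: holds a copy of each card key and the last counter seen."""

    def __init__(self) -> None:
        self._cards: Dict[str, List] = {}      # pan -> [key, last_counter]
        self._pending: Dict[str, str] = {}     # pan -> challenge shown in the pop-up

    def enroll(self, pan: str, key: bytes) -> None:
        self._cards[pan] = [key, 0]

    def new_challenge(self, pan: str) -> str:
        challenge = str(secrets.randbelow(10 ** 8)).zfill(8)
        self._pending[pan] = challenge
        return challenge

    def verify(self, pan: str, response: Optional[Tuple[int, str]]) -> bool:
        if response is None or pan not in self._cards or pan not in self._pending:
            return False
        challenge = self._pending.pop(pan)                   # challenges are single use
        counter, code = response
        key, last_counter = self._cards[pan]
        if counter <= last_counter:
            return False                                     # replayed or stale response
        if not hmac.compare_digest(passcode_from_mac(key, counter, challenge), code):
            return False
        self._cards[pan][1] = counter
        return True


def run_scenarios() -> dict:
    """One honest checkout, then the failure modes the reader is meant to stop."""
    key = secrets.token_bytes(16)
    card = ChipCard("4111111111111111", key, "1234")         # constructed values
    issuer = Issuer()
    issuer.enroll(card.pan, key)
    results = {}

    # 1. Genuine checkout: the pop-up shows a challenge, the cardholder types it in.
    challenge = issuer.new_challenge(card.pan)
    response = card.respond("1234", challenge)
    results["genuine"] = issuer.verify(card.pan, response)

    # 2. Replay: a phished (counter, code) pair presented for a fresh challenge.
    issuer.new_challenge(card.pan)
    results["replay"] = issuer.verify(card.pan, response)

    # 3. A code generated for one purchase's challenge used for a different one.
    response_a = card.respond("1234", issuer.new_challenge(card.pan))
    issuer.new_challenge(card.pan)
    results["wrong_challenge"] = issuer.verify(card.pan, response_a)

    # 4. Stolen card details without the PIN: the reader refuses, then locks the card.
    challenge = issuer.new_challenge(card.pan)
    results["wrong_pin"] = issuer.verify(card.pan, card.respond("0000", challenge))
    card.respond("0000", challenge)
    card.respond("0000", challenge)
    results["locked"] = card.respond("1234", challenge) is None
    return results
```

The two properties that matter for CNP fraud are visible in `verify`: a passcode is only accepted once (the counter must move forward and the challenge is consumed), and it only works for the purchase whose challenge it was computed from. Neither a stolen card number nor a phished passcode is enough on its own.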
Issuers have already started rolling out CAP readers in the UK for online banking and, unsurprisingly, the technology wasn't quite up to snuff. The UK CAP readers are cheaply made and have design weaknesses that fraudsters could potentially exploit in several different ways.
The other obvious problem: in America, we don't have chip-and-PIN cards yet. No PIN means no second factor to verify the user, and that's not very secure at all. However, because CAP/DPA essentially brings EMV, a technology that has already proven very secure in stores, to CNP transactions, in theory it is a very viable option for reducing fraud online. The technology just isn't there yet, either in the CAP reader or in Americans' credit cards.
We’re going to have to wait a few years for this one, guys.
On the other hand, tokenization is a form of security that you can implement right now (and the payment card industry encourages you to). While it won't help you root out fraudulent transactions, it will limit the damage from a data breach. If you don't use it already, this is one you'll definitely want to consider, since Mastercard, Visa and American Express have announced their intention to make tokenization a global standard online and in-store. Let's be honest: soon, you probably won't be able to ignore it.
You've probably heard of encryption, and you've probably heard of tokenization, but I wouldn't be surprised if you didn't know the difference. Here it is: encryption works like a secret code. You use a key to encrypt and decrypt the data. Anybody who gets hold of the encrypted data without the key will just see a mess of characters. It works really well... unless the interceptor also gets the key, in which case the encryption is useless, and keys do get stolen. Tokenization, on the other hand, replaces the card number with a randomly generated stand-in that has no mathematical connection to the original. The only way back is a lookup table (the token vault) held by the token service provider, which never sits on the merchant's systems. There is no master key whose theft would reverse every token at once.
In principle, once a customer enters their credit card number and verifies their identity (perhaps through a process employing 3D Secure), their credit card number is replaced with a token sent from the payment processor. The whole thing works the same way poker chips do: when you, the merchant, talk to the money providers down the line, everybody can treat that number as if it were the customer's real card number, because everybody knows the token stands for that particular customer and that particular transaction. But like a poker chip, outside of that particular transaction the token won't work anymore. There's no need to store customers' real credit card numbers at all, and because each transaction has its own token, the data is essentially useless to any fraudster who steals it.
Obviously, tokenization is not a perfect solution. There are still moments when the customer's real card data has to be entered and transmitted (so you can't drop your other encryption), the customer's identity still has to be verified in the first place, and tokenization won't protect against account takeover.
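The poker-chip behaviour described above, as an added example that is not code from any card network or processor: a minimal token vault of the kind a payment processor would run, with the merchant holding only the token. The merchant IDs, order IDs and card number are constructed values, and the token format (random digits with the real last four kept) is one common design choice, assumed here for illustration. The PAN is entered exactly once, at `tokenize`, which is the moment the caveat above refers to.

```python
import secrets
from typing import Dict, Optional

# Added example, not a real processor's vault. Card number, merchant and
# order identifiers are constructed test values.


def luhn_valid(number: str) -> bool:
    """Mod-10 check-digit test that every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenRecord:
    def __init__(self, pan: str, merchant_id: str, txn_id: str) -> None:
        self.pan = pan
        self.merchant_id = merchant_id
        self.txn_id = txn_id
        self.redeemed = False


class TokenVault:
    """The processor's vault: the only place a token can be turned back into a PAN.

    Tokens are random, so a stolen token table says nothing about the PANs, and
    there is no key whose loss would undo the mapping, only this lookup table.
    """

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, merchant_id: str, txn_id: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        while True:
            # Format-preserving: same length, real last four kept so receipts and
            # customer service still work; the leading digits are random, not derived.
            token = "".join(secrets.choice("0123456789") for _ in pan[:-4]) + pan[-4:]
            if token not in self._records and token != pan:
                break
        self._records[token] = TokenRecord(pan, merchant_id, txn_id)
        return token

    def detokenize(self, token: str, merchant_id: str, txn_id: str) -> Optional[str]:
        """Hand the PAN back only to the merchant and transaction the token was issued for, once."""
        rec = self._records.get(token)
        if rec is None or rec.merchant_id != merchant_id or rec.txn_id != txn_id:
            return None
        if rec.redeemed:
            return None                      # this poker chip has already been cashed
        rec.redeemed = True
        return rec.pan


def run_checkout() -> dict:
    vault = TokenVault()
    pan = "4111111111111111"                 # constructed test PAN
    token = vault.tokenize(pan, merchant_id="shop-42", txn_id="order-1001")
    merchant_db = {"order-1001": token}      # the merchant stores only the token

    results = {}
    results["looks_like_card"] = len(token) == 16 and token.endswith("1111")
    results["no_pan_stored"] = pan not in merchant_db.values()
    # Settlement: the one legitimate redemption by the right merchant succeeds.
    results["settle"] = vault.detokenize(merchant_db["order-1001"], "shop-42", "order-1001") == pan
    # A breach of the merchant database hands an attacker the token; it will not
    # work a second time, for another order, or for another merchant.
    results["reuse"] = vault.detokenize(token, "shop-42", "order-1001")
    results["other_order"] = vault.detokenize(token, "shop-42", "order-1002")
    results["other_merchant"] = vault.detokenize(token, "evil-shop", "order-1001")
    return results
```

Notice what the merchant never has: the PAN after `tokenize` returns, and any key or function that would recover it. Contrast that with encryption, where the merchant (or whoever holds the key) can always decrypt.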
So What’s the Point?
That's why we're talking about multiple forms of security: none of them is 100% effective by itself. In theory, they work together. 3D Secure verifies the cardholder at checkout, CAP/DPA protects against phishing and account takeover by requiring the physical card and PIN, and tokenization protects against stored card data being stolen.
There will never be one foolproof way to end fraud. We will never be able to make a completely hack-proof system. But maybe, by employing a few different, very secure methods, we can get close. Although those methods haven't quite arrived yet, they're looking promising.