Understanding & Avoiding CNP Fraud

As we trundle ever-closer to total chip-card domination, the experts are predicting that – as happened in other countries who adopted EMV technology – the majority of fraud is going to migrate away from counterfeit and stolen cards, and towards the easier target: card-not-present (CNP) fraud.

As usual, for business owners, this is a good news/bad news sort of thing. The bad news? Unlike card-present fraud, in which the issuer generally picks up the liability for fraudulent costs, merchants are usually responsible for any CNP fraud. Since this type of fraud is already the largest way merchants lose money, the idea that CNP fraud is going to become an even larger problem is a bit daunting.

But here’s the good news: there are some relatively easy steps you can take to avoid the majority of CNP fraud.

Internet Fraud 101

We all know that the internet is rife with tricks and scams, but you might not know all of them. Let’s go over the basics, and then talk about what your business can to do avoid being liable for their fraud.

Phishing Attempts: The fraudsters will send out fake emails or set up fake websites that look legitimate in an attempt to get people to enter sensitive information such as credit card numbers. These emails might also contain malware…

Malware: Software designed to work in the background and spy on the user in order to collect sensitive information, or just really screw up their computer.

Account Takeover: A form of identity theft in which the fraudster gathers information about their victim, then use that information to take over the victim’s credit card/merchant accounts, change their passwords and billing address, etc.

Application Fraud: Much like in account takeover, the fraudster will use information gathered about their victim to open accounts in the victim’s name.

Credit Card Generators: This is what it sounds like: a fraudster will use a generator to create fake credit card numbers. This one is easy to combat if you employ at least a couple methods of verification.

Friendly Fraud: This form of fraud (also known as chargeback fraud) has been on the rise recently. After ordering and receiving the goods, a fraudster will request a refund claiming that they never got their order, it was damaged, or the order was supposed to be canceled. These claims are very difficult to combat because often merchants do not have the documentation to prove the fraudster wrong.

How to Protect Your Business

Maintain PCI standards (even if you aren’t being held accountable): PCI DSS (Payment Card Industry Data Standards) is a set of standards designed to reduce card fraud. These standards largely include common-sense ideas: maintain a firewall, set all passwords to something unique, regularly update and run anti-virus software, encrypt or tokenize all sensitive stored and transmitted data, restrict access of customer data to only those who need to see it, etc. Check out the PCI Standards Council website and this reference guide for more information about their standards. This one might not help you avoid CNP fraud as much as it will help you avoid data breaches. Nobody wants data breaches.

Use an Address Verification Service (AVS): This service compares the billing address entered by the customer to the address on file with their credit card issuer. The service will flag any orders where the addresses don’t match or only partially match, and it’s up to you to decide if you want to risk accepting the order. AVS is good protection against card information obtained though means like phishing and malware because the fraudster might not know the billing address. The downside: AVS only works in the United States.

Check the Issuer Identification Number (IIN): The first six numbers of the credit card number is called the IIN (previously known as the BIN–Bank Identification Number). This number is like the international AVS–you can ensure that the information on the IIN (such as the country) matches the information provided to you on the order.

Security Code Verification: By requesting the three or four digit security code on the back of a credit card, you add another piece of information that fraudsters have to collect in order to pass off as a legitimate customer.

Email Verification: If you send a message to the email address provided by the customer requesting that the customer verify the email address is correct, you can ensure that the email is associated with the other information provided.

Use a 3D Secure Service: These services, such as Mastercard SecureCode and Verified by Visa use plugins on your website to verify the identity of the cardholder. Customers who have cards held by participating banks will be asked to enter a password verifying their identity before they make their purchase. Bonus: the liability of any fraudulent charges that get through the 3D service is picked up by the issuer, not the merchant.

Take a Look at Suspicious Orders: Somebody quietly put in an order for a large amount of expensive goods? And they want priority shipping? And they want them shipped to a foreign country? Sounds suspicious to me! Maybe you should look into that a bit further. Check out this link to learn more about what suspicious orders look like and what you can do about them.

Maintain Extensive Records of your Transactions: The more information you have, the more difficult it is for customers to claim fraudulent refunds. Just make sure you only keep sensitive information that’s absolutely necessary. Also…

Send out Confirmation Emails: This step also makes it more difficult for fraudsters to cry chargeback. They can’t claim they weren’t informed, and email leaves a paper trail.

Practice Good Customer Service: Frustrated customers who can’t get in touch with your business are more likely to ask for refunds on their products rather than attempting to solve the problem in a way that’s more agreeable to you.

Don’t assume CNP fraud is somebody else’s problem. In all likelihood, you’ll lose the most if your business is hit with fraudulent purchases. But here’s some more good news: since we know CNP fraud is on the rise, people are already developing new ways to combat this problem. It’s only going to get easier from here on out.