Migration to EMV has migrated the card fraudsters online
EMV standards have helped reduce fraudulent transactions considerably, but this has forced fraudsters to move to the online world. In the year 2016, fraud in the online space has increased 30% [Source: Radial’s eCommerce Fraud Technology Lab]. Also, in the first quarter of 2017, it is reported that credit card testing has increased by 200%.
Credit card testing actually is the bigger problem – this allows criminals to figure out which stolen credit cards are still active to process their fraudulent transactions. The biggest online frauds in 2016 happened in entertainment, jewelry, entertainment and sporting goods, which can be easily resold. Most merchants operate in the less secure Card-not-present environment and they are susceptible to high value credit card frauds.
How does this work?
Fraudsters buy stolen credit credit numbers in thousands from sources on the dark web. The first thing that they do after that is to figure out the cards that are active by running credit card teting, as the window of opportunity that they have is only a short duration, before the customers block their cards.
Many fraudsters invest in high-end server farms and hire skilled developers to automate the credit card testing payment process. These scripts can attempt large numbers of small value transactions on thousands of accounts in a quick blitz and track the active cards. Those active cards are then used to make high-value purchases.
How does the merchant get affected?
If the merchants don’t run a fraud prevention program, then they would become liable for high-value transacations, which the customers will contest later. However, if they are overly aggressive on their fraud prevention program, then they run the risk of rejecting legitimate transactions. The moment, legitimate transactions are rejected, the brand value gets hit through word-of-mouth pubicity by dissatisfied customers.
This combination is deadly for merchants and they need to figure a way to reduce customer friction, while at the same time be able to prevent frauds and chargebacks from customers.
What can the merchant do?
The merchant should have means to check if card testing is happening in their environment. That means that the security system should be tuned to identify patterns and identify problems that can be flagged for human intervention. Some of the things that they ought to look forward include – small value transactions, large number of transactions in short duration of time, many transactions from different payment brands, and unusally large number authorization failures. This would reduce fraud considerably.
However, you can use easier and simpler ways to prevent this testing by requesting users to fill the Captcha box without creating friction in the sales process. Also, you can opt for 2-factor authentication as they do in India for all card-not-present transactions, where an OTP is sent to the registered mobile number or typing the pre-defined card verification password. There are reports that the OTP can also be spoofed by sophisticated fraudsters. In order to counter this, payment brands are now starting to implement biometric based secondary authentication to pass the transactions.
In order to protect Card-not-present (CNP) transactions, Visa came up with 3DS 1.0 specifications. Though it sorted out problems for merchants as far as the web transactions were concerned but there was no support for mobile transaction in 3DS 1.0 version. Additionally, it added a lot of friction for the customers during their checkout process.
In order to iron out the challenges faced by customers as well as merchants in 3DS 1.0, EMVCo came up with 3DS 2.0 that allowed transactions to be performed both on the web as well as the mobile interface. It also provided a number of options for frictionless authentication and transaction for customers in the form of biometric or one-time passwords. 3DS 2.0 is becoming a global standard, which would allow cards from all payment brands to be authenticated easily by merchants.