Canadian e-commerce has reached another milestone. According to Insider Intelligence, e-commerce sales will exceed $100 billion in 2022. Businesses of all sizes are competing for some of that revenue, from large e-commerce enterprises and big box stores to small and medium-sized businesses (SMBs). Unfortunately, companies that enter the e-commerce arena will have to contend with more than competition: they also face the risk of losses from online payment fraud.
One of the most difficult challenges to overcome with online fraud is the diverse forms it can take. Fraud actors can steal physical credit cards and use them online. Actors also hack databases and compile data necessary to use accounts in sophisticated fraud schemes, or steal a consumer’s identity and open accounts to use online. Additionally, credit card holders themselves may commit chargeback fraud, demanding a refund from the credit card company but keeping the merchandise they’ve received.
Compounding the issue even more is the fact that online merchants have little visibility into who’s initiating an online transaction. At first blush, it may seem like the cardholder is the purchaser, but it may actually be a fraud actor with ill-gotten information necessary to authenticate the transaction. Furthermore, an e-commerce merchant may not know if that person just made 100 purchases with different credit cards from the device they’re using.
Solutions for Mitigating Online Fraud
The payments industry is fighting back against these types of activities. One familiar way is to require the card verification value (CVV or CVV2) or card identification (CID) number when a consumer makes a card-not-present purchase. This mechanism is very effective at preventing misuse of cardholder data stolen by skimmers, because the CVV or CID is not included in the "Track Data" that can be read from the magnetic stripe or the EMV chip of a card.
Unfortunately, if the fraudster is in possession of a stolen credit card, they would have access to the CVV or CID that is printed on the back or front of the card.
Another means used to bypass this control is through the use of a keylogger in malware on a consumer’s computer or mobile device that captures that number along with account numbers when victims are performing e-commerce transactions. One solution to this class of attack is to employ a system of dynamic card verification, for example, with an app that enables the consumer to request a one-time-use passcode. A fraud actor wouldn’t have the app to request the code, and a keylogger would not be able to steal information that a hacker could use (or sell on the black market) for a future purchase.
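The property described above, one-time use plus a short lifetime, is what makes a keylogged code worthless for a later purchase. The following is an added example, not code from the article or from any card scheme; the class name, card token, three-digit code length and 120-second lifetime are all assumptions made for illustration.

```python
import hmac
import secrets

CODE_TTL_SECONDS = 120  # assumed lifetime of a requested passcode


class DynamicCodeIssuer:
    """Issuer-side store of one-time card verification codes (hypothetical)."""

    def __init__(self):
        self._pending = {}  # card token -> (code, expiry timestamp)

    def request_code(self, card_token: str, now: int) -> str:
        """Called via the cardholder's app; replaces any earlier pending code."""
        code = f"{secrets.randbelow(1000):03d}"
        self._pending[card_token] = (code, now + CODE_TTL_SECONDS)
        return code

    def verify(self, card_token: str, submitted: str, now: int) -> bool:
        """Accept a code once, before expiry; any attempt consumes it."""
        entry = self._pending.pop(card_token, None)
        if entry is None:
            return False
        code, expiry = entry
        return now <= expiry and hmac.compare_digest(code, submitted)


def replay_demo() -> dict:
    """Constructed scenario: a keylogger records the code typed at checkout."""
    issuer = DynamicCodeIssuer()
    card = "tok_constructed_0001"  # constructed card token
    typed = issuer.request_code(card, now=1_000)
    captured = typed  # the value the keylogger recorded
    results = {
        "cardholder_purchase": issuer.verify(card, typed, now=1_030),
        "replay_same_code": issuer.verify(card, captured, now=1_040),
    }
    stale = issuer.request_code(card, now=2_000)
    expired_at = 2_000 + CODE_TTL_SECONDS + 1
    results["expired_code"] = issuer.verify(card, stale, now=expired_at)
    return results
```

Because every verification attempt consumes the pending code, a wrong guess also invalidates it, which limits guessing against a short code to one try per issued code.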
Taking Online Fraud Prevention to the Next Level
Some card brands, banks and payment processors are implementing 3-D Secure for stronger protection against online fraud. The current specification of this security protocol, 3-D Secure 2.0, developed by EMVCo in partnership with Visa, Mastercard, JCB & American Express, moves authentication to the background for more frictionless transactions for consumers – and more data for the payment chain.
For example, 3-D Secure compliant implementations can confirm cardholder data is typically used with a particular device or access information on the consumer or transactions made from that device. The system can also inform a merchant if there’s been a large volume of transactions drawing from one account or notify a merchant that the user has attempted to make purchases using different credit cards from the same device. If 3-D Secure flags a transaction as suspicious, the issuing bank can send a challenge for additional authentication before approving the transaction.
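The two signals mentioned above, many different cards used from one device and a large volume of transactions on one account, can be expressed as sliding-window velocity checks. This is an added, simplified illustration and not logic from the 3-D Secure specification or any issuer; the thresholds, window, field names and sample transactions are assumptions constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600        # assumed look-back window
MAX_CARDS_PER_DEVICE = 3     # assumed threshold
MAX_TXNS_PER_CARD = 5        # assumed threshold


def score_transactions(txns):
    """Return {txn_id: [reasons]} for transactions that warrant a challenge.

    txns: iterable of (txn_id, timestamp, device_id, card_token), time-ordered.
    """
    by_device = defaultdict(deque)   # device -> recent (timestamp, card)
    by_card = defaultdict(deque)     # card -> recent timestamps
    flagged = {}
    for txn_id, ts, device, card in txns:
        dev_hist, card_hist = by_device[device], by_card[card]
        dev_hist.append((ts, card))
        card_hist.append(ts)
        # Drop events that have aged out of the sliding window.
        while dev_hist[0][0] <= ts - WINDOW_SECONDS:
            dev_hist.popleft()
        while card_hist[0] <= ts - WINDOW_SECONDS:
            card_hist.popleft()
        reasons = []
        if len({c for _, c in dev_hist}) > MAX_CARDS_PER_DEVICE:
            reasons.append("many_cards_on_device")
        if len(card_hist) > MAX_TXNS_PER_CARD:
            reasons.append("high_volume_on_card")
        if reasons:
            flagged[txn_id] = reasons
    return flagged


def sample_transactions():
    """Constructed data: a normal shopper, a many-card device, a busy card."""
    txns = [("n1", 0, "dev-home", "card-A"), ("n2", 5000, "dev-home", "card-A")]
    txns += [(f"t{i}", 100 + 60 * i, "dev-x", f"card-T{i}") for i in range(5)]
    txns += [(f"v{i}", 200 + 30 * i, f"dev-v{i}", "card-V") for i in range(7)]
    return sorted(txns, key=lambda t: t[1])
```

In a risk-based flow, the flagged transactions are the ones an issuer would route to a challenge while the rest proceed without interruption.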
A Visa study found that the technology is user-friendly while decreasing fraud. Fewer than 5 percent of transactions required additional verification, and the remainder proceeded quickly and without interruption.
There is a cost associated with 3-D Secure; however, merchants may find the ROI, both in a decrease in online fraud and the time savings from fewer cases to investigate, is well worth the fee.
FIDO Offers Alternative to Password Protections for E-Commerce Portals
While card verification values and 3-D Secure offer protections to online credit card transactions, consumers still face risks across the many e-commerce portals they use. A big challenge for many is how to remember all of those passwords. To overcome this challenge, it is common for users to use the same password in every one of their e-commerce portals. This creates a tremendous risk; if a fraudster can acquire or determine a password for one e-commerce system, they will attempt to use the same password in other e-commerce systems.
A solution gaining momentum to counteract this sort of threat is an open-source system from the Fast Identity Online (FIDO) Alliance. FIDO Authentication standards are based on public key cryptography that replaces passwords. The solution is more secure than an SMS one-time password, and it’s simpler for consumers. While FIDO’s focus extends beyond payments to website and application logins, FIDO can work with other systems, such as 3-D Secure, to authenticate the cardholder’s identity.
Do You Have the Right Online Fraud Prevention?
As merchants and their payments solutions providers plan for the future, they need to ensure they’re working with payment gateways and processors that understand online fraud’s impact on e-Commerce businesses and support solutions to mitigate its risk.
The smart strategy is to work with a company with modern infrastructure, a platform that extends to enable the full range of payment methods, and support for solutions that combat the threat of online fraud.
If you are looking to learn more about how Ingenico combats fraud in the payments industry, get in touch with us.
Steven Bowles is the Regional Security Officer for Ingenico