According to Fraud – The Facts 2020, a review from UK Finance, the official body for the banking and finance industry, while advanced security systems put in place by the financial world prevented £1.8 billion of ‘unauthorised fraud’ in 2019, criminals nevertheless managed to steal more than £1.2bn through various frauds and scams.
Card-not-present (CNP) fraud is committed through the abuse of credit and debit cards where the cardholder is generally not physically present when a purchase is put through, whether by phone, mail order, web, email or fax, and the risk is very apparent. The problem is compounded – for which read ‘passed back to retailers’ – because CNP transactions are not protected by chip and PIN, so retailers cannot check that a card is genuine and that a cardholder’s identity hasn’t been abused. UK Finance puts the value of losses from fraud on UK-issued cards at £620.6 million in 2019 – an 8 per cent decrease from £671.4m in 2018.
When making a sale, there are several ways for a card payment to be taken – either electronically using chip and PIN, a card swipe or contactless such as a card tap, via a keyed entry made by the retailer or remote entry by the customer. CNP payments are also known as ‘keyed entry’, even where a retailer has the card physically in front of them. Payments via the likes of Google Pay, Apple Pay and Samsung Pay are all made using mobile wallets and are considered to be card-present transactions when contactless card terminals are used. However, they are classed as CNP where there is no contactless transaction.
There are some tell-tale signs of potential fraud that retailers can and should look out for.
First, check orders that appear out of the ordinary: goods which don’t fit together or values that are higher than normal, especially if they are easily resalable. In situations such as these, the fraudster is looking to mine the card before it is reported and blocked. Next are ‘customers’ that have tried a number of cards that have been declined before one is accepted. They may be cycling through a number of stolen cards until one works.
Then consider whether a fraudster has asked for someone else to collect goods – in person or via courier. Here, the fraudster is clearly aiming to stay anonymous and in the shadows. It’s also important to look at where the card is registered and where the goods are to be shipped to. If in doubt, contact the customer for a suitable explanation – and if necessary, cancel the sale.
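The tell-tale signs above can be turned into a simple screen that queues orders for manual review. This is an added example, not code from UK Finance or any payment provider; the field names, thresholds and sample orders are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed thresholds; tune them to the shop's own order history.
HIGH_VALUE_MULTIPLE = 3.0  # order total compared with the typical order value
MAX_DECLINED_CARDS = 2     # distinct declined cards that trigger a flag


@dataclass
class Order:
    total: float
    resalable: bool               # goods that are easily resold
    billing_country: str          # where the card is registered
    shipping_country: str         # where the goods are to be shipped
    third_party_collection: bool  # someone else collects, in person or by courier
    attempts: list = field(default_factory=list)  # (card_last4, result) pairs


def review_flags(order: Order, typical_total: float) -> list:
    """Return the tell-tale signs present on an order, for manual review."""
    flags = []
    if order.total > HIGH_VALUE_MULTIPLE * typical_total:
        flags.append("high_value_resalable" if order.resalable else "high_value")
    # Count distinct cards, so one card retried after a typo is not flagged.
    declined = {card for card, result in order.attempts if result == "declined"}
    if len(declined) >= MAX_DECLINED_CARDS:
        flags.append("multiple_declined_cards")
    if order.third_party_collection:
        flags.append("third_party_collection")
    if order.billing_country != order.shipping_country:
        flags.append("billing_shipping_mismatch")
    return flags


# Constructed sample orders (not real data).
ROUTINE = Order(45.0, False, "GB", "GB", False, [("1111", "accepted")])
SUSPECT = Order(
    1800.0, True, "GB", "US", True,
    [("2222", "declined"), ("3333", "declined"), ("4444", "accepted")],
)

if __name__ == "__main__":
    for name, order in (("routine", ROUTINE), ("suspect", SUSPECT)):
        print(name, review_flags(order, typical_total=60.0))
```

A flagged order is a prompt to contact the customer for an explanation, not an automatic cancellation.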
Banks and card issuers are fighting back. They stopped £999.2m of suspicious activity in 2019. New systems are being put in place, including real-time analysis of transactions against a customer’s habits and history. And a new process, Strong Customer Authentication, will finally be in place from this month. This will send customers a text or email to a phone or other device to verify the transaction before letting a sale go through.
But central to retailer defences are technical methods of protection which require deploying the systems that the banks and card issuers have in place.
Looking at each in turn, and starting with Verified by Visa, Mastercard SecureCode and SafeKey, these are gateway systems that remove the need for the retailer to collect, handle and store sensitive card information. Each is similar in that they engage a customer making a transaction online with a window that demands they authenticate themselves with a password created when the account was first opened. It’s rather like putting a card into an ATM where a PIN authenticates the user.
These systems require software to be applied to the retailer’s site, or a connection to a payment gateway, to recognise the card. As UK Finance notes: “Use of these authentication services by a merchant shifts the liability from the merchant to the card issuer in the event of a chargeback, under most conditions.” Chargebacks are no longer a threat for a retailer if the card is subsequently reported as stolen.
Another option is an Address Verification Service (AVS), where card processors aim to confirm the cardholder’s address when a retailer enters the numeric elements of an address.
AVS is often used in tandem with the card security code – the three or four-digit security code printed on credit and debit cards. Each code is linked to an account and can be used to validate that the cardholder is making a transaction with a genuinely held card. The code also confirms that the card is current and not expired or replicated. Further, because it’s not on a magnetic strip, it cannot be swiped and stored illicitly. American Express calls this the Card Identification Number (CID); Visa the Card Verification Value (CVV2) and Mastercard the Card Validation Code (CVC2).
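A simplified model of the numeric address comparison described above, combined with the security-code result, shows how the two checks feed one decision. This is an added example, not a card scheme's or processor's code; the result names, the `decide` policy and the sample records are assumptions.

```python
import re


def numeric_elements(text: str) -> str:
    """Return only the digits of an address field, in their original order."""
    return "".join(re.findall(r"\d", text))


def avs_result(entered: dict, on_file: dict) -> str:
    """Compare the digits of the address line and the postcode."""
    # Only digits are compared, so spelling, case and punctuation play no part.
    address_ok = (numeric_elements(entered["address"])
                  == numeric_elements(on_file["address"]))
    postcode_ok = (numeric_elements(entered["postcode"])
                   == numeric_elements(on_file["postcode"]))
    if address_ok and postcode_ok:
        return "full_match"
    if address_ok or postcode_ok:
        return "partial_match"
    return "no_match"


def decide(avs: str, security_code_ok: bool) -> str:
    """Assumed merchant policy combining AVS with the security-code result."""
    if not security_code_ok or avs == "no_match":
        return "decline"
    return "accept" if avs == "full_match" else "review"


# Constructed records (not real cardholder data).
ON_FILE = {"address": "12 Acacia Avenue", "postcode": "ZZ1 2ZZ"}
SAME_ADDRESS_RETYPED = {"address": "12, acacia ave.", "postcode": "zz12zz"}
WRONG_HOUSE_NUMBER = {"address": "21 Acacia Avenue", "postcode": "ZZ1 2ZZ"}

if __name__ == "__main__":
    for entered in (SAME_ADDRESS_RETYPED, WRONG_HOUSE_NUMBER):
        result = avs_result(entered, ON_FILE)
        print(entered["address"], "->", result, "->", decide(result, True))
```

In practice the comparison is made on the card processor's side and the retailer only receives the result; `security_code_ok` stands for the security-code result returned with it.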
To get the best protection from this method, retailers must always capture, at the time of purchase, even if they don’t store it, the name precisely as it appears on the card; the card number, security code and expiry date; the customer’s phone number and email address linked to the card, and their full billing address. These systems aren’t as strong as the gateways highlighted above: there is always the risk of a chargeback.
All of this points to the one solution that retailers can use to prevent fraud-related chargebacks – only accepting purchases via an online store and entrenching gateways in the purchase process.