Few things are more sought-after by hackers than private credit card and payment data, Stealing credit and debit card numbers for fraudulent use is as popular as ever with cybercriminals. And recent data suggests they’re increasingly turning to card-not-present fraud.
The annual Identity Fraud Study conducted by Javelin Consulting and Life Lock shows card-not-present fraud is rising by about 40 percent every year. Card-not-present fraud also cost businesses roughly double the amount in financial losses than point-of-sale (POS) fraud.
This uptick in card-not-present fraud is something that any business in the digital payments value chain should take note of. That goes for fintech payment data security to physical retailers guarding POS systems. Read on to learn about what card-not-present fraud actually is, what it means to businesses, and steps you can take to prevent it.
Card-Not-Present Fraud Explained
Javelin’s annual report also suggests that e-commerce shoppers run a higher risk of card-not-present fraud than other shoppers. And while 78 percent of e-commerce fraud victims detected (and reported) the crime within a week, consumers and businesses still need to be vigilant.
Card-not-present fraud is more specifically defined as situations where merchants never see, touch, or handle a physical credit or debit card. This can be either online, over-the-phone, or even physical mail. Phishing email attempts to get someone to wrongly enter their payment card data and send it to fraudsters is a common example.
This differs from older point-of-sale fraud methods like ATM card number skimmers. And it’s no surprise, as the value and volume of e-commerce and online shopping keeps growing every year. Businesses are working overtime to respond and protect their customers’ sensitive cardholder data. Upwards of 68 percent of online businesses say they expect more fraud than the previous year, with 62 percent indicating they intend to increase fraud prevention budgets.
In addition to phishing, card-not-present fraudsters also gain access to data by hacking into banking, credit agency, or payment processing systems. They’re typically after at least one (most likely all) of the following cardholder data:
- Card Number
- Expiration Date
- Security Code
- Personal Billing Info (address, telephone number, etc.)
Finally, scammers and cybercriminals love to buy, sell, and exchange illegally obtained cardholder data on the dark web. Just because a consumer’s card hasn’t been fraudulently used yet, doesn’t mean it’s not already out there on the black market.
What the Trend Means for Business
The Javelin data should be a wake-up call to both retail merchants that take payments and backend financial companies that store cardholder data. Merchants themselves are often stuck with costly chargeback fees when card-not-present fraud transactions get reviewed and overturned by the bank. This can range anywhere from $20 to $200 per transaction, with fines of up to $10,000 if chargebacks exceed certain thresholds.
bFor banks, fintechs, and payment facilitators, the result is a damaged reputation and potential regulatory penalties. Payment processors, in particular, are subject to the Payment Card Industry Data Security Standard (PCI DSS). The PCI framework lays out best practices and technology standards designed to protect cardholder data and guard against things like card-not-present fraud. For any business that handles cardholder data, PCI DSS compliance should be considered a mandatory part of any good cyber-defense strategy.
Thankfully, new technologies are emerging to put businesses ahead of fraudsters. Biometric authentication for online e-commerce purchases, for instance, is becoming more prevalent. Personal Identifiable Information (PII) scanner technology is growing in use. Some are even experimenting with “tokenization,” the same underlying software technology that makes cryptocurrency transactions unique and secure.
The shift from point-of-sale fraud to card-not-present should come as no big surprise given the trajectory of digital consumer behavior. It’s up to merchants, card issuers, and fintech providers to stay vigilant. Adopting a compliance framework like PCI DSS and exploring technology partners on the bleeding edge of payment security are two great ways to start.
Get A Free Cyber Risk Report
Hackers don’t rest, neither should you. Identify your organization’s cybersecurity weaknesses before hackers do. Upon filling out this brief form you will be contacted by one of our representatives to generate a tailored report.
1 comment
Great insights on the shift from POS to card-not-present fraud! Your analysis of the evolving threat landscape is both timely and informative. Well done!