With more of the world connected to the internet and the popularity of online shopping continuing to rise, it’s no wonder that e-commerce fraud has also increased. One area that is particularly vulnerable to this kind of fraud is Card-Not-Present transactions.
As the name suggests, Card-Not-Present (CNP) transactions are those where the customer and his or her card are not physically present for the transaction. These transactions typically happen over the internet, phone, mail-order or fax. In addition to e-commerce sales, automatic billing or recurring payments are also typically CNP transactions. While this form of transaction offers considerable convenience for shoppers and helps boost companies’ sales, there are some risks involved for merchants and cardholders alike.
This guide addresses best practices for CNP transactions as well as risk management strategies for merchants.
Card-Not-Present Best Practices
CNP purchases typically have higher interchange fees than card-present transactions. Further, a significant amount of credit card fraud comes from CNP purchases – especially as the shift to EMV cards (credit cards with chip technology) makes other hacks harder to pull off.This also can increase costs for merchants.
Given these expenses, it’s important for merchants to follow CNP best practices to safeguard their customers’ information and minimize the fees they have to pay.
- Input Cardholder Data: When merchants obtain card information from a customer, it’s best to input account number, expiration date, contact information and any other pertinent details directly into the payment gateway. Writing it down on a separate sheet of paper or in a separate computer file would increase the risk of someone stealing the data. Data should always meet Payment Card Industry (PCI) data security standards.
Merchants and their payment processor should both be PCI certified, and they should use high-quality end-to-end encryption when sending data (more on PCI and encryption below). It may also be beneficial to restrict who in the company can access this sensitive information.
- Review Confirmation:When merchants get to the confirmation stage of the transaction, they can leverage fraud protection services to help them verify that it is a legitimate purchase by the cardholder. One helpful tool is an Address Verification Service (AVS), which is available with American Express, Discover, MasterCard and Visa. AVS works by confirming that the address provided by the customer matches the authorization request. Any partial or “no match” responses should be investigated.Common signs of fraud include large orders, multiple orders, several orders from the same IP address with slightly different card numbers, orders being sent to an international address, and big-ticket or luxury orders. Depending on the nature of the business, companies can institute a dollar limit at which they would put these orders on hold until further authorization.
- Authorize Payment:When companies authorize the transaction, it’s helpful to have additional built-in security features. There are several different authentication methods businesses could use. Requesting customers’ card verification numbers, the three or four-digit numbers (CVV2, CVC2 or CID codes) located on the back (or front for American Express) of the card that are not part of the magnetic stripe, can cut down on CNP fraud considerably. The only way to know these numbers is if the person using the card has possession of it, meaning the card has been stolen, or has seen an image of it the owner had stored somewhere.Some cards offer services such as Verified by Visa or MasterCard’s SecureCode, which create another layer of protection for cardholders. Using personal passwords, these services can verify identity or block a transaction. Another way to ensure merchants are only authorizing authentic payments is by using negative lists or blacklists. These lists contain details of credit cards that are deemed risky. This designation often comes from when a customer disputes a charge. The negative list will record the card number, contact information and IP address of that charge and block future purchases from cards associated with these details.While this can cut down on fraudulent charges, this method should be used with discretion as it can also result in rejecting legitimate transactions.
- Ensure Timely Processing: It’s important to settle all transactions daily for numerous reasons. During in-person transactions, charges go through almost instantly. Customers expect similar processing speeds for online CNP purchases as well. If they don’t see the purchase until later, they may think there was an error and dispute the charge. This could result in a chargeback to the merchant and higher interchange fees.Credit card companies have structured their interchange fees to incentivize businesses to settle quickly as well. They charge the lowest interchange fees for transactions settled within 24 hours. Also, delays in processing may result in authorizations expiring.
Each company is likely to develop its own best practices, which reflect the unique characteristics of its business and customers. Despite these differences, any merchant with a significant amount of CNP transactions may face many of the same risks.
Typical Risks for Merchants During Card-Not-Present Transactions
The biggest risks for CNP merchants are fraud, customer disputes, and chargebacks. These risks not only cause short-term financial damage to the firm, but they can also harm the business’ reputation, future sales abilities, and long-term success.
Approximately45%of all credit card fraud in the US is the result of CNP fraud. This number has been growing in recent years. There are numerous types of CNP fraud, including:
- Friendly fraud or false chargebacks (more on chargebacks below) where a customer disputes a transaction that actually went through, getting their money back and keeping the product
- Account information theft where a thief has stolen a person’s physical credit card and uses it to make purchases
- Large scale data breaches which result in sensitive information such as account number, address, email, etc. being accessed by hackers
- Application fraud where someone applies for, receives and uses a credit card in someone else’s name
- Digital credit card information theft through phishing, malware, pagejacking or whaling strategies
As CNP fraud grows more sophisticated, so do the tools and strategies for defending against it. This is good news since a recent consumer study suggested that 78%of e-commerce shoppers want more protection for the CNP purchases and 67% were willing to change their behavior to get it. Some of the most common fraud prevention strategies include:
- PCI DSS:Payment Card Industry Data Security Standards can be thought of as a first line of defense against fraud. These 13 objectives focus on securing, protecting and monitoring customer data. Companies that transmit and store confidential information must remain in compliance with these standards. There are fines for non-compliance, especially if merchants are non-compliant at the time of a breach.
- E2EE:End-to-end encryption is another foundational security practice. In this method, data is encrypted during transmission, decrypted during processing, and then encrypted again for storage. Data is at risk during the decryption phase but E2EE still helps secure data beyond PCI compliance.
- 3DS:3 Domain Secure, or 3D Secure is the name of the security protocol used in Verified by Visa and SecureCard from MasterCard. This process adds extra protection by asking customers to set up a unique password that will enable them to verify when they make transactions with that card.
- One-time Passcode: This process can be considered a next-gen 3DS. While customers who access sensitive information in their careers or who have had accounts in Europe may be used to this technology, it is still relatively new for US credit cards. It uses a safekey technology, which produces a random series of numbers that is only good for a certain period of time. Customers have to enter this passcode in order to authorize a transaction.
- Tokenization: Tokenization is a method that uses third-party generated tokens in place of credit card details. This additional level of security addresses the merchant’s data vulnerability while storing account information. It is typically less costly to encrypt and decrypt data using tokens.
- Biometrics:Biometric indicators such as facial or voice recognition and fingerprints can be used in place of a signature or pin to authorize a transaction. This technology is still relatively new, but it could see increased adoption. A study from Visa indicates that 80%of consumers are interested in verifying transactions or paying by fingerprint.
- Machine Learning:Machine learning is another new technology whose full impact is yet unknown. Instead of manual reviews of cardholder information and transactions, machine learning can detect patterns and anomalies to alert merchants to potential instances of fraud quicker than many other methods.
While PCI is the foundation of every business’ fraud prevention strategy, they will likely need to supplement that with one or more methods above. Customers are becoming more educated about fraud and how companies can prevent it. They may only seek out merchants who provide strong security protocols.
Customer Disputes and Chargebacks
In addition to fraud, merchants also face considerable risks from customer disputes and chargebacks. Disputes can arise for a number of reasons, including unauthorized charges, being charged twice, billing errors, not receiving the correct order, failure to send bill to customer’s current address and being charged for an order you returned.
Resolution of these disputes is overseen by the Fair Credit Billing Act. Each of these situations could result in increased expenses for the merchant through refunds, credits, billing adjustments and interchange fees. Beyond the direct costs, each scenario also could hurt the company’s long-term relationship with its customers.
In each case, customers have two options: go to the merchant or go to the credit card company (payment processor). If the customer goes to the merchant, he or she may be able to work out a solution with the company. If the customer goes to the credit card company, this will likely result in a chargeback to the merchant. Merchants can fight chargebacks but are required to provide proof that the sale occurred.
Chargebacks result in interchange fees, and if companies have a pattern of frequent chargebacks they may face higher fees from their payment processor and risk not being able to maintain their merchant accounts.
To counteract the potential negative effects from customer disputes and chargebacks, there are a few risk management solutions companies can implement.
- Controls to Avoid Duplicate Charges: Making changes to the checkout process can help avoid duplicate charges. Having customers hit a button on the screen and not just pressing the enter key makes the purchase decision a deliberate, one-time click action. As the payment is processing, on-screen prompts reminding customers not to refresh their browsers as well progress bars showing the payment is processing can avoid unnecessary duplicates from thinking the transaction has frozen. Merchants should also routinely review their orders for potential duplicates and reach out to customers to verify purchases if needed.
- Proactive Customer Service:The more proactive businesses are in interacting with their customers, the more likely they are to avoid chargebacks and difficult disputes. Companies that provide status updates around delays or issues or reminders for recurring charges may stay in customers’ good graces longer. Customer service also means companies should be easily accessible to customers. Clearly displaying contact information and providing around-the-clock support can build customer loyalty. Another angle of proactive service is offering accurate product and service descriptions and clearly communicating policies that affect customers such as refunds and anti-fraud statements.
- Prompt Action:Another way merchants can build goodwill with customers is through prompt action. This includes processing refunds, credits and cancellations as quickly as possible. Even during situations where customers are dissatisfied, swiftly responding to their requests and resolving their issues can help preserve future sales potential.
The ability to process CNP transactions has revolutionized the commerce and internet-based business landscape. Almost anyone is able to set up an online business and access a global customer base. As sales are growing, however, so are cases of fraud as well as merchant expenses as they attempt to prevent and resolve these issues. Using CNP best practices and risk management solutions can help keep merchants and their customers safe.