What Is Card-Not-Present Fraud?

Card-not-present fraud is fraud committed in transactions where a cardholder does not present a card to a merchant in person. It includes internet, phone and mail-order transactions. In most cases, this type of fraud happens after a crook steals card information, such as a card number, through hacking, skimming or phishing. That stolen card data then enables a fraudster to carry out unauthorized transactions even if the legitimate card is never lost or stolen.

This contrasts with a card-present transaction, when a consumer presents a physical card to a merchant, such as at a supermarket or clothing store.

This type of fraud accounts for billions of dollars in losses worldwide for online merchants that accept credit and debit cards, and it causes headaches for cardholders.

How Serious Is Card-Not-Present Fraud?

Around the world in 2017, all types of fraud tied to payment cards triggered an estimated $24.26 billion in losses, according to The Nilson Report, a newsletter that tracks the payment industry. That figure is projected to rise to $34.66 billion in 2022, according to Nilson.

Card-not-present fraud is increasing because some crooks have turned to card-not-present transactions following the rollout of more secure chip-enabled cards for card-present transactions. It also stems from the growth of e-commerce.

Madeline Aufseeser, co-founder and CEO of Tender Armor, a provider of fraud prevention technology, calls card-not-present fraud a huge problem that’s “growing exponentially and unabated.”

Card fraud is growing overall, but the type of card fraud carried out is largely shifting to card-not-present transactions. A 2018 study from the Federal Reserve said the amount of card-present fraud in the U.S. declined from $3.68 billion in 2015 to $2.91 billion in 2016, while the amount of card-not-present fraud jumped from $3.4 billion to $4.57 billion during the same period.

A study released in 2018 by Javelin Strategy & Research said card-not-present fraud is now 81 percent more likely to occur than in-store, or card-present, fraud.

“I don’t know that we’ll see an end to card-not-present fraud in the U.S.,” Aufseeser says.


How Card-Not-Present Fraud Affects Consumers

Research indicates one of the key impacts of card-not-present fraud on consumers is anxiety about the safety and security of their credit and debit card information.

In a 2016 survey conducted as part of the study from Tender Armor and Sparks Research, 56 percent of U.S. consumers said they’d change their online shopping behavior after an incident like card-not-present fraud. This included switching online retailers, cutting back on online shopping, decreasing use of payment cards or shutting down a payment card account.

Fortunately, if you become the victim of card-not-present fraud, your liability is minimal.

Under the federal Fair Credit Billing Act, you’re not liable for unauthorized transactions when your credit card number (not the card itself) has been stolen.

In the case of a debit card, if a crook makes unauthorized transactions with the card number (but not the actual card), you’re not liable for the transactions as long as you report them within 60 days of your bank statement being sent to you. That’s spelled out in the federal Electronic Fund Transfer Act.

How Card-Not-Present Fraud Affects Merchants

In addition to consumers, card-not-present fraud haunts merchants.

“The merchant needs to provide all the right evidence to prove it was the actual customer who placed the order,” says Suresh Dakshina, co-founder and president of Chargeback Gurus, which provides services for merchants. “If for some reason the merchant is unable to prove this, the liability, by default, falls on the merchant, and the consumer can get their money back.”

Here are just a couple of ways that a chargeback can hurt a merchant, according to Chargebacks911:

— Each time a consumer requests a chargeback, the merchant absorbs a fee ranging from $20 to $100 per transaction.

— If a merchant’s monthly chargeback rates exceed a certain amount, the merchant faces fines of roughly $10,000.

Merchants face more risks from e-commerce because these transactions lack the sort of safety provided through in-store, anti-fraud practices, like checking a customer’s ID, adopting payment technology that reads chip-enabled cards or authentication by personal ID number.


How Does Card-Not-Present Fraud Work?

A crook relies on stolen data from a real card to execute a card-not-present scam. Chargebacks911 says this is the data that’s generally involved in card-not-present fraud:

— Card number

— Card expiration date

— Card security code

— Personal billing information (such as the cardholder’s address)

What follows are three of the common methods that a cyberthief might employ to collect data for card-not-present transactions.

Hacking. A hacker invades a computer system to grab, alter or destroy information, often by installing malware, short for malicious software. Often, a hacker gains this data by breaking into computer systems operated by places such as retailers, restaurants, hotels, banks, schools and government agencies. With this stolen data, cybercrooks can produce cloned credit cards or commit other kinds of fraud, such as card-not-present fraud. They also can sell the data via underground marketplaces online.

Skimming. A crook will install a device called a skimmer at a gas pump, ATM or other location to copy data from credit or debit cards that have magnetic strips. Also, a waiter or store clerk with a portable skimmer might steal card data when you’re not watching. What happens to the data? A crook typically uses it for fraudulent activity or sells it to other criminals.

Phishing. As the name suggests, a phisher goes fishing for sensitive data by posing as a legitimate organization, such as a credit card company or bank, via email, phone or text to reel in information like card data or passwords. This data can be gathered, for instance, by urging an email recipient to open a malicious attachment or click on a malicious link.

What’s Being Done to Stop Card-Not-Present Fraud?

Here are three innovations that the payment industry is embracing to cut back on card-not-present fraud.

3-D Secure 2.0. This technology seeks to prevent card-not-present fraud and speed up e-commerce through quick, secure authentication of transaction data. 3-D Secure 2.0 lets merchants and payment providers securely transmit an array of data, such as the shipping address, the customer’s device ID and the customer’s purchase history, to aid a card issuer’s decision about approving a transaction.

Tokenization. Tokenization substitutes sensitive account data, such as the card number, with a temporary, one-of-a-kind digital identifier, or “token.” This way, online, in-store and in-app payments can be processed without exposing account details.

Biometric authentication. Biometric authentication — including voice, fingerprint, facial, retinal or heartbeat recognition — offers a method for validating payments.


How to Reduce Card-Not-Present Fraud Risk

Visa offers these tips for consumers to avoid becoming a victim of card-not-present fraud:

— Don’t share usernames and passwords with anyone.

— Use only those internet browsers that securely transmit data. You can see whether a browser is secure by making sure the web address begins with https:// and looking for a closed-padlock symbol in the browser.

— Thoroughly review your monthly card statements.

— Don’t respond to unsolicited email requests for personal account information, even if the source of the request looks trustworthy.

— Don’t send payment information by email.

What can merchants do to combat card-not-present fraud? Chargeback Gurus and Chargebacks911 give these recommendations:

— On e-commerce order forms, always ask for a card’s security code.

— Adopt customer verification products such as Verified by Visa, Mastercard SecureCode and American Express SafeKey.

— Use a service that verifies a cardholder’s billing address.

— Pay close attention to first-time customers, as fraudsters regularly prowl for new victims.

— Be suspicious of larger-than-normal orders. Criminals with stolen card data frequently try to make big purchases in a brief period before someone detects the fraud. Likewise, be on the lookout for purchases of big-ticket items that a thief might wind up reselling.

— Watch out for repeated attempts at entering a card’s expiration date. This could mean a criminal is taking a stab at figuring out the number.

— Trust your gut. If something doesn’t feel right with a transaction, then ask for more information from the customer or call to verify the purchase.
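
For merchants who want to turn the checklist above into an automated screen, here is one way the warning signs could be coded. This is an added example, not code from Chargeback Gurus, Chargebacks911 or any card network; the field names, sample data and thresholds are assumptions made up for illustration.

```python
from collections import Counter
from statistics import median

def attempt(order, customer, card, amount, cvv=True, avs=True, expiry_ok=True):
    """One checkout submission. `card` is a token, never the real card number."""
    return dict(order=order, customer=customer, card=card, amount=amount,
                cvv_given=cvv, avs_match=avs, expiry_ok=expiry_ok)

# Constructed sample data (not real transactions).
PAST_ORDER_AMOUNTS = [35.0, 42.5, 60.0, 28.0, 51.0]   # what a normal order looks like
KNOWN_CUSTOMERS = {"c-100", "c-101"}                   # have bought before
ATTEMPTS = (
    [attempt("A1", "c-100", "tok_1", 40.0)]
    # Order B1: three wrong expiration dates, then a correct one.
    + [attempt("B1", "c-900", "tok_2", 950.0, avs=False, expiry_ok=False)] * 3
    + [attempt("B1", "c-900", "tok_2", 950.0, avs=False)]
    + [attempt("C1", "c-101", "tok_3", 55.0, cvv=False)]
)

def review(attempts, known_customers, past_amounts,
           max_expiry_failures=2, size_factor=3.0):
    """Return {order_id: sorted reasons} for orders that deserve a manual look."""
    typical = median(past_amounts)
    # Count wrong expiration dates per card across all submissions.
    expiry_failures = Counter(a["card"] for a in attempts if not a["expiry_ok"])
    flags = {}
    for a in attempts:
        reasons = set()
        if not a["cvv_given"]:
            reasons.add("no security code")
        if not a["avs_match"]:
            reasons.add("billing address mismatch")
        if a["customer"] not in known_customers:
            reasons.add("first-time customer")
        if a["amount"] > size_factor * typical:
            reasons.add("larger-than-normal order")
        if expiry_failures[a["card"]] > max_expiry_failures:
            reasons.add("repeated expiration-date attempts")
        if reasons:
            flags.setdefault(a["order"], set()).update(reasons)
    return {order: sorted(r) for order, r in flags.items()}

if __name__ == "__main__":
    for order, reasons in review(ATTEMPTS, KNOWN_CUSTOMERS, PAST_ORDER_AMOUNTS).items():
        print(order, "->", ", ".join(reasons))
```

A flag here means "ask for more information or call to verify," as the last tip suggests, not an automatic decline; a first-time customer on its own is normal.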


What Is Card-Not-Present Fraud? originally appeared on usnews.com
