It can be tricky to keep up with card not present fraud trends, as criminals are constantly coming up with new schemes as technologies and processes change. But some standard practices can help to prevent CNP fraud. Here are a few examples.
Maintain Payment Card Industry (PCI) security standards compliance
The PCI Security Standards Council consists of officials from major credit card brands. It’s responsible for setting data security standards (DSS) that any organization wanting to process credit card transactions must follow. The PCI’s current 12 main DSS standards are:
- Use firewalls to block unauthorized access to data
- Set and occasionally change secure passwords for all relevant devices
- Encrypt cardholder data with algorithms secured by encryption keys
- Only send cardholder data to known locations, and always encrypt it in transit
- Install antivirus software on all relevant devices
- Keep all relevant software on all relevant devices up to date
- Restrict access to cardholder data for entities that don’t require it
- Require unique IDs for entities that do need access to cardholder data
- Keep cardholder data in a secure physical location
- Create a log record whenever cardholder data is accessed
- Test all relevant software, physical locations, and employees for security vulnerabilities
- Document all equipment, software, and employees that can access cardholder data
Monitor transactions and data for unusual behavior
Use checkout processes and data enrichment tools to collect extra customer information such as email addresses, phone numbers, device fingerprints, IP addresses, and transaction histories. This allows for analyzing not only a particular customer’s behavior but also the whole marketplace network, for behavior that’s out of the ordinary. For example, criminals may attempt unusually low-value CNP transactions to “test” if a payment card’s credentials actually work.
Use 3DS and other multi-factor authentication
Sometimes called strong customer authentication (or SCA), 3-domain security (or 3DS), and other forms of multi-factor authentication can help stop CNP fraud by requiring customers to identify themselves in more than one way. That can include asking them something only they should know (like a one-time password), having them present something only they should possess (such as an ID document), or scanning something inherent to them (like a fingerprint). Remember how much friction this can add to a checkout process, though.
Require Card Verification Values (CVVs)
CVVs are 3-digit codes on the back of Visa, MasterCard, and Discover credit cards. They also appear on American Express credit cards but are 4 digits long and appear on the front of the card. They are not always required for credit card transactions, so they are not always included in stolen credit card credentials.
Requiring this number for a CNP payment can trip up fraudsters, since they may not know this information unless they have the actual physical card. While it’s not foolproof, it’s an added layer of security for merchants and financial institutions conducting card-not-present business. It also protects merchants from being liable for authorizing fraudulent transactions, as they’ve performed the necessary due diligence by requiring this information.
Use an Address Verification Service (AVS) system
An AVS system is a method used by major credit card companies to combat online CNP fraud. It checks whether the billing address entered for a credit card matches the address registered with that card at its issuing financial institution. AVS can be set up to automatically reject CNP transactions that fail to meet certain criteria, or simply escalate the case for investigation to let the merchant make a judgment call.
Unit21’s Tools Help Guard Against CNP Fraud
Card not present fraud prevention requires extra due diligence when verifying customer identities and watching for suspicious transactions. Make Unit21’s Transaction Monitoring and Case Management products part of your anti-fraud arsenal: aggregate and analyze both transaction data and contextual information and use it to spot shady activity or fraud trends.
Contact us for a demo, and let us show you how we can help.