As the United States slowly adopts EMV, criminals are taking the opportunity to capitalize on their vast stores of data. At the moment, it’s hard to attribute any rise in CNP fraud directly to EMV migration, but if we look to other countries for signs of what’s to come – it’s possible that CNP fraud could increase post-migration. With eCommerce steadily growing and the opportunities for counterfeit fraud dwindling, CNP fraud in the United States may follow the pattern of that in the U.K., Australia, and France following their EMV transition and rise.
EMV is going to attack POS fraud, but for those transactions that occur where the card is not present, a different approach to authentication is required. It’s a much tougher solution to find, as standard authentication methods have not been issued for CNP transactions in the way they have for traditional face-to-face ones. For these virtual POS scenarios, a new way of approaching fraud is in order.
Authentication typically relies on three main factors: ownership, knowledge, and inherence. These three factors work together to create a situation where a person owns or has the card, knows the PIN, and can further authenticate through an additional method, such as a fingerprint. With CNP transactions, things are a little bit different.
The authentication methods have to shift in order to facilitate the nature of the CNP transaction. For example, we might not be able to verify ownership in the same way we did at the physical POS by establishing the person has the card, but we may be able to identify their IP address. Additionally, we can use tokens or single-use account numbers in order to establish ownership.
Passwords, PIN numbers, and security questions can help establish the knowledge factor during CNP transactions. There are a number of options for this, including random passwords and one-time passwords. For IVR transactions, voice verification could be utilized. This information ensures that the cardholder authenticates their identity by sharing information that they know and can be verified.
Additionally, methods like risk scoring can be used, where browsing history and card activity is assessed to help determine whether or not the CNP transaction is likely legitimate or fraudulent.
While there are a number of authentication options to help combat potentially increasing CNP fraud in the post-EMV migration environment, it will take detailed analysis to determine which routes are the most beneficial for each merchant. For many, a layered approach that isn’t too costly will be the best option.
CNP fraud isn’t going anywhere, and analysts forecast that the numbers are only going to surge after we adopt EMV in the U.S. Now is the time to evaluate your CNP authentication methods and make some choices.
For more information on EMV and CNP fraud, contact our payment professionals today at 866.290.5400.