The emergence of new payment methods and the rise of ecommerce has driven an increase of fraud in the card-not-present (CNP) arena, especially as EMV chip technology gains footing in the United States. In fact, CNP fraud losses are expected to reach $7.2 billion by 2020[i]. Now, more than ever, merchants must be diligent in evolving their security strategies and authentication procedures to protect their customers’ data and their own interests as well.
Authentication is the process of ensuring the person using a credit or debit card to make a purchase is who they say they are. Proper authentication validates the legitimacy of the transaction, and its purpose is to guard against unauthorized card use.
This kind of protection is particularly important when the actual credit or debit card is not present at the point of sale. Whether that’s through online purchases, mobile wallets, digital currencies or alternative payment methods, it’s crucial for merchants to be able to enact measures that properly identify the purchaser and accept payment or raise red flags and block the sale. After initial verification, however, the merchant stands to gain customer loyalty as the checkout process will be much easier the next time through.
“Authentication is a tool that helps a merchant validate the card is good and provide insight into the cardholder making the transaction so they can make the decision if they want to do business with this customer or not,” Verifi Vice President of Business Development Chris Marchand said. “It also establishes a baseline and potentially begins a relationship between merchant and cardholder.”
Authentication methods
There are many different ways merchants can authenticate a cardholder. Some of the most common authentication methods during checkout include:
3D Secure—An authentication technique for online transactions, 3D Secure typically requires a password linked to the card before it can be used for a purchase. The problem, however, is this procedure can be tedious for a consumer, and it can lead to lost sales. Common examples of 3D Secure programs are Verified by Visa, MasterCard SecureCode and American Express SafeKey.
CVV—The three- or four-digit number generally found on the back of one’s credit or debit card is a common field today on checkout pages. Many merchants and consumers alike, however, do not believe CVV is an effective authentication method on its own because these numbers can be stolen and/or sold just as easily as the account numbers.
Knowledge-based authentication—Some online merchants ask consumers who create a checkout account with their site to answer personal questions that only the consumers would know, such as the name of your childhood best friend or the make and model of your first car. Similar to 3D Secure, an issue can arise when the user doesn’t remember what they initially entered as answers, and rather than taking the steps to iron it out, they’ll walk away from the purchase.
Biometrics—Predominantly used today with mobile payments—though new developments in this space are advancing rapidly—biometric authentication validates the purchaser through things like fingerprint scans and voice or facial recognition. It makes unauthorized use of a credit card especially difficult, but smartphones, for example, can be hacked, and even fingerprints can be lifted from the glossy surface of a phone with certain adhesives.
Phone number verification—This method will ask for the purchaser’s phone number, then send a code via text message that the purchaser must enter to complete the transaction. It’s a solid authentication measure if the user has a phone number already stored in the merchant system (thus keeping a fraudulent individual from simply entering their own number), but in the case of a stolen phone, it doesn’t do a great deal in the way of protection.
Multifactor authentication—Just as its name would suggest, multifactor authentication (MFA) requires satisfactory completion of more than one authentication protocol to authorize the transaction. While perhaps the most secure way to authenticate a purchaser, MFA can be compromised if a person looking to commit credit card fraud has access to all of the information required (e.g. they know the CVV number and the 3D Secure password).
As illustrated here, none of these authentication methods are fool proof. Moreover, some online merchants—at their own peril—aren’t keen on the idea of slowing down the checkout process, and even if they were, a recent LexisNexis report shows that up to 60 percent of large ecommerce merchants find ID verification to be a real challenge[ii].
“Some merchants are concerned with potential consumer order abandonment,” Marchand said. “They also believe they’ll have reduced visibility into their true transaction volume or fraud issues due to the liability shift that comes with authentication through Verified by Visa or MasterCard SecureCode.”
The after-sale safety net
Simply because a transaction passes through the aforementioned authentication methods, it doesn’t mean merchants are out of the woods when it comes to the potential for suffering great losses. Fraud and non-fraud chargebacks are a huge problem. In fact, chargebacks are a $40 billion problem that affects every merchant’s revenue. Whether fraud (identity theft or stolen payment cards) or friendly fraud (buyer’s remorse or disputing a legitimate charge), if you aren’t actively preventing chargebacks, they’re going to hurt your business.
Authentication is used on the front end of the sale to protect the merchant and cardholder, and that same care must be placed on post-sale strategies intended to detect fraud and resolve disputes quickly before they become chargebacks. That’s why it’s important to integrate with third-party networks and systems that serve as a safety net of sorts for merchants.
These systems, such as Verifi’s Cardholder Dispute Resolution Network, are designed to provide near-real-time notifications of customer disputes so they can be resolved before they turn into chargebacks and negatively affect your brand reputation and cash flow. The chargeback alone can be costly, but when you add in the fees and penalties for elevated chargeback rates, not to mention the operational costs of manual reviews and the expenses involved with fighting chargebacks, things go from bad to worse in a heartbeat.
Protection after the sale will never be effective if merchants and issuers don’t communicate. Merchants should seek platforms that allow for better collaboration with the issuers to further protect themselves from unnecessary chargebacks, protect the issuers from expensive write-offs and increased operational costs and protect the cardholders from fraudulent purchases.
“Merchant-issuer collaboration can help make a merchant aware of certain fraud patterns or processes that are popping up,” Marchand said. “It also provides the merchant with the visibility to adjust and correct processes going forward, which can also help reduce chargebacks.”
Additionally, these platforms could establish an information bridge that gives the issuer access to greater purchase details than they currently have. Sometimes a person might simply be confused about a billing descriptor on their credit card statement. Or, maybe their credit card was stolen or they claim they didn’t make the purchase, but in actuality they did.
Whatever the case, today’s consumer calls their card company—not the merchant—to inquire about or dispute a charge. It’s in the best interest of the merchant to share purchase details with the issuers to better equip them to resolve disputes as quickly as possible, otherwise they’ll generally move forward with a chargeback in an effort to keep the cardholder happy regardless of if the sale was legitimate or not.
The shared information might show issuers specific merchant details, the device used to make the purchase, a detailed description of the product or service, unique customer information such as IP address, phone number and email address associated with the purchase/account. This mechanism helps all parties identify true fraud and avoid friendly fraud, and it serves as an additional means to authenticate the user through their transaction post sale.
The underlying risks of no authentication
Merchants have to resist the temptation to ignore authentication practices. The loss from a few abandoned carts is far better than the cost of mass fraud and skyrocketing chargeback rates. Authentication is but one of many ways merchants must protect themselves, and their customers, from fraud. If merchants aren’t able to authenticate payments, they will see losses from not only fraud, but also from chargebacks, the expensive representment process and reputation damage that results in lost sales.
The inability to ensure authorized use of a credit or debit card opens the door wide open for disputes and a higher chargeback rate, which, if left unattended, can be catastrophic to any business. The penalties and fees stemming from an unacceptable chargeback rate alone can be a serious burden, and as new payment methods flood the CNP arena, the risks involved with inadequate security and fraud prevention initiatives have never been greater.
The full-spectrum approach
In 2016, every $100 in fraud losses costs merchants $240 in chargebacks, fees and merchandise replacement[iii]. You’ve heard it a million times, but the fact of the matter remains: there is no silver bullet to complete eradication of fraudulent transactions. However, the best approach for merchants is a multilayered security strategy that makes use of various tactics, platforms and experts that protect merchants and their customers throughout the entire transaction lifecycle. These solutions often give merchants better insight into what’s working and what isn’t in terms of their security, and ways to detect fraud, resolve disputes early and avoid and reduce chargebacks before they spiral out of control and become too much of a financial burden to handle.
[i] http://aitegroup.com/report/not-your-father%E2%80%99s-3-d-secure-addressing-rising-tide-cnp-fraud
[ii] http://solutions.lexisnexis.com/17057
[iii] http://solutions.lexisnexis.com/17057