By Howard Berg, SVP, UK & Ireland, Gemalto
Payment fraud is an ever growing threat to UK consumers. Since 2010, Card Not Present (CNP) Fraud has cost the UK economy £1.7 billion, with that amount set to grow as UK banks and card providers debate how best to solve the problem. In fact, the majority(70%) of card fraud on EMV -a global standard for credit and debit payment cards based on chip card technology -markets is down to CNP. And the issue isn’t just common in the UK: it’s predicted to cost the US market $6.4 billion by 2018.
The reason that CNP fraud is so successful is remarkably simple – static information.
The information on today’s payment cards doesn’t change throughout the life of the card. This means that, should fraudsters acquire card details through methods like skimming, phishing or even by a “person on the inside” saving information used for a previous transaction, those details are forever compromised and attackers can make purchases without the card-holder’s knowledge.
In other areas of cybersecurity, there are methods that can protect and fight against fraud. For example, consumers are encouraged to regularly change their passwords for computers or email accounts to mitigate the threat of being hacked,so payment security should be no different.
Dynamic Code Verification
The key to any form of security, and technology itself,is consumer convenience. The average abandonment rate at the checkout step online is as high as 68.53%, as consumers will discontinue a purchase if it is too complicated or time-consuming.This is why Dynamic Code Verification (DCV), a solution which allows card issuers to replace the static security (three-digit code on the back of a Mastercard or Visa Card) used for online purchases, with a dynamic code displayed on the customer’s card or potentially in a secure mobile based application, should be considered a front runner as a security protocol.
DCV’s biggest selling point is that it offers the necessary security measures for consumers, without significantly changing the buying processor payment experience.
It does this by changing the three-digit security code on the back of consumers’ cards on a continual basis. The regularity of this is decided by the card issuer, but will normally happen every 20 to 40 minutes. This mitigates the risk of fraud by reducing the amount of time that hackers can use a set of details for before they are changed, but giving enough time for the cardholder to complete the purchase.
For example, should someone have their card details stolen, the hacker won’t be able to use them for long, as the details will have changed. All a consumer will have to do before making an online purchase is check the back of their card and complete it before the code changes.
With the adoption of mobile and online payments growing, and the use of cash declining, the risks of CNP are only going to grow. Both businesses and banks need to look at the options available to them and work in tandem to tackle these issues. Once this is done, it’s crucial they communicate the security protocols they have in place in order to support consumer confidence. With any technology, consumer confidence is key. If consumers don’t trust DCV, or any other security measure, then it will never see mass adoption. As hackers utilisemore sophisticated tactics in their attempts to steal data, providing easy to use methods (such as DCV) is essential in minimising fraud.
Conversations in the banking industry are still ongoing to understand if DCV alone will be enough to meet the Payment Services Directive 2 (PSD2), which requires financial institutions to clearly authenticate their customers in a variety of situations.
What is evident, however, is that card issuers and banks need to educate their customers around the dangers of CNP, and what can be done to mitigate risks. By educating customers, measures such as DVC will become an expected standard amongst organisations, and ultimately result in innovative, consumer friendly solutions for protecting against CNP fraud.