Regardless of whether a purchase is processed online or in a physical store using a payment card, payment systems operate digitally, making both merchants and consumers vulnerable to third-party attacks.
However, in-store purchases are still considered more secure because of visible proof of card possession as well as chip-and-PIN authentication. E-commerce is considered more vulnerable to third-party attacks since it lacks face-to-face interaction. The additional rise in online traffic caused by the COVID-19 pandemic makes e-commerce fertile ground for fraudsters.
According to the 2019 American Express Digital Payments Survey, 27% of online sales are classified as fraudulent online transactions, which has merchants eagerly searching for a solution that provides both security and a seamless checkout experience for consumers. The survey also indicates that as many as 82% of merchants feel vulnerable when it comes to mobile transactions, and 79% state that they feel the same way about website payments.
Like merchants, cardholders are exposed to payment card fraud, which is confirmed by the 42% of respondents who state that they have been victims of attacks aimed at stealing their credit/debit card information. These statistics explain why cardholder confidence in online payments is decreasing, which in turn causes a spike in cart abandonment rates. At the same time, cardholders are not satisfied with online checkout processes involving various passwords and PINs, stating that they are often confusing and cause them to abandon their purchase.
It is evident that major security measures need to be undertaken in order to protect both merchants and cardholders from fraudulent activities. The solution lies in 3D Secure authentication, implementing Strong Customer Authentication (SCA), enabling maximum security accompanied by a smooth user experience. This protocol provides benefits to all of its stakeholders, making it a universal solution that addresses all pain points present in the online payment ecosystem.
Payment card fraud is a term used for fraud committed using a credit/debit card without the authorization of its genuine owner, the cardholder. Motives behind such activities vary from obtaining goods or services to making payments to other accounts without the cardholder's consent.
Such actions cause tremendous losses, which is confirmed by the data published on merchantsavvy.co.uk. The latest statistics state that fraud losses in 2019 reached $30.07 billion, and the projected loss for 2027 amounts to $40.67 billion. These losses need to be accounted for, putting issuers and merchants in an unenviable position.
Now that we have covered the numbers and seen the severity of this trend, let's examine common types of online payment card fraud.
Card-Not-Present (CNP) Fraud is a type of online payment fraud that typically occurs when making either online or telephone transactions. In order to commit such a scam, the fraudster needs to obtain the following details: cardholder's name, billing address, card number, three-digit security code (CVV), and card expiration date. What makes CNP fraud even more alarming is the fact that some processors do not even check the CVV number.
The most common way of obtaining this data is through phishing, i.e., creating a replica of an original webpage, personalized email, or text so that the cardholder thinks that they are interacting with a legitimate business. That way, the cardholder is confident that they are giving their personal information, such as account number or username and password, to a trusted party. With that information, the fraudster can easily process online payments without the cardholder's knowledge. Another method is hacking, a direct attack on a system that holds financial information for legitimate purposes, e.g., the computer system of a hotel. Stolen payment card information is usually sold online for further fraudulent use.
In the case of CNP Fraud, the merchant is liable for the loss, which leads to decreased revenue.
Account Takeover (ATO) Fraud involves a hacker who acquires access to an account that does not belong to them, with the end goal of making a profit using the account's value. Account takeover is done in a very sophisticated manner so that the rightful owner of the account does not notice any suspicious activities. These activities range from changing a password or updating a shipping address to processing unauthorized online payments or money transfers.
Fraudulent account takeover activities result in increased chargebacks and customer disputes, loss of customer trust, and damaged brand image. Often, an e-commerce company is just as unaware of the fraud being committed as the unsuspecting owner of the account, making the scam extremely hard to detect and the resulting chargeback costs hard to prevent.
Friendly Fraud might sound harmless, but the truth is, it is as damaging as all other types of payment card fraud.
The main difference between friendly fraud and other types of fraud is the identity of the perpetrator. Commonly, the fraudster uses a stolen identity in order to profit from the committed fraud. However, friendly fraud is conducted by the actual cardholder, a person originally authorized to use the payment card. There are a few common types of friendly fraud nowadays, and we are going to describe each of them using a simple scenario.
This type of fraud involves an online purchase scenario made by a family member without the authorization of the rightful cardholder. Another possible scenario is that the cardholder genuinely does not remember purchasing certain goods and opens a customer dispute demanding a refund.
In this scenario, the cardholder initiates a customer dispute and demands a full refund, either over a store policy (e.g., the merchant offers credits for future purchases instead of refunds) or because they simply regret their purchase.
The goal of Malicious Friendly Fraud is to gain an item without paying for it. This is often done by opening a customer dispute, claiming that the ordered product was never delivered to the cardholder's address, and demanding a full refund.
Loyalty program fraud, or reward points fraud, refers to exploiting a loyalty program for personal gain. Since loyalty fraud is often a part of ATO fraud, involving a perpetrator logging into a cardholder's account by using legitimate credentials, it is extremely hard to detect and prevent. But this is not the only way to game the system. Loyalty fraud comes in different shapes and forms, and to explain them, we need to take a look at the main actors when talking about reward points fraud.
In this scenario, the fraudster is an outsider who has nothing to do with the organization that offers the loyalty program. Hackers exploit loyalty program systems by finding their weak spots or simply taking advantage of weak customer passwords. That way, the fraudsters are able to access the account containing reward points and use them for their own benefit (e.g., claim free products, get discount codes, resell the points on the "hacker bazaar").
Oftentimes the fraudster is the employee of a business offering a loyalty program. A common scenario would be a situation in which a customer does not use their loyalty card (they did not sign up for the loyalty program, or they simply forgot the card), and a staff member credits the purchase to their own account for personal gain.
Customers who signed up for a loyalty program tend to "game the system" in various ways. One way to claim rewards is by buying an expensive item that generates a lot of points, only to cancel the purchase after the prize is redeemed. Furthermore, customers are no strangers to selling their points since most loyalty programs allow gifting points to other customers. This opens an opportunity for a customer to sell their points, which is usually strictly prohibited.
All of the previously mentioned types of payment card fraud have one thing in common: they result in chargebacks. A chargeback is the amount returned to the cardholder after they successfully file a customer dispute regarding a product or a service. Chargeback costs should not be taken lightly since the merchant (or issuing bank) is obliged to refund the amount for falsely purchased goods to the account owner without ever receiving back the product. Another threat lies in the fact that if the chargeback rate is higher than acceptable, processing companies might raise the fees for each transaction. These costs can have detrimental effects on one's business, especially if we consider SMEs and start-ups.
We can't wipe out fraud from the equation, but what we can do is heighten the security measures and protect merchants and issuing banks from chargebacks. The new generation of 3D Secure enables ultimate security accompanied by a smooth user experience, resulting in consumer confidence in online payments and reduced chargeback rates. By implementing Strong Customer Authentication required by PSD2, online payments are enriched with another layer of security while ensuring a seamless customer experience during the processing of online payments.
3D Secure can successfully fight common CNP, ATO, and friendly fraud. However, since 3D Secure can be implemented in non-payment environments and transactions, it can also prevent loyalty fraud by protecting loyalty cards and cardholder authenticity.