Ever growing credit card and data breaches around the globe often seen in the news past years should be on top of mind of every business accepting CNP (card not present) payments. Fraud remains a growing problem and should be an essential area of focus for any ecommerce and MOTO merchant.
If fraudsters holding stolen card data place purchases on your website, you deliver the product naturally and that's when the problems start. Fraudsters will open a dispute and request a reimbursement (chargeback), which means you're left without the product and without payment. That's not all, in addition the payment provider or acquiring bank will learn about the fraud and terminate your merchant account after breaching specific (very low) thresholds. You'll be put on a blacklist, meaning no chance for applying for a new merchant facility with other banks. Your business may just get destroyed.
Billions of euros lost
In Europe, losses due to fraud reached approximately 1.8 billion EUR in year 2016. UK experienced highest losses, where in 2015 the total loss was 646 million EUR and in year 2016 that increased to 703 million. UK and France alone contribute almost 75% of all card fraud in Europe.
Based on data from Euromonitor International and UK Cards Association, the card fraud losses across 19 European countries show that CNP fraud (card not present) increased from 50% of all fraud losses in 2008, to 70% in 2016.
European Fraud Map (fico.com)
Card Fraud in UK (2017 FFA UK)
3-digit code printed on back of the card is one of the first security measures introduced with rise of fraud with online payments. Payment Card Industry (PCI) compliance standards do not allow merchants to store CVV codes, therefore in the event of card data being stolen these codes will not be obtained. The payment gateway will not accept a payment with missing CVV code, as without it there is a high potential of transaction being fraudulent.
Verified by Visa, and Mastercard SecureCode, the same thing but called differently for marketing purposes. The process is known as 3D Secure and it involves a redirect to cardholder's issuing bank website during checkout, where a special password needs to be entered. This is usually a PIN generated by card reader, or a code sent by SMS. Cardholder can never win a dispute where they claim they never authorized such transaction.
Although pretty obvious, it is still an important tool to verify the card. Typically the credit card issuers set the expiry date of up to 3 years. If the transaction request, received online or via phone order, contains invalid month and/or year, the card issuer will not approve such transaction and it will not be processed successfully by the payment gateway.
Address Verification Service is used to compare the address and postcode, entered by the shopper, with the record at card issuer's side (the address where card statements are sent). If there is no match, or only a partial match, it may indicate the shopper is not the actual cardholder. In Europe, AVS is well supported only within UK.