Fraud is a constant factor that we are all aware of. We must keep up to date with new fraudulent behaviour and how best to combat it.
We asked Steven Jones, Commercial Director of Gala Technology, to give us his insight into the world of fraud: from how card payments have changed over the years to how Gala Technology's SOTpay solution for CNP is there to help merchants in their fight against fraud.
Merchants have always faced challenges with criminals, whether it was with shoplifters or dishonest employees. In more recent times the sophisticated and organised threat of faceless cyber criminals has continued to rise, coupled with the increasing threat of fraud of both true and 'friendly' natures.
Prevented fraud totalled £1.38 billion in 2016. This represents incidents that were detected and blocked by the banks and card companies and is equivalent to £6.40 in every £10 of attempted fraud being stopped. Sounds like a great result.
However, on the news that financial fraud losses across UK payment cards, remote banking and cheques totalled £768.8 million in 2016, an increase of 2 per cent compared to 2015, it doesn't read quite as well, especially for those merchants who have experienced the pain.
When EMV® Chip and PIN was initially rolled out in the United Kingdom in October 2003, it pioneered the fightback against fraud on lost, stolen or counterfeit payment cards.
EMV® is the global standard for credit and debit payment cards based on chip card technology, taking its name from Europay, MasterCard, and Visa, the original card schemes that developed it.
With magnetic stripe technology open to abuse from fraudsters, who both ‘cloned’ counterfeit cards and used lost or stolen cards in shops, fraud levels continued to rise and in 2004, card fraud rose by 20%, costing banks and retailers more than half a billion pounds.
Widely regarded as the biggest change in the way we conduct payments since decimalisation in 1971, and replacing the 18th Century system of putting a signature on a piece of paper to validate a payment, Chip and PIN became an essential payment method. Its adoption to provide consumers with a consistent global payment experience was aided by the use of verification with a PIN, already commonly used to withdraw cash from ATMs.
In 2005, the Association of Payment Clearing Services (Apacs) announced the immediate success of Chip and PIN as fraud losses fell by £65m, with the use of cloned or skimmed cards down 25% and the use of those lost by, or stolen from, their rightful owner down 22%.
In February 2006, the magnetic swipe and sign option for merchants was withdrawn and replaced by verification by EMV® Chip and PIN technology.
Whilst the success of EMV® Chip and PIN was being celebrated in the fight against 'card present' criminals, fraud levels where the card was not present (CNP), such as telephone, internet or mail order purchases, continued to rise and were up by 21% in 2005 to £151m.
A year after the migration to EMV® Chip and PIN, CNP fraud had nearly doubled to £290m and this worrying trend has continued for over a decade, with the latest results in 2016, published by the UK Card Association, calculating CNP losses at £432.3m.
It appears that the criminals may have simply moved from the risky use of counterfeit cards within a physical environment to the faceless card not present channels.
To counter the danger of CNP fraud, 3D Secure authentication (3DS) is encouraged to provide security for both retailers and customers who are shopping online.
3D Secure authentication is a system backed by major card providers, originally launched by Visa in 2001 as Verified-by-Visa. Mastercard has also adopted its own version (Mastercard Secure Code), and American Express launched American Express SafeKey in 2010.
By using 3DS, an interaction between the retailer, the retailer's bank and the customer takes place to 'verify' the identity of the cardholder, usually by password or authentication code.
This verification process means that the fraudster's chances of a successful transaction are reduced, as they would require the individual password of the compromised card in addition to the standard long card number (primary account number (PAN)), expiry date and 3-digit security code (CVV2 or CVC), thus providing genuine customers with an extra level of security when making purchases.
From a retailer's point of view, having 3DS activated should reduce the number of fraudulent transactions that are conducted. Once a transaction has passed through the 3D Secure authorisation process, the liability for the purchase is transferred from the retailer to the card issuer.
This means that if the customer claims they didn’t authorise the transaction, or the payment was indeed fraudulent, the card issuer is responsible for refunding their money.
Merchants are therefore protected against unauthorised transaction chargebacks, and won’t lose out if there are any fraudulent issues regarding a payment. Beyond the financial benefit, it also means retailers have fewer potential disputes to settle with customers – saving time and money.
Whilst there continues to be a debate among retailers as to whether customers will abandon baskets when faced with additional authentication, recent reports from Juniper Research suggest that $71 billion will be lost by retailers globally to CNP fraud in the next five years.
With CNP fraud in the UK rising by 49% in the last decade, coupled with other evidence which suggests that 58% of consumers would be receptive to ‘whatever security measures are necessary’ to eradicate fraud, surely there must be a time when the industry needs to insist on two-step authentication?
So, whilst physical businesses are protected by EMV® Chip and PIN and e-commerce can be protected by 3D Secure authentication, what measures have been introduced to secure other CNP channels, such as telephone or mail order (MOTO) transactions?
There appears to be a myth that MOTO transactions are not an integral part of how we still pay for products and services in the UK. However, with the UK Card Association revealing that 557 million MOTO transactions took place in the UK in 2015, equating to nearly 9% of the total spent on debit and credit cards, can a business really afford not to take secure MOTO payments?
A common frustration for merchants is that an authorisation from their payment service provider does not guarantee against chargebacks, as there is no physical way of checking the card or the identity of the cardholder via the CNP MOTO channel and therefore the risk of fraud is greater.
The merchant is responsible for ensuring that CNP transactions are not fraudulent. If a transaction is fraudulent, they will be liable for the loss.
The current 'secure' method for processing CNP MOTO transactions is via a virtual terminal or Chip and PIN machine, where the PAN, expiry date and CVV2 or CVC are entered by the telephone agent, who in the majority of cases (72% of contact centres) collects the information by asking the cardholder to read aloud their sensitive card information. This raises questions as to whether it is actually secure at all, as there is little in place to stop a rogue employee from writing down the supplied information and using it fraudulently in the future.
To prevent this human interaction with the confidential data, the Payment Card Industry Security Standards Council (PCI SSC) has suggested that merchants should look to limit the amount of sensitive data entering or being stored in their environment. As a result, solutions such as interactive voice recognition (IVR) and dual-tone multi-frequency (DTMF) have entered the marketplace. However, with costly integration hardware and time-consuming installation amendments required to the existing telephony set-up, they have not been adopted by the masses, with many merchants simply priced out of the option, despite having the same Payment Card Industry Data Security Standard (PCI DSS) requirements as larger organisations.
The PCI DSS is a set of requirements for protecting payment account data. These standards were developed by the PCI Security Standards Council, an organisation founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa International, to facilitate industry-wide adoption of consistent data security measures on a global basis.
PCI DSS compliance is a contractual obligation, generally between a merchant and their acquiring bank. It applies to ALL entities that store, process and/or transmit payment card data, irrespective of the quantity of payments processed. PCI DSS also applies to third-party service providers who support entities that may have outsourced the payment handling process. Outsourcing does not release an entity from its obligation to be certified as compliant. The requirements apply to all acceptance channels including retail (brick-and-mortar), MOTO and e-commerce.
Whilst both IVR and DTMF support PCI DSS compliance by removing the data from the environment, what is to stop a fraudster dictating the card information, or typing it into a telephone keypad, and completing the transaction? Without the equivalent fraud protection of two-step authentication down the CNP MOTO channel, the merchant is still exposed and liable for chargebacks.
This is why Gala Technology have developed their secure and compliant omni-channel solution, SOTpay, which was recently presented to members of the BVSF at their AGM, arming merchants with a tool to negate fraud-related chargebacks, reduce processing costs and simplify compliance.
SOTpay even enables the merchant to deliver to an alternate delivery address, increasing customer satisfaction and enabling the business to accept more transactions.
If you would like to find out how Gala Technology can help your business, visit www.sotpay.co.