Card not present fraud can affect anyone no matter how careful they are.
Most of us happily conduct online financial transactions without thinking too hard about what lies behind them and the potential implications.
Are your card transactions really protected?
The Case Study
It’s worrying to receive a text message from your credit card provider requesting you call them urgently. Moreover, the sinking feeling becomes worse when you discover your online account is blocked.
On making the call to your card provider you discover a major online retailer declined a payment of over £500 against your credit card. You are also told a suspicious transaction for 1p from Google Services is showing against your card account.
The person on the credit card provider’s fraud desk is very helpful, double checking it was not you who attempted the purchase. They ask you to confirm you still have the card and it has not been lost or stolen.
They then explain what happens next. A new card will be issued to you, and they ask you to destroy the compromised card.
Meanwhile access to your account is restored so you can check the other transactions are legitimate.
After all this, even though the attempted fraud was unsuccessful and you have not lost any money, you still feel upset and, perhaps, even violated.
How could this happen when you are so careful using your credit card?
What is a Card Not Present Transaction?
A card not present (CNP) transaction usually involves mail and telephone orders (MOTO), and Internet purchases. It’s a transaction where the card is not present at the point of sale.
In a mail order transaction the merchant receives the customer order by post. The order will include the customer’s card details, excluding PIN, and signature. The merchant then processes those details through their card terminal.
Telephone orders are similar to mail orders but the details are passed to the merchant over the telephone. In this case the merchant will not have the customer’s signature.
The merchant can ask the customer for extra details, in particular the card verification value (CVV) number on their card (that's the 3-digit number on the reverse of the card). The theory is that knowing the CVV number means the customer must physically have the card with them. (The CVV is also known as CVC, CSC or CVV2.)
The CVV number helps guard against a fraudulent transaction. The merchant enters the customer’s details into their card terminal for processing.
In the case of an Internet transaction there are more technical controls in place. In this case the merchant has to use a payment service provider, often specified by the merchant acquirer (acquirer) and sometimes provided by them, who provides a payment gateway.
Merchant Acquirer – an entity selling acceptance services to merchants and taking on financial risk in acquiring a merchant’s payment card transactions
Payment Service Provider – offers merchants online services for accepting electronic payments by a variety of payment methods including credit card
Payment Gateway – e-commerce application service provider that authorizes credit card payments for merchants
The payment gateway securely gathers the customer’s details and passes them to the acquirer for processing.
There are stringent card scheme requirements placed on merchants for Internet transactions under the Payment Card Industry Data Security Standard (PCI DSS).
Severe financial and reputation consequences can be incurred by involved parties who fail to comply with the standard.
The merchant enrols in the service and adds enhancements to the check out stage of their website. The additional checks are applied at the time of the transaction.
CNP transactions are considered to be high risk as they are particularly attractive to fraudsters. If a CNP transaction proves to be fraudulent the retailer will be financially liable.
Therefore, making staff aware of the CNP fraud risks is essential to avoid losses.
There are some red flags with CNP transactions that retailers and their staff should be aware of:
- Has the customer asked to collect the goods?
- Has the customer requested the goods be released to a third party? For example, a taxi driver or a family member.
- Is the delivery address different to the billing address?
- Have either or both the address verification service (AVS) and CVV checks returned negative matches?
If the answer to any of these questions is “Yes” then it would be sensible to proceed with caution and conduct further security checks.
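The four questions above expressed as an order-screening check, as an added example that is not part of the original article. The field names, flag labels and sample orders are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Order:
    # Only check outcomes are held here, never the card number or CVV itself.
    billing_address: str
    delivery_address: str = ""            # empty when the goods are collected
    customer_collects: bool = False
    release_to_third_party: bool = False  # e.g. a taxi driver or family member
    avs_match: bool = True
    cvv_match: bool = True

def norm_address(addr: str) -> str:
    """Ignore case, punctuation and spacing so formatting differences do not flag."""
    return re.sub(r"[^a-z0-9]", "", addr.lower())

def red_flags(order: Order) -> list:
    """Return the red flags raised by an order, in the order the article lists them."""
    flags = []
    if order.customer_collects:
        flags.append("customer_collects")
    if order.release_to_third_party:
        flags.append("third_party_release")
    if order.delivery_address and (
        norm_address(order.delivery_address) != norm_address(order.billing_address)
    ):
        flags.append("address_mismatch")
    if not (order.avs_match and order.cvv_match):
        flags.append("avs_or_cvv_negative")
    return flags

def screen(order: Order):
    """Any single flag means: proceed with caution and run further checks."""
    flags = red_flags(order)
    return ("review" if flags else "proceed", flags)

# Constructed sample orders (not real data).
SAME = Order("12 High Street, Leeds LS1 4AB", "12 high street leeds ls14ab")
REDIRECTED = Order("12 High Street, Leeds LS1 4AB", "Flat 3, 9 Mill Lane, York", avs_match=False)
COLLECTED = Order("12 High Street, Leeds LS1 4AB", customer_collects=True)

if __name__ == "__main__":
    for o in (SAME, REDIRECTED, COLLECTED):
        print(screen(o))
```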
The retailer should establish a fraud policy which details actions that should be completed if fraud is suspected.
Staff must be trained in the policy so they know what to look out for. Holding regular training sessions will help reinforce the policy and staff awareness.
Returning to the Card Not Present Fraud Case Study
This was a real incident that happened to someone I know well. I know this person is very careful when using their credit card in all purchasing situations. For online transactions this person only uses reputable merchants and knows what security signs to look for on a retail website.
So how could this cautious, informed person fall foul of attempted CNP fraud?
It is clear the fraud prevention measures outlined in the previous paragraphs worked in this case. The fraudulent transaction was stopped and the credit card account was blocked immediately.
The card provider initiated checks with the card holder to ensure it was indeed an attempted fraudulent transaction.
The card provider did not go into details about the circumstances surrounding this incident. However, I do know a telephone transaction was conducted with a take away restaurant, from a friend’s address in another town, a few weeks before this incident occurred.
Could it be whoever took the order and card details over the telephone failed to enter them into their terminal directly?
Might they have written down the transaction details and left them lying around?
Did someone then attempt to use those details to commit the fraudulent transaction?
Assuming this is how the scenario played out then the perpetrator might have attempted to use the card and the friend’s address to make an online purchase.
They might have assumed the friend’s address was the billing address and attempted to have their purchase delivered to another address.
What they would not have known was the major online department store was the card provider and that the card was linked to a customer account. Thus there were some additional levels of security in this case.
However they intended the fraud to work, it seems to have failed during the online verification process outlined above. This appears to demonstrate that in normal circumstances the security surrounding the CNP transaction works.
So what is the implication of my theory of how this attempted fraud may have been perpetrated?
Trust and Training
Apart from the technical security measures, trust and training are key to the security of CNP transactions.
The customer trusts the retailer to handle their transaction securely. Observing and complying with the requirements of the PCI DSS enables the retailer to fulfill this expectation.
In return, the retailer trusts the customer to be honest in fulfilling their part of the transaction.
However, if that trust relationship breaks down the technical security measures should provide the safety net to protect either party.
The trust relationship will be supported by effective staff training. All staff who have any involvement in CNP transactions must receive training in how to conduct the transactions in accordance with PCI DSS and how to spot the signs of attempted fraud.
So the answers to my two questions about fraudulent CNP transactions at the start of this article:
Could it happen to you?
Are your card transactions really protected?
are a qualified “Yes”. As long as all parties to the transaction fulfill their obligations to the trust relationship then you should have reasonable protection. However, any one flaw in the security processes, technical or human, could cause fraud to happen to you.
This article has been a brief overview of some aspects of card not present fraud. For a more detailed explanation of the fraud prevention measures you could visit Financial Fraud Action UK.