What you can do to stop CNP fraud

As EMV chip cards decimate fraud at physical points of sale, criminals have online retail in their sights. What can community banks do to help their merchants and cardholders beat back the growing threat of card-not-present fraud?

By Karen Epper Hoffman

It’s a truism of criminal activity of all kinds: If you put stronger locks on the door, thieves will just start coming in through the window instead.

So it is with card fraud. U.S. banks have moved the majority of their credit and debit cards from magnetic stripe to the more secure EMV (Europay-Mastercard-Visa) chip over the past five years. Nine out of 10 cards are predicted to have chips by 2020, according to the Federal Reserve System.

This has cut fraud at brick-and-mortar stores’ points-of-sale (POS): Visa reports that in the U.S., counterfeit card fraud has decreased a whopping 70 percent in September 2017 compared to December 2015 at physical retailers that accept chip cards.

But rather than give up, criminals have done what they always do. They’ve moved on to easier targets. In particular, card-not-present (CNP) transactions, where chips have little impact on security.

Quick stat:

3 in 4
Banks that experienced fraud losses in 2016

According to the 2017 Financial Institution Payments Fraud Mitigation Survey from the Federal Reserve Bank of Minneapolis, released earlier this year, three out of four banks experienced fraud losses in 2016. Almost all debit card issuers (96 percent) faced card fraud losses. And 63 percent of banks reported increased fraud loss for debit cards in 2016 compared to 2015.

Why all the card fraud despite the fast-growing acceptance of chip cards? And what can community banks do about it?

Canaries in the coal mine
This pattern has been seen before. After the United Kingdom introduced EMV chip cards in 2001, card-present fraud dropped by roughly 27 percent between 2007 and 2012, according to a white paper, The U.S. EMV Chip Card Migration: Considerations for Card Issuers, written by Mary J. Hughes, senior payments consultant at the Federal Reserve Bank of Minneapolis.

Many community banks are seeing this pattern. At $480 million-asset Athens Federal Community Bank in Athens, Tenn., the migration to EMV chip cards has substantially reduced card-present fraud at merchants who have adopted EMV readers, according to Nicole Gibbs, the bank’s vice president and chief banking officer. “However, we continue to see fraud at automated fuel dispensers where reader compliance is not yet required, and on fallback transactions,” she says.

In Athens Federal’s experience, online fraud has increased, “but not significantly nor more than expected at this point,” Gibbs adds. In her estimation, more fraud occurs in CNP transactions for a few reasons, “not solely due to the EMV card transition,” she says. “First, online fraud is increasing because online transaction volumes continue to rise. When this volume growth is coupled with the EMV card change throughout the United States, card-not-present fraud inherently increases.”

Florida Community Bank in Naples, Fla., started migrating its 30,000 cardholders to chip cards four years ago and saw a subsequent drop in in-person fraud. The chips have had no effect on CNP transactions. Roxanne Mihm, vice president and cross-sell manager, points out, however, that card fraud has typically always been more prevalent in CNP transactions, chip or no chip.

Lynn Acheson, vice president of operations for $214 million-asset Grand Rapids State Bank in Grand Rapids, Minn., has had a similar experience. She says that at her community bank, point-of-sale fraud has decreased significantly compared with the same time period a year ago. “We have not seen an increase in card-not-present fraud at our bank as of yet,” Acheson adds. “However, recent publications we have read, as well as training webinars we have attended, all report an increase in CNP trends. I am sure it will be just a matter of time before this type of fraud escalates.”

How banks can manage CNP fraud
While community banks cannot prevent the increase of fraud in CNP transactions, they can help their merchant-business and consumer-cardholder customers thwart these attacks.

Athens Federal Community Bank works with its core processor “to be aggressive in establishing rules that trigger notifications and blocks of suspicious card activity,” says Kenny R. Charles, the bank’s vice president for information technology. “This approach has proven effective from a bank standpoint. More importantly, one layer of security generates customer notifications when questionable or irregular transactions occur, which has been a helpful measure for customer peace of mind.”

The bank also employs functionality that allows customers to turn their cards on and off easily and in real time, which creates an additional deterrent to potential fraud, Charles adds.

“One layer of security generates customer notifications when questionable or irregular transactions occur, which has been a helpful
measure for customer peace of mind.”
—Kenny R. Charles, Athens Federal Community Bank

Mihm says she is “just starting to see” online merchants requesting and employing technologies to mitigate CNP fraud in the past year, including new forms of customer authentication. “They’re starting to ask, ‘What can I do to protect myself?’” she says. “It is very hard to stay out in front of the fraudsters. And some consumers view that extra layer of protection as an inconvenience.”

Tim Sherwin, co-founder and CEO of consumer authentication specialist CardinalCommerce, says fraud is growing at a faster rate than digital sales in the U.S.: 26 percent versus 20 percent. “Issuers and merchants are declining legitimate buyers when they think transactions are risky,” Sherwin says. “Using more data allows for more intelligent risk decisioning and a better consumer experience. The result? More sales, less fraud and happy consumers.”

Security minded
Grand Rapids State Bank is one community bank in the process of implementing ICBA Bancard’s CardinalCommerce Visa Consumer Authentication Service (VCAS). Announced in September 2017, the ICBA Bancard/CardinalCommerce partnership allows community banks to add 3-D Secure (3DS) authentication protocol without negatively affecting their service levels. Merchants can use the tool’s real-time, secure information-sharing pipeline to send transaction attributes to the issuer, such as the IP address or shipping address used during the purchase, to verify the transaction.

Sherwin says that even with this additional layer of security, the customer experience is seamless. He says 3DS 2.0 eliminates the initial sign-up process and removes the need for cardholders to use static passwords—all things that could slow down the purchase speed and increase the chances of cart abandonment.

Acheson says Grand Rapids State Bank has adopted the service to allow it to measure the fraud risk of e-commerce transactions prior to authorization and minimize its occurrence.

By 2020, Sherwin points out that there will be more than 50 billion devices connected to the internet, “all available and ready to make purchases,” he says. “Merchants and issuers alike want legitimate consumers to be able to make legitimate purchases.

“It is very hard to stayout in front of the fraudsters. And some consumers view that extra layer of protection as an inconvenience.”
—Roxanne Mihm,
Florida Community Bank

“When a cardholder is falsely declined, they usually take the path of least resistance and either use another card or purchase elsewhere,” Sherwin adds. Since the CardinalCommerce product works behind the scenes to evaluate each transaction based on an exchange of data between the merchant, issuer and card network, “it streamlines the authentication process, making authentication fast, secure and friction-free across all devices.”

Acheson of Grand Rapids State Bank believes the next step in combating fraud will be letting consumers be their own security advocates by giving them the ability to control when and where their cards can be used. The bank introduced a mobile application to customers in 2017 that gives cardholders easy access to real-time notifications of card transactions, customized alerts, control options and the ability to turn their cards on or off at any given time. 

“With this technology, the customer is notified immediately of any transaction,” Acheson says, “eliminating the wait to receive their statement before they realize fraud has happened.”

Karen Epper Hoffman is a writer in Washington state.