Securing Card-Not-Present Transactions Beyond EMV 3DS
Credit cards with EMV chip technology have been a turning point in the fight against card-present fraud. This approach has worked so well that it has pushed cybercriminals to the card-not-present (CNP) space to get their paycheck. Indeed, CNP transactions are already their big go-to target. Nilson Research projects that losses due to such credit card fraud will reach $31 billion by 2020. With more than nine billion records of personal information exposed during the hailstorm of breaches over the last few years – and counting – it is a walk in the park for cybercriminals to obtain personal information and commit card-not-present fraud.
Credit card issuers and other stakeholders are not standing still, however, while cybercriminals go on a spending spree. They have come together and finalized the EMV® 3-D Secure protocol (EMV 3DS). EMV 3DS (commonly known as 3DS 2.0) is a protocol to process CNP payments without the onerous authentication barriers of the past. The new protocol strengthens the verification process by gathering more information about each transaction and giving merchants the choice to share that additional information with the issuer, helping issuers make more accurate decisions and increase approvals.
Authenticating at the Start
EMV 3DS improvements are set to reduce fraud, but there is still work to be done in the authentication space. Intelligent, multi-layer security solutions need to be instituted upstream at the start of an online interaction so anomalous behavior can be detected, tracked, and stopped well before getting to the checkout.
Right from the login, customers can be seamlessly identified by their online behavior and not by static data like credentials, passwords or security questions. This allows companies to spot fraudulent behavior right from the beginning of the interaction. Intelligent multi-layered solutions that include passive biometrics and behavioral analytics can continuously verify the customer throughout the process and compare that behavior to the user's previous behavior across all channels to decide whether it is the legitimate user. This methodology catches the vast majority of fraudulent interactions before they get to the checkout.
These new cutting-edge technologies can also discern between script-based and human-based attacks, stopping both well before the transaction is processed. A large number of false positives, or customers who are not identified correctly and are declined, could result in a severe hit to a company's bottom line. Increasing the number of steps and the complexity required to verify customers before they can complete a transaction usually leads to cart abandonment. Risk managers play a key role in creating customized rules based on their own traffic to ensure evolving fraud is spotted in real time and, in turn, false declines and false positives are reduced to a minimum.
With passive biometrics technologies, companies repel unwanted automated activities as well as harden their security right at the new account opening, login, and account maintenance functions. This multi-placement security reduces the volume of transactions that require automated and manual review, slashing the company’s operational costs.
The Path to Prosperity
Seamless security for customers as well as multi-layer fraud solutions are paving the path to prosperity. Today, we see beefed-up security and fraud protections well before the transaction is completed. As technologies evolve and improve, there is going to be an increasing focus on good customer recognition to offer a better, easier user experience. Known customers will be automatically recognized and offered special incentives or rewards. This will allow online businesses to create and maintain customer relationships as well as solidify their brand in the marketplace.
About the Author:
Lisa Baergen is Director of Marketing at NuData Security, an award-winning, passive biometrics and behavioral analytics company. Their flagship product, NuDetect, helps organizations form digital trust by identifying users based on their online interactions – behavior that can’t be mimicked or replicated by a third party.