Retail e-commerce sales reached approximately US$ 5 trillion worldwide in 2021, and this figure is expected to increase in the coming years and reach US$ 8.1 trillion by 2026. With the growth of e-commerce, Card-Not-Present (CNP) fraud is also growing. Every $1 of CNP fraud costs US merchants $3.50. CNP fraud is also rising rapidly due to the lack of preventive measures to help combat digital financial fraud. CNP fraud is estimated to cost retailers $130 billion by 2023.
What Are Card-Not-Present (CNP) Scams?
Card-Not-Present (CNP) fraud is a type of fraud that occurs when the seller receives customer information remotely rather than in person.
A transaction in which the card is not present occurs in these common situations:
- When submitting card details via an online payment page,
- When you fill out the payment form and send the form via e-mail/mail,
- When you give card information over the phone.
CNP fraud occurs after the payment card itself or the information on it (name, address, account number, security code, expiration date) has been stolen. Card information can be stolen through various types of fraud.
The 3 Most Common Methods for Card-Not-Present
Card-not-present fraud can be performed over and over without the victim knowing what is happening. Because the card is still physically with the victims, they have no reason to suspect that their information is being used.
The three most common and basic ways for fraudsters to obtain card information to commit this type of fraud are:
- Hacking: Hacking identifies weaknesses in a computer system and exploits them to access personal or corporate information. Information stolen by hackers can be used for cybercrime.
- Skimming: Skimming is a fraudulent card-copying process. The information is stolen and collected directly from a physical card. Skimming devices can be installed in ATMs or petrol pumps and are challenging to detect. According to a report by UK Finance, 52,782 cases of fraud were seen in UK credit and debit cards in 2020.
- Phishing: Using misleading e-mails, messages, advertisements, or sites similar to the sites the victim uses, scammers steal personal information or interfere with online accounts by pretending to be authorized by a credit card company or bank. In 2020, 25,000 websites posing as a bank were taken down, which is almost four times more than in 2019.
How to Detect and Prevent Card-Not-Present Fraud?
Risk-reducing measures should be taken for detection and prevention. A good starting point is understanding the schemes and attempts of bad actors.
- The address provided by the customers must be verified when making the purchase.
- The billing address on file must match the address provided by the credit card company.
- The validity of the CVV should be checked.
Know Your Customer (KYC)
Financial institutions should know who they are working with to be able to conduct risk assessments and prevent money laundering. Just as financial institutions use KYC to reduce financial crime, the e-commerce industry must adopt KYC requirements to assess risks. When opening an online account, it is very important to carry out the identity verification process for each new customer. There are strict rules for authentication. KYC is important for determining whether an identity is synthetic.
Identity checks include:
- Searching for the e-mail address.
- Calling the phone number.
- Verifying the person on social media.
- Checking various identity data points, including IP address and mobile phone number.
- With video KYC, performing biometric face verification and real-time document verification.
Transaction monitoring means the evaluation of past and current customer information and interactions, as well as the monitoring of customer transactions. Understanding customers' transactions and interactions can help organizations detect fraud. While small businesses may be able to monitor all transactions, large companies need a transaction monitoring program.
Monitoring should identify:
- New customer
- Unusual transaction
- Inconsistent information in the transaction
- Multiple transactions
- The transaction amount is much higher than normal
- Different shipping address
- Transaction from different IP addresses
Payment Card Industry (PCI) Data Security Standards
Encrypted and protected data is less likely to be intercepted by fraudsters.
According to the Payment Card Industry (PCI), an organization should carry out several steps:
- It must establish and maintain a secure network to protect payment card information.
- It should protect cardholder data.
- It must maintain a vulnerability management program.
- It should monitor and test networks regularly.
- It should implement strong access control measures.
- Information security policy should be maintained.
Paying Attention to 'Test' Procedures
Paying attention to small transactions will help prevent large fraudulent payments from affecting the business later. Scammers often test the card information they have stolen by making small transactions. If these small purchases are successful, they will move on to larger ones. The sooner this card testing practice of fraudsters is detected, the faster they can be prevented from using stolen card details to complete subsequent purchases.
Identifying Unusual Behavior
Scammers often behave differently than legitimate customers to avoid detection and increase their earnings. Scammers work fast and use multiple stolen card details in succession to maximize their earnings. Too many login attempts, multiple customers over a single IP address, high refund requests, and many password resets are indicators of potential fraud.
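One way to turn the card-testing and single-IP signals described above into a check, as an added example that is not part of the original article. The field names (ts, ip, card, amount, approved), the thresholds and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict

# Thresholds are assumptions for illustration; tune them against real traffic.
SMALL_AMOUNT = 5.00      # at or below this, a charge looks like a "test"
WINDOW_SECONDS = 600     # sliding window per source IP
MIN_DISTINCT_CARDS = 3   # distinct cards from one IP inside the window
ESCALATION_FACTOR = 20   # later charge this many times larger than the test

def find_card_testing(transactions):
    """Return (ips, cards): IPs cycling through cards with small charges,
    and cards where a small approved charge is followed by a much larger one."""
    by_ip = defaultdict(list)
    by_card = defaultdict(list)
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        by_card[tx["card"]].append(tx)
        if tx["amount"] <= SMALL_AMOUNT:
            by_ip[tx["ip"]].append(tx)

    flagged_ips = set()
    for ip, txs in by_ip.items():
        start = 0
        for end in range(len(txs)):
            # Shrink the window until it spans at most WINDOW_SECONDS.
            while txs[end]["ts"] - txs[start]["ts"] > WINDOW_SECONDS:
                start += 1
            cards = {t["card"] for t in txs[start:end + 1]}
            if len(cards) >= MIN_DISTINCT_CARDS:
                flagged_ips.add(ip)
                break

    flagged_cards = set()
    for card, txs in by_card.items():
        tests = [t for t in txs if t["amount"] <= SMALL_AMOUNT and t["approved"]]
        if tests and any(t["ts"] > tests[0]["ts"]
                         and t["amount"] >= tests[0]["amount"] * ESCALATION_FACTOR
                         for t in txs):
            flagged_cards.add(card)
    return flagged_ips, flagged_cards

# Constructed sample data: card tokens, documentation-range IPs, epoch seconds.
SAMPLE = [
    {"ts": 1000, "ip": "203.0.113.7", "card": "tok_a", "amount": 1.00, "approved": False},
    {"ts": 1030, "ip": "203.0.113.7", "card": "tok_b", "amount": 1.00, "approved": True},
    {"ts": 1065, "ip": "203.0.113.7", "card": "tok_c", "amount": 1.50, "approved": False},
    {"ts": 1400, "ip": "203.0.113.7", "card": "tok_b", "amount": 899.00, "approved": True},
    {"ts": 2000, "ip": "198.51.100.4", "card": "tok_d", "amount": 3.20, "approved": True},
    {"ts": 90000, "ip": "198.51.100.4", "card": "tok_d", "amount": 42.00, "approved": True},
]
```

A flagged IP or card is a signal for review or step-up verification, not proof of fraud; the second customer in the sample makes a small purchase and a later ordinary one without being flagged.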
Collecting Customer Information to Detect Unusual Transactions
Having more information about the customer will help in detecting a fraudulent transaction. Because of this, more information can be requested to verify transaction details when identifying suspicious transactions. The following information may be collected about the customer: e-mail, billing address, phone number, the devices they use, and IP addresses.
3D Secure for Card Payments
3D Secure is a system developed to ensure card security in payments made by card over the internet. When making the payment, the 3D Secure screen opens, and a confirmation code is sent to the phone number registered with the bank for the card. The payment will not occur unless the code is entered on the 3D Secure transaction screen and approved.
With our AML Screening and Monitoring tool, companies can efficiently perform Customer Due Diligence and Enhanced Due Diligence KYC procedures in line with all obligations. Sanction Scanner also provides solid API support for all operations. With Sanction Scanner, scans can be done in seconds via the web, API, or batch search.