Digital Payments: Where Are You Most Vulnerable?

The EC’s Digital Single Market strategy is a great opportunity for digital retailers, effectively creating a streamlined digital economy where currently 28 national markets exist.

As a result, this policy should not only make cross-border trade easier but also increase online sales by promoting eCommerce across the EU.

However, it also creates opportunities for criminals. With other forms of card fraud being tackled effectively (Card Present Fraud and EMV), a buoyant eCommerce market may provide exactly the right opportunities for criminals.

Online Payment Fraud Figures

In the UK, card fraud losses rose by £29 million in 2014, consistent with the average 6% seen across the 19 European countries featured in data from Euromonitor International. Whilst domestic losses remained flat, this increase can be directly attributed to cross-border and Card Not Present (CNP) fraud. The UK is the largest source of CNP losses in Europe, according to Visa, accounting for 36.5% of the total fraud.

A similar picture can be seen in the rest of Europe. In Germany 80% of credit card fraud is the result of cross-border fraud, and 70% of card fraud is CNP.

Elsewhere in Europe the fraud landscape varies according to whether EMV has been fully adopted (which drives criminals to find other methods of card fraud) and how developed the eCommerce market is in each country.

It is expected that there will continue to be an increase in CNP fraud as the US has only just adopted EMV (October 2015). Historically, when one payment fraud opportunity closes, criminals target another weakness in the system. The US accounted for 51% of global payment card fraud costs in 2013, according to BI Intelligence estimates. Until now this payment card fraud has focused on offline activity; with EMV in place, we could see a significant move to online card fraud.

As well as CNP and cross-border fraud, criminals are also targeting alternative payments and chargebacks, as a means of defrauding merchants and their customers.

For those online retailers who sell digital products, rather than products that require conventional shipping, this is particularly problematic as some credit card companies, and service providers such as PayPal, refuse to provide any kind of Seller Protection.

Here are four key payment card fraud vulnerabilities for the digital retailer.

1. Card Not Present (CNP)

Online CNP fraud takes place when criminals have access to credit or debit card details: a stolen card, or card data obtained criminally through a data breach or procurement of stolen information.

The criminal uses this stolen data to make online purchases and, if insufficient checks are in place, fraudulently acquires goods. CNP transactions can include eCommerce and mobile payment transactions, online bill pay, over-the-phone transactions and ‘card on file payments’ such as for subscriptions.

Many consumers are vulnerable to CNP fraud because they do not take sufficient measures to protect their card data, devices and their online security.

Unfortunately, even if the customer is at fault, it is the merchant who suffers when the customer discovers a fraudulent transaction, as they can expect a costly chargeback.

2. Cross-Border Card Fraud

With the boom in eCommerce and predicted continued growth in this sector, many merchants are taking advantage of cross-border trade. However, with this comes a need to protect your business from cross-border fraud, requiring an understanding of the data security and consumer protection legislation in each country and its impact on how fraud prevention measures can be implemented.

Card authentication methods vary from one country to another, so merchants may find legitimate transactions are turned down because the cardholder’s country does not support their method of verification. Alternatively, merchants put insufficient card verification checks in place to enable cross-border trade, opening themselves up to fraudulent transactions.

Another clear challenge to eradicating cross-border card fraud is that for criminals it is often less risky to operate cross-border than in their domestic market. Effective cooperation is needed between card fraud agencies in different countries, to ensure that there is a sufficient deterrent to cross-border card fraud.

3. Alternative Payment Methods

Alternative Payment Methods (APMs) incorporate a range of schemes including bank transfers, direct debits, eWallets, vouchers, prepaid cards and mobile-based schemes. Globally there are an estimated 230+ types of APM, with popular schemes including AstroPay, ELV, GE Money, iDEAL, Ikano, PayPal, SmartCheque and SOFORT Banking.

Without a doubt accepting APMs is an effective way of providing customers with their preferred payment methods. Of course it also has an element of risk and although APM fraud has been relatively low, there are pitfalls that merchants should be aware of.

First is the risk that the APM is compromised: a criminal gains access to an account and makes purchases using the payment card associated with that account. Some APMs do not require any further card verification once the user is logged in.

Direct debits set up through APMs are another potential area for fraud. In some countries direct debits are more commonly used than payment cards, even for one-off payments. This presents an opportunity to a fraudster who may take advantage of lax set-up arrangements and the onus on the account holder to monitor their bank account.

There is also the issue of the time it takes for a transaction to be complete and payment received from the APM. This is of particular relevance to merchants selling digital products where non-settlement is a possibility if funds are not available. In some cases a customer might revoke or cancel a transaction with their bank, following authorisation from the APM. The merchant may have already dispatched digital goods before receiving payment from the APM.

4. Chargebacks

Chargeback Fraud, also known as ‘Friendly-Fraud’, has seen growth of 41% in Europe. The sale of digital goods online presents the perfect conditions for this type of fraud.

We have already highlighted incidences where a merchant is subject to a chargeback because a customer’s card details have been used fraudulently: in this case the merchant loses their goods, the cost of those goods and fees, whereas the customer is reimbursed in the form of a chargeback.

However, merchants can also be victim to fraud when a customer requests a chargeback fraudulently: having received the goods, but citing ‘non-delivery’ or that they ‘never placed the order’ as the reason for this chargeback.

Often merchants will be unaware of the request for a chargeback until they receive a ‘forced refund’ from their bank, as customers can instigate a chargeback through their card provider without contacting the merchant first.

58% of cardholders do not contact the merchant and 86% of chargeback claims are fraudulently placed.

Merchant Risk Council

Chargebacks may also incur a fee, depending on your merchant bank. Additionally they can have an adverse impact on your business, potentially withdrawing your ability to take a particular type of credit card, or even closing your merchant bank account. Of course, if you do not respond to a chargeback request you will also face significant fines.

For merchants selling physical, tangible goods there are processes they can put in place to help mitigate this type of fraud, such as keeping delivery receipts and ensuring that goods are signed for. But for merchants selling digital goods such as e-tickets, subscriptions, downloads, and software it becomes more difficult to prove that goods have been delivered.

Some retailers of digital goods may also find that they are further out of pocket because their goods are then sold on secondary markets, impacting on future sales and their reputation.

How To Protect Your Business From Payment Fraud

Fortunately there are many options for the online merchant to reduce the risk of card payment fraud. However, blanket fraud strategies across diverse sales channels will not optimise conversions. Cross-border transactions require different strategies to those made in the domestic market, and mobile transactions will need a tailored solution compared to transactions from a desktop computer.

First and foremost is to ensure that all processes used are as secure as possible, ensuring that you, the merchant, do all you can to reduce opportunities for data breaches and cyber attacks.

PCI Compliance is an important element of this. If your business accepts debit or credit card payments you must comply with the Payment Card Industry Data Security Standard (PCI DSS) to keep your customers’ data safe.

Here are 4 fraud protection measures we would recommend online retailers use:

1. Tokenisation is an excellent tool for protecting sensitive information, reducing damage caused by data breaches and deterring hackers. It can also be beneficial for customer loyalty (it is the technology behind ‘one-click’) and for building trust and a reputation for putting consumer data privacy first.

The process of tokenisation creates a token that is used in place of the payment card details. The token has no value to a criminal as it contains no actual card data. Tokenisation moves sensitive data out of your business and into your payment service provider’s PCI compliant hosting environment.
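The split described above can be sketched in a few lines. This is an added example, not code from any payment provider: `ProviderVault`, `MerchantStore` and the `tok_` prefix are hypothetical names, and the card number is the widely used test value, not a real card.

```python
import secrets

class ProviderVault:
    """Stands in for the payment service provider's PCI-compliant environment."""
    def __init__(self):
        self._pans = {}  # token -> card number; held only by the provider

    def tokenise(self, pan):
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 12 <= len(digits) <= 19:
            raise ValueError("not a card number")
        # The token is random, so it cannot be reversed into the card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pans[token] = digits
        return token, digits[-4:]

    def charge(self, token, amount_pence):
        # A real provider would submit self._pans[token] to the card network here.
        return token in self._pans and amount_pence > 0

class MerchantStore:
    """What the merchant keeps: a token and the last four digits for display."""
    def __init__(self, vault):
        self._vault = vault
        self.customers = {}  # everything a breach of the merchant would expose

    def save_card(self, customer_id, pan):
        token, last4 = self._vault.tokenise(pan)
        self.customers[customer_id] = {"token": token, "last4": last4}

    def one_click_pay(self, customer_id, amount_pence):
        # 'One-click': the stored token is reused, the card number is never re-entered.
        return self._vault.charge(self.customers[customer_id]["token"], amount_pence)

def breach_exposes_pan(store, pan):
    """True if the full card number appears anywhere in the merchant's records."""
    digits = pan.replace(" ", "")
    return any(digits in str(v) for rec in store.customers.values() for v in rec.values())

TEST_PAN = "4111 1111 1111 1111"  # constructed sample input (standard test number)

if __name__ == "__main__":
    store = MerchantStore(ProviderVault())
    store.save_card("cust-1", TEST_PAN)
    print(store.customers["cust-1"]["last4"], breach_exposes_pan(store, TEST_PAN))
    print(store.one_click_pay("cust-1", 1999))
```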

2. 3D Secure can significantly reduce Card Not Present (CNP) fraud. This is the online equivalent of chip and PIN and requires the customer to provide an additional password or security code to process the payment.

3D Secure also offers merchants protection against chargebacks. In cases where fraud is kept to an acceptable level, successful 3D Secure transactions cannot be charged back to the merchant.

3. Customer profiling allows merchants to set rules that determine whether a transaction should proceed, be flagged as suspicious, or blocked entirely. These rules may include a requirement that the country where the payment card was issued matches the IP address where the purchase is being made, or you may decide to block a country completely if you experience repeated fraudulent transactions from that region.

Profiling is not just about identifying suspicious transactions; it is also about recognising good customers and ensuring a smooth payment journey for them. Wrongly profiling genuine customers is one reason for abandoned shopping baskets, one that can be avoided with the right profiling tools and rules.
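The two rules mentioned above (a country block list and an issuing-country versus IP-country match) can be expressed as follows. This is an added example, not a vendor's rule engine: the `Transaction` fields and decision names are assumptions, and a missing geolocation result is sent to review rather than declined so that genuine customers are not turned away.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, REVIEW, BLOCK = "allow", "review", "block"

@dataclass(frozen=True)
class Transaction:
    order_id: str
    card_country: Optional[str]  # country where the card was issued (ISO alpha-2)
    ip_country: Optional[str]    # country a geolocation lookup gave for the buyer's IP

def normalise(code):
    """Upper-case and trim a country code; empty or missing becomes None."""
    return code.strip().upper() if code and code.strip() else None

def profile(tx, blocked_countries):
    """Return (decision, reason) for one transaction."""
    card, ip = normalise(tx.card_country), normalise(tx.ip_country)
    blocked = {normalise(c) for c in blocked_countries} - {None}
    # Rule 1: countries the merchant has decided to block completely.
    if card in blocked or ip in blocked:
        return BLOCK, "country is on the merchant's block list"
    # Missing data is not proof of fraud: queue for review instead of declining.
    if card is None or ip is None:
        return REVIEW, "country data missing"
    # Rule 2: the issuing country must match the country of the purchasing IP.
    if card != ip:
        return REVIEW, "card country does not match IP country"
    return ALLOW, "card country matches IP country"

def decide_all(transactions, blocked_countries):
    """Map order_id -> decision for a batch of transactions."""
    return {tx.order_id: profile(tx, blocked_countries)[0] for tx in transactions}

# Constructed sample data; "ZZ" is a placeholder code, not a real country.
SAMPLE = [
    Transaction("A1", "GB", "GB"),
    Transaction("A2", "GB", "de"),
    Transaction("A3", "DE", None),
    Transaction("A4", "ZZ", "ZZ"),
    Transaction("A5", "GB", " zz "),
]

if __name__ == "__main__":
    for tx in SAMPLE:
        print(tx.order_id, *profile(tx, {"ZZ"}))
```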

4. Real-Time Monitoring Of Fraud can be tailored to a merchant’s specific requirements. This is particularly valuable if you operate in a high risk sector, or your customers typically display unusual buying patterns that sit outside standardised counter-fraud processes.

This fraud prevention solution sets fraud detection rules based on the merchant’s business strategy, and uses pattern detection engines, real-time location analysis, historic and chargeback data, and database and negative files to detect fraudulent transactions.

As you can see, there are many ways to tackle online payment fraud without deterring genuine customers. Used sensitively these can both protect your business and improve the customer payment journey, building loyalty and reducing basket dropouts.
