ECommerce has been growing by leaps and bounds, but so has the threat posed by hackers and cyberthieves.
Cardholders are concerned about the safety of their data when conducting online transactions. And card issuers face the dilemma of the damage that can be done by payment fraud, while in the meantime they are also concerned about the potential to lose revenues if transactions fall by the wayside and are not completed.
A recent white paper by CA Technologies, titled “How Do I Balance Robust Security with a Frictionless Online Shopping Experience for Cardholders,” found that card-not-present (CNP) transactions are “fraught with risk.” That risk stems from the fact that the “traditional” forms of identification (and thus security) are absent from an online transaction – tangible forms of authentication such as driver’s licenses, signatures, or other photo-based IDs.
Chip-based cards with accompanying PINs are useful, CA noted, but, as has been widely observed across the industry, adoption in some countries, such as the United States, has lagged.
The costs are substantial. As CA noted in the publication, just three years ago, in North America alone, companies reported losing as much as 0.9 percent of total revenues derived from online sales to fraudulent activity, with the end result being a whopping $3.5 billion in losses from fraud. Some industry estimates state that card fraud could as much as double by 2018, with the global tally reaching as much as $6.5 billion.
The fact that EMV technology will help make “card present” transactions more secure may have the unintended consequence of pushing cyberthieves toward hijacking CNP transactions instead. And, as mobile commerce sales have grown at a double-digit pace over the past several years, and those sales carry a relatively higher incidence of fraud, the stage is set for redoubled efforts to compromise CNP activity.
The movement toward CNP fraud comes as recent research, from ABI, shows that EMV payment card shipments topped 2 billion units last year, with more than 40 percent of those cards issued finding their way into China and the United States.
One key technology that can bridge the gap between the fraud concerns of payment card issuers and those of their customers is the protocol known as 3-D Secure, according to the CA Technologies white paper. Under that platform, cardholder identity is verified throughout the CNP transaction. That means that even before the transaction is authorized, the cardholder must satisfy one or more requirements, such as entering a password or answering a “personalized” question.
But one consequence of this multi-step authentication process through 3-D Secure is user abandonment. Having to enter and satisfy the security requirements may cause “friction” that frustrates the shopper, so the transaction falls by the wayside and ultimately means lost revenue to the card issuer. In addition, hackers can bypass the basic 3-D Secure checks through fraudulent tactics such as password cracking and phishing, which can lead to “fully-authenticated” fraud.
CA noted that while 3-D Secure provides a base layer of protection in CNP, there are other avenues of identifying legitimate cardholders that provide better levels of safety. Key among those options, according to CA, is risk analytics.
By using risk analytics, according to the white paper, transactions are segmented into low-, medium- and high-risk buckets, a process that allows the level of authentication demanded for a transaction to be tailored to its risk profile on an individual basis.
As might be expected, the higher the confidence level in the user (and the safety of the transaction), the more “easily” the transaction is allowed through. CA noted that its own risk analytics product, dubbed “CA Transaction Manager,” is in turn verified by Visa, MasterCard SecureCode and AmEx’s SafeKey. By reporting back to the issuer in real time, risk analytics lets companies respond to fraud through a “case management” system in which customer service and other departments react in real time, managing transactions and fraud alerts.
CA stated that authentication can be enhanced, for transactions deemed “moderate” risk, through the use of a mobile device. In this case, the device itself becomes a conduit for creating a PIN using a one-time password.
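The risk-bucketing and step-up flow described in the three paragraphs above (segment a CNP transaction into low, medium or high risk, then pick the authentication level, with a mobile one-time password for the moderate bucket) can be shown in working form. The following is an added example and is not code from CA Technologies or from CA Transaction Manager; the risk signals, weights, bucket thresholds and the `AUTH_POLICY` mapping are hypothetical, the sample transactions are constructed, and the OTP is a plain RFC 4226 HOTP whose standard test secret is used only for illustration.

```python
"""Risk-based step-up authentication for card-not-present (CNP) transactions.

Added illustration: the risk features, weights and bucket thresholds below are
hypothetical, not CA Transaction Manager's or any card scheme's rules. The
one-time password follows RFC 4226 (HOTP), a common basis for mobile OTP.
"""
from dataclasses import dataclass
import hashlib
import hmac
import struct


@dataclass
class Transaction:
    amount: float            # in the card's currency
    card_country: str        # issuing country of the card
    ip_country: str          # geolocated country of the shopper's IP address
    device_known: bool       # device fingerprint previously seen for this cardholder
    attempts_last_hour: int  # CNP attempts on this card in the past hour (velocity)
    merchant_risk: str       # "low" or "high", from the issuer's merchant profile


def risk_score(tx: Transaction) -> int:
    """Additive score: each signal adds points when it looks riskier (hypothetical weights)."""
    score = 0
    if tx.amount > 500:
        score += 30
    elif tx.amount > 100:
        score += 15
    if tx.card_country != tx.ip_country:
        score += 25
    if not tx.device_known:
        score += 20
    if tx.attempts_last_hour >= 3:
        score += 20
    if tx.merchant_risk == "high":
        score += 15
    return score


def risk_bucket(score: int) -> str:
    """Map the score onto the three buckets the white paper describes (hypothetical cut-offs)."""
    if score < 25:
        return "low"
    if score < 50:
        return "medium"
    return "high"


AUTH_POLICY = {
    "low": "frictionless",     # authenticate silently; no cardholder interaction
    "medium": "mobile_otp",    # step up with a one-time code on the enrolled device
    "high": "full_challenge",  # password or knowledge question plus OTP, or decline
}


def decide(tx: Transaction) -> dict:
    """Score, bucket and choose the authentication level for one transaction."""
    score = risk_score(tx)
    bucket = risk_bucket(score)
    return {"score": score, "bucket": bucket, "action": AUTH_POLICY[bucket]}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def verify_otp(secret: bytes, counter: int, submitted: str, look_ahead: int = 2):
    """Accept the code for the stored counter or a few counters ahead (the device may
    have generated codes that never reached the server). Returns the new counter to
    persist on success, or None on failure. Comparison is constant-time."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1  # move past the used counter so the same code cannot be replayed
    return None


# Constructed sample transactions, not real cardholder data.
SAMPLE_TRANSACTIONS = {
    "small_repeat_purchase": Transaction(40.0, "US", "US", True, 0, "low"),
    "new_device_mid_value": Transaction(250.0, "US", "US", False, 1, "low"),
    "cross_border_burst": Transaction(900.0, "US", "DE", False, 4, "high"),
}

if __name__ == "__main__":
    for name, tx in SAMPLE_TRANSACTIONS.items():
        print(name, decide(tx))
    secret = b"12345678901234567890"  # RFC 4226 test secret; never reuse in production
    print("OTP for counter 0:", hotp(secret, 0))
    print("verify:", verify_otp(secret, 0, "755224"))
```

The point of the `decide` function is that the cardholder only sees a challenge when the score warrants it, which is what reduces the abandonment the article attributes to blanket 3-D Secure prompts. On the OTP side, the counter is advanced on success and the comparison is constant-time, so a captured code cannot be replayed and timing does not leak which digits matched; a production issuer would also rate-limit `verify_otp` attempts per card.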