Home » Understanding – And Preventing – Retail Card Not Present Fraud
The continuing rise of online shopping brings a whole new level of convenience to people’s lives, and enabling thousands of Canadians to run a retail business from the comfort of their own home. But it has its downsides. One of those is the fact that credit card fraud is a multi-billion dollar problem and can be incredibly hard for online retail businesses, especially smaller ones, to detect in real-time.
Credit card fraud nearly doubled from 2020 – 2021 in North America, when there were nearly 950 reports of fraud per day. CNP – card not present – fraud makes up a large proportion of those scams, meaning CNP fraud prevention is one of the most important actions you can take to keep your business and your customers safe.
CNP, or card not present, is a type of credit card transaction that literally means the card is not physically presented to the merchant at the time of its use. This obviously covers online retail purchases, but there are other times when it applies too, such as in the case of subscriptions and recurring purchases.
CNP fraud generally occurs when scammers obtain credit card details illegally and use them to make purchases online or over the phone. It’s estimated that CNP fraud could cost retailers nearly US$35 billion globally in 2022.
CNP fraud is particularly hard to detect online when there are no extra measures in place to verify a purchase is legitimate. In saying that, there are a range of e-commerce fraud prevention techniques that can be implemented to identify and prevent CNP fraud from occurring.
One of the first problems credit card holders have as victims of CNP fraud is realizing it’s happened in the first place. A victim will often still have the debit/credit card with them, but its details will have been obtained by bad actors in some way. This often happens through skimming, hacking, and phishing:
Skimming is when the card details have been obtained off the physical card itself, often when it’s been used legitimately. ATMs are a common place where this happens.
Hacking is when computer systems are illegally accessed and the stored details of credit cards are stolen. Those details can then be used by the hackers for CNP fraud, or they can be sold to other criminals.
Phishing happens when scammers present as legitimate companies or authority figures and convince credit cardholders to give out their card details. It commonly occurs through email or phone scams.
As a smaller retail business, CNP fraud prevention both protects your customers and yourself, especially your bottom line. By preventing CNP transactions in the first place, you can save yourself the embarrassment of having to tell your customers they need to cancel and renew their credit cards.
You also don’t have to go through the process of issuing a chargeback. Your accountant will thank you for that one, as it’s a long, involved process that can involve a lot of rebalancing of the books – and some nasty financial surprises – if it becomes a regular occurrence.
These are the most effective techniques you can use to prevent CNP fraud:
The more you know about your customers, the more information you can use to see if a purchase is legitimate. As well as being an effective security measure against CNP transactions, this information is also useful in your business’s marketing and sales efforts.
Knowing your customers’ email, billing and IP addresses, as well as phone number, and information about the device they usually use to buy from you, is a good place to start. When you have that information, you can quickly see if their credit card is being used to perform a transaction from a different device, or if it’s shipping items to a different address.
For example, if a transaction uses a credit card number that’s familiar to your system, and seems to be associated with an existing account, but is coming from an IP address based in another part of the world to where you’ve sent good to before, then that can be a red flag. Then, you can simply have the system send a verification email to double-check with the customer that the purchase is valid.
Well before CNP payments are processed, it all starts with scammers obtaining credit card information. As mentioned above, that can come through hacking.
As a business that regularly processes credit card payments, you could be a target for hackers looking to steal the details of those credit cards, among other things.
It’s important to use the latest data encryption and online security in order to protect both you and your customers. No business wants to be the victim of theft, and the private information you have about your customers is highly valuable to criminals. It can also cause hard-to-repair damage to your brand’s reputation, as if customers feel it’s not safe to buy from you, they won’t.
By utilizing basic tools such as SSL, particularly on payments pages, you can stop credit card information from falling into the wrong hands. And the very fact that it is in place will help shoppers feel more secure in shopping with you in the first place.
Online shoppers generally follow similar processes as they work their way through their purchases. However, the online behavior of CNP fraudsters can be highly irregular, which makes them easier to spot if you know what to look for.
For example, if you have 15 account users all shopping on your website at the same time, and they all are coming from the same IP address, then there’s a significant chance there’s something fishy going on.
While extremely large transactions can be a red flag for CNP fraud, very small purchases can also be a sign of something irregular too.
Scammers will often start out using a stolen credit card on a small, seemingly innocuous purchase. Just to see if it works. Once the card not present transaction process has successfully been completed, and they know that yes, the credit card works, they can go on to make much larger transactions.
Spotting CNP fraud from a small transaction alone can be incredibly difficult, but if you receive a much larger purchase from that same credit card soon after, that’s a big sign of a potential CNP fraud.
When you know a few more things about your customers, you can use that information to check that it’s really them who are buying things from you by asking them where they live, or what their phone number is.
You can also use analytical tools to streamline the authentication process and identify when it is and isn’t necessary.
For example, if a customer is using their account from an IP address they’ve used before, they’re buying something they’ve previously bought, and they’re shipping their purchases to a physical address they’ve used before, then there probably isn’t a need to authenticate the purchase. This offers a much smoother customer experience too.
However, if a customer is accessing their account from another country, has changed their billing address immediately before purchasing a high-value item, or has behaved in other ways that could suggest a CNP transaction, then it can be worth checking if it’s really them.
A risk scorecard is what allows you to build a model of common behavior that can suggest either a potential CNP transaction or a low-risk customer. You can create these scorecards manually based on common behavior you see from scammers, or you can use an automated solution.
Creating these scorecards manually can be challenging without a high degree of expertise, but it is possible.
Once you have your scorecard, you’re able to group users together based on their risk profile and provide appropriate CNP fraud prevention for different groups.
CNP fraud prevention is fast becoming a standard security measure for any business with an e-commerce function.
Businesses too are victims of fraud, and a customer whose credit card is used in a CNP scam can come to associate the businesses through which the scam occurs with that bad experience. Not only that but for retail businesses the items that are purchased by CNP scammers are often never recovered.
Preventing these fraudulent purchases before they’re carried out is now much easier than ever, and it saves a whole lot of problems later on. And as cybersecurity gains even more importance in the minds of consumers, businesses that can differentiate themselves based on their ability to reduce scams and protect their customers’ information are increasingly likely to be seen in a positive light.