As e-commerce continues to grow in popularity, so do the ways in which it can be used to create fraudulent financial transactions. E-commerce and phone transactions do not require a physical payment card to be present to initiate the transaction. Instead, the customer just has to give the card number and other easily obtainable information in order to complete the transaction. As a result, these types of transactions are referred to as "card not present" transactions. The need for information and not a physical card makes e-commerce an easier avenue for initiating fraudulent transactions than those which take place in a physical store.
Global financial losses related to payment cards amounted to an estimated $24.26 billion in 2017 and are estimated to reach $34.66 billion in 2022. A 2018 study from the Federal Reserve also showed that card-present fraud in the U.S. declined from $3.68 billion in 2015 to $2.91 billion in 2016, while e-commerce card not present fraud jumped from $3.4 billion to $4.57 billion during the same period.
Here is an overview of card not present fraud; what it is, how it is perpetuated and what can be done about it.
Any time a customer purchases something online or over the phone, they merely have to enter their credit card number and a few other details to complete the transaction. These details may include a CVV number that is found on the back of the card, as well as their billing address. Unfortunately, this is all information that is easily obtainable now, thanks to an ongoing series of high profile data dumps. Cybercriminals will often buy entire lists of credit card and CVV numbers, which can then be matched up to the limited amount of personal data necessary to use the number, such as a home address.
The reason this type of fraud is so prevalent is that many victims may not even be aware they have been victimized. Unlike stealing a physical credit card, card not present fraud only requires the perpetrator to have the card information, not the physical card. This means the victim remains in possession of their physical card and they have no idea anything has been stolen. If they were to lose their card or realize it had been stolen, they would cancel the card. Because they are unaware the information has been stolen, however, they are susceptible to becoming a victim.
There are a number of ways that cybercriminals obtain payment card information. The three most common ways of obtaining payment information is through hacking, skimming or phishing.
Once cybercriminals have payment card information, they can use it in a variety of ways.
Unlike many other types of fraud, the main burden of stopping card not present fraud lies with merchants and card issuers. Merchants can use a growing variety of authentication tools to ensure the buyer is a legitimate cardholder or agent. Multifactor authentication requires buyers to verify their identity by either receiving a code sent to a verified phone number or email address or use biometric scanning to confirm their identity. Tokenization also helps prevent data theft by generating a temporary, one-of-a-kind digital identifier, or "token" rather than submitting account numbers to be stored, which can then be subject to theft. Merchants can take advantage of this protection by accepting payments via Apple Pay and other products that create these tokens and also use biometric scanning for verification.