Risk alert: Understanding the risk of card-not-present fraud
Today, many cardholders use their card number in a card-not-present (card absent) environment mainly over the internet. The question asked is: what is the risk for the internet merchant versus the cardholder’s card issuing credit union? This educational alert will help your credit union understand the security tools available to the internet merchant and why it is extremely important for your credit union to support these security tools. Also, there are additional security tools that are gaining popularity that should also be looked into and supported as well to help combat card-not-present fraud risk.
As the bad guys identify who is using EMV (Europay/MasterCard/Visa) to help combat and prevent magnetic stripe fraud, they are moving to card-not-present fraud. Many of the other countries that have implemented EMV to address the card present – magnetic stripe fraud have seen a jump in card-not-present fraud. If you are experiencing card-not-present fraud today and the credit union is retaining the fraud loss, the first question you should be asking yourself is WHY?
Below is a brief list of the merchant security tools your credit union as the card issuer should be supporting in the event the authorization message contains them. If your credit union does support these security tools and is retaining the fraud loss, dig deep to find out why.
Merchant Security Tools the Credit Unions Should Support
- Address Verification Service (AVS) – This security tool may be used for card present or card-not-present. The authentication uses the cardholder’s billing address. Depending on a partial or exact billing address, determines if the merchant retains the fraud loss or if the merchant can represent the fraud loss to the credit union as the card issuer. For more information on AVS, refer to the card association(s) rules and regulations.
- Card Verification Value/Code 2 (CVV2/CVC2) – This security tool may be used for card present or card-not-present. It is the 3 digit code found on the back of the physical card. If the merchant opts to ask the cardholder for this three digit number and it authenticates, it may allow the merchant to represent the fraud loss to the credit union as the card issuer. For more information on CVV2/CVC2, refer to the card association(s) rules and regulations.
- Verified by Visa (VBV) and MasterCard SecureCode (MCSC) – This security tool is only used by internet (online) merchants. The credit union may offer the cardholder the option to sign up for VBV/MCSC. If the cardholder opts to sign up, they will create a password. If the credit union is having this type of fraud represented to you by the internet (online) merchant, we strongly suggest you expand your cardholder’s enrollment (token) criteria to make it more challenging for someone else to enroll your cardholder.
Watch for another Risk Alert in the future that will talk about enhanced security tools to help combat the increased card-not-present (card absent) risk.