Matt Neale, eStar chief technology officer, discusses Card Not Present Fraud.
Let’s talk about fraud: card-not-present fraud, to be specific.
It’s 2019 and retailers are still struggling to control and mitigate the risks posed by this, and the numbers released recently show this remains a growing problem in Australia.
The wider impact of this is that Australia, as a nation, now has the 4th highest rate of card-not-present (CNP) fraud globally (after Mexico, Brazil and the USA), and that fraud has been reported as growing at a faster rate than in any other country.
The Australian Payments Council states that CNP fraud now accounts for 85% of all fraud on Australian cards. The most recent Nilson Report states that globally, CNP fraud accounts for more than 50% of all payment fraud losses, even though CNP transactions account for less than 15% of the volume. It’s small wonder, then, that something needs to be done.
Whilst the numbers imply we are a nation with a few too many criminals, the truth is more nuanced: some serious breaches of card security have occurred in Australia and have resulted in a disproportionate number of compromised card details in circulation. As well, we’ve for too long had a generally relaxed attitude to fraud losses in both retailers and banks, accepting them as a cost of business.
Banks are nowhere near relaxed about this, however, with some eye-watering fines being absorbed, and lesser fines being passed on to merchants. That’s simply not sustainable, nor is it good business.
Before we discuss the solution, let’s take a bit of a flashback.
Some time ago, a number of retailers in the region were mandated to use the then-nascent 3D-Secure technology (known more commonly as Verified by Visa or MasterCard SecureCode) in an attempt to eliminate CNP fraud. This was a fairly disastrous, if well-intentioned, attempt, derailed by a lack of customer education and some particularly poor implementations. The resulting customer confusion ultimately saw significant volumes of lost sales almost overnight.
As a result, many of these initial implementations were rolled back as merchants called “foul”, and even the ACCC weighed in and opposed the mandatory use of 3D-Secure for CNP transactions.
And so not much changed.
Of course, it’s not a total loss: more astute retailers are using the sophisticated fraud management tools either built into their eCommerce platforms or integrated with 3rd party offerings, and generally see much lower fraud volumes than those who go without.
It’s those retailers who ignore or accept the losses without managing them that are driving the numbers.
As many of you will already be aware, AusPayNet (formerly APCA) has recently finalised the Card-Not-Present Fraud Mitigation Framework. This outlines the industry approach to mitigate CNP fraud for merchants, consumers, Issuers, Acquirers, card schemes, payment gateways, payment system providers, and regulators.
As well as providing a framework for technical solutions to follow, it provides a framework around the reporting, notification and sanctions that will be implemented.
It is very much a “measure, understand, improve” approach to proactively manage fraud down to “acceptable” levels across the industry.
From a merchant and eCommerce perspective, the framework centres on combining customer behaviour and risk analysis to drive mitigation through varying levels of customer authentication.
In essence, it’s going to bring 3D-Secure (with allowances for alternatives) back into play, while allowing some control, based on customer risk and fraud levels, over when to demand that level of protection.
Over the next 18 months, this will become more widely communicated to merchants, and I would predict that over that timeframe we will see a drive for new and more convenient mechanisms for digital authentication.
The framework is genuinely very good. It’s a pragmatic step, allowing the use of existing technologies and techniques in a completely vendor-agnostic manner, whilst leaving plenty of room for innovation and new technologies to emerge and fit within it.
Merchants would be advised to review their fraud levels, educate themselves on the upcoming changes, and discuss with their banks and vendors what options exist now and what options they have in future.