Credit cardholders are generally protected from liability if unauthorized transactions are made with their credit cards because of consumer protection laws and card policies. This leaves merchants and financial institutions on the hook for losses related to credit card fraud. According to an October 2016 Nilson Report, card issuers were burdened with 72 percent of fraudulent losses in 2015 while merchants were left with 28 percent of the losses.
With the advent of EMV chip technology in the US, the expected result was that credit card fraud would be reduced and liability for fraudulent transaction would shift to card issuers rather than the financial institution hosting the merchant account. However, after the United States began using EMV, existing credit card fraud dropped, but there was an almost 113 percent rise in new account fraud. This type of credit card fraud is responsible for 20 percent of losses. So what went wrong? It’s is the CNP factor.
What is CNP?
CNP stands for a card not present transaction. This type of transaction is used very often, primarily with online purchases, mail-order transactions and payments made over the phone. When conducting a CNP transaction, the merchant is not presented with the customer’s physical credit card. The merchant cannot verify if the customer is the actual cardholder. So even if the card does have an EMV chip, it’s not going to do any good if it is not being swiped to read the chip and verify that the transaction isn’t fraudulent.
Because of this problem, financial institutions are still liable when a credit card fraud is committed with an EMV card used in a CNP transaction. If the card had been swiped and was found later to be used fraudulently, the onus for restitution would fall on the card issuer. CNP transactions do carry a higher risk of fraud, and because of this, some card issuers charge higher transaction fees to merchants who mainly process CNP transactions.
Global increase of loss due to fraud
The 2015 Merchant Risk Council (MRC) Global Fraud Survey found that the average global fraud rate for E-commerce sales was at 0.53 percent. European countries were among the first countries to adopt EMV chip cards, but some are still experiencing high levels of credit card fraud (though comparatively much less than the US). CNP fraud is the most common type with being responsible for between 41 to 85 percent of fraudulent credit card transactions in Europe.
In 2015, the United States began their migration to EMV cards. Currently the United States experiences a 16 percent growth each year in E-commerce sales and it’s expected that this growth will contribute to a surge in frauds related to CNP transactions.
3D Secure and device fingerprinting could be the answer
EMV technology on payment cards is limited in the ways it can guard against unauthorized use and fraudulent transactions. Tracking these frauds has relied on key performance indicators such as charge back and confirmed fraud rates because e-commerce sales fraud is becoming harder to identify. This is because of the prevalence of “clean” frauds where the fraudster is able to provide accurate and complete personal data that makes fraudulent orders look legitimate. As a result of an high profile international survey, the US-Payment Forum reports that fraud scoring models and device fingerprinting were the most effective tools; whereas 3D-Secure (3DS) and device fingerprinting were being deployed the most quickly.
3D Secure is a three party protocol designed to help combat CNP fraud and more importantly introduce a liability shift from the merchant/acquirer to the issuer side. For example, MasterCard SecureCode and Verified by VISA are two examples of 3DS being in use. When making a transaction with an e-commerce site that utilizes 3DS, the cardholder is redirected to the website for the bank that issued their card. The cardholder is then prompted to enter their password (or partial password) in order to be authenticated. 3DS helps create consumer trust and confidence while making purchases and helps reduce fraudulent activity and disputes.
A device fingerprint is information that is obtained about a remote computing device for identification purposes, which can be used in combination with 3DS. This method has been proven to be successful in detecting and preventing credit card fraud and online identity theft. A device fingerprint can also be used as an indicator as to whether a user is likely to commit fraud before they commit fraud based on their signal profile. Cryptomathic offers a very high level of reliability for device fingerprints, using the "biometric" pattern of the camera of the mobile phone, for 2-factor and two-channel authentication.
Enhancing security and non-repudiation with digital signatures
3D-Secure or digital fingerprints alone do not provide EMV-grade security. It simply strengthens the cardholder authentication as long as issuers and merchants are ready to support the initiative. The underlying protocol does not guarantee strong non-repudiation and does not ensure the user´s sole control (as it would be required) in card present transactions.
This is why Cryptomathic advocates to integrate digital signatures in processes related to online payments, as they are a strong means of establishing non-repudiation. When using remote digital signatures, the process is based on secure sole-control protocols and gathers an extensive audit trail. This provides a much higher degree of certainty substantiating the authentic user really intended to make this transaction - and not some fraudulent third party.
1. Card-Not-Present Fraud Around the World (2017) by US Payments Forum
2. Selected articles on Key Management (2012-2016) by Ashiq JA, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Martin Eriksen and more
3. EMV Key Management – Explained (2015) by Cryptomathic