The payments and fraud mitigation landscape has gone through some major changes since the birth of digital commerce. The biggest challenge in the card holder not present (CNP) space has been “not present”. Payment cards were designed for face-to-face transactions where the authenticity of the card could be verified. Basic details, such as security features, signatures and format, were easy to verify and equally easy to train customer-facing staff in what to look for.
In situations where the card, card holder and merchant aren’t physically in the same place, a range of technologies and techniques to combat fraudulent use of these cards had to be developed.
A number of these activities are now seen as basic “hygiene” factors and, while on their own do not represent a secure payment, together they form a suite of tools that help merchants to reduce the risk of CNP fraud and make decisions on acceptance or review. Typical tools utilised include address verification (AVS), velocity checking, ID verification and 3D secure.
The UK Cards Association reported that in 2012 CNP fraud, including all aspects of distance selling, such as mail order, telephone order and internet, amounted to losses of around £245.8 million, up 11 per cent on £220.9 million in 2011, but still significantly down on the peak of £328.4 million in 2008. Largely, the increase in CNP grew proportionally with the growth of e-commerce.
The year 2008 was interesting in both retail and macro-economic terms. Growth experienced by e-retail websites, as measured by the IMRG/Capgemini e-Retail Sales Index, fell from an average of 38 per cent in the first half of the year to 15 per cent in the second, when the financial crisis hit. Overall year-on-year growth in 2008 averaged 25 per cent. In 2012 the index recorded average annual growth of 14 per cent, down from 16 per cent in 2011 and 18 per cent in 2010.
The decline in fraud levels following 2008 can be attributed to a number of factors including the increase in adoption of 3D secure – Verified by Visa and MasterCard SecureCode – by merchants, improving counter-fraud tools and technology, and the introduction of Payments Card Industry Data Security Standard (PCIDSS). This standard unified existing card scheme rules around how card holder data is handled and protected while also raising the bar in certain areas. For example, how batch processing of payments takes place, securing corporate wi-fi networks and limiting how card holder data is transmitted.
The counter-fraud story isn’t all about direct financial loss. Shrinkage or loss due to shoplifting has long been in the budgets of high street retailers and, just as in online, there is a balance to be had between securing stock and allowing customers the freedom to purchase.
There is an increasing customer awareness and concern around their personal data online, and in particular, how well organisations in the public and private sector look after their payment information. High profile cases of data loss making headlines in the media don’t help with this perception as highlighted in a recent IMRG/eDigitalResearch study which showed that of the 2,000 respondents, 50 per cent felt retailers should be doing more to look after their data.
The challenge for retailers then is to balance financial risk with the costs of implementing these strategies, and the brand impact of getting the balance wrong and upsetting legitimate customers.