Evolving security for online payments.
Worldwide, card not present (CNP) fraud continues to be a challenge in the payments industry. We have seen the warnings. Such fraud typically rises as countries migrate to EMV/chip cards in an effort to reduce other types of fraud like point-of-sale fraud and card cloning. This is indeed happening now in the United States. However, do not think industry players (e.g., issuers, networks, acquirers, merchants) are sitting idly. Following are a couple evolving tools to combat CNP fraud and/or the theft of personal data.
One-time Passwords
Perhaps you have experienced one-time passwords or passcodes (OTP) already. My payment card processor utilizes this functionality. After I provide my ID and password for their site, I also have to enter a one-time, six-digit number that they send to my mobile device as part of the login process. It expires in five minutes.
Julie Conroy, Research Director, Aite Group Retail Banking Practice, is someone who has studied security over the years. She stresses, “A big security weakness is our reliance on static passwords and the fact that most people use the same password for multiple sites. The industry must transition from static passwords to dynamic ways of confirming the identity of a user.”
There have been countless reports of fraudsters obtaining access to one account of an individual and using the stolen credentials to access other accounts belonging to that person. They are often able to gather enough personal data to commit more crimes like applying for a loan.
As individuals, we can do our part by not using the same password for multiple applications and sites. Also consider the strength of the passwords you use. One of the most common passwords continues to be password. Many organizations train their employees on strong passwords and other aspects of security. Further, it is a best practice to address security within your card program policies, procedures and training.
3-D Secure
Despite being an international security standard for online card payments, 3-D Secure (3DS) has not received a lot of press, nor extensive use, in the United States. This is starting to change as CNP fraud makes more headlines and 3DS continues to improve. It provides another method for verifying someone’s identify during the online checkout process, but it requires participation from the merchant and their acquirer/processor, and the cardholder and their card issuer/bank. You might be familiar with the different names, depending on card brand; for example, Verified by Visa, Mastercard SecureCode and American Express SafeKey.
The first iteration of 3DS relied on static passwords. During checkout, the purchaser (cardholder) would click a link to access a designated webpage by their card issuer, in which they must enter an additional password (previously established) to authenticate the transaction. Opponents of this arrangement argue it can result in the abandonment of legitimate purchases because of the extra step. However, as Julie Conroy shares, “The evolution of 3DS now gives merchants greater control—through a metrics-based approach—over which transactions are pushed down the 3DS path.” She also notes that many of the large issuers have moved to either risk-based authentication, which requires no interaction from the purchaser, or dynamic authenticators, such as a one-time passcode (OTP). Some countries are even mandating 3DS to some extent or are considering a mandate. Within the Commercial Card realm, 3DS is primarily used outside the United States.
Naturally, every fraud prevention strategy should include a multi-faceted approach to increase effectiveness. This post only references two of many.
What's Next
Stay tuned to this blog for a related, upcoming post on a new security solution for Commercial Cards.
About the Author
Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more…
Subscribe to the Blog
Receive notice of new blog posts.