“Data breach” is a term no one likes to hear. It causes customers to lose faith in the retailers that put their sensitive payment card data at risk, and it triggers a massive scramble to recover from the fallout for the retailers that are targeted by hackers.
In the wake of what is arguably the worst breach of all time at Equifax, many merchants are re-thinking their data security strategy altogether. On top of that, many merchants must consider the long-term ramifications from breaches, including identity theft and increased fraud.
Card-not-present (CNP) merchants, in particular, face a daunting reality: it is very difficult to be 100% sure that the person using a payment card online is who they say they are.
That said, there are some steps merchants can take to guard against true fraud chargebacks and protect their bottom line.
1. Get back to the basics
Merchants should always use authorization methods like CVV2 verification and AVS authentication. The former ensures the buyer is in possession of the payment card being used by asking for the three-digit code to complete a purchase. AVS authentication allows merchants to verify the billing address provided by the purchaser with the one on file at the issuing bank. These are baseline tools that merchants should always be using to authenticate online transactions.
2. Use social data for authentication
Merchants must become as shrewd as fraudsters when it comes to fighting online fraud. One way to do this is by using social data verification. Merchants can combine social media profile information with other trusted sources of data to verify the identity of someone attempting a purchase online. Given the degree to which the public has become active on social channels, this is becoming a more effective fraud prevention tactic.
3. Device fingerprinting
This can be an effective anti-fraud measure for online merchants. By tracking the characteristics of devices that log onto your website (browser, device model, screen size, etc.), certain patterns can be identified and attached to specific devices. Once a device exhibits malicious behavior, the digital fingerprint associated with that device can be tagged and blocked from making additional transactions on your site. It’s a powerful tool that can put the brakes on repeated fraud attempts from the same device, a scenario that happens when bad actors try to make purchases en masse from a repository of stolen card information.
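The tag-and-block flow described above, as an added Python example that is not from the original article: it hashes the attributes the text names into a fingerprint and blocks a device once it has tried too many different cards. The field names, the card tokens and the threshold of three cards are assumptions made for this sketch.

```python
import hashlib
from collections import defaultdict

# Attributes named in the text (browser, device model, screen size); the
# field names and the threshold are assumptions for this sketch.
FINGERPRINT_FIELDS = ("browser", "device_model", "screen_size")
MAX_DISTINCT_CARDS = 3


def device_fingerprint(attrs):
    """Hash the normalised device attributes into a stable identifier."""
    canonical = "|".join(
        f"{name}={str(attrs.get(name, '')).strip().lower()}"
        for name in FINGERPRINT_FIELDS
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DeviceScreen:
    """Tags a device once it tries too many distinct cards, then blocks it."""

    def __init__(self, max_cards=MAX_DISTINCT_CARDS):
        self.max_cards = max_cards
        self.cards_seen = defaultdict(set)  # fingerprint -> card tokens (never raw card numbers)
        self.blocked = set()                # fingerprints tagged as malicious

    def check(self, attrs, card_token):
        """Return 'allow' or 'block' for one purchase attempt."""
        fp = device_fingerprint(attrs)
        if fp in self.blocked:
            return "block"
        self.cards_seen[fp].add(card_token)
        if len(self.cards_seen[fp]) > self.max_cards:
            self.blocked.add(fp)
            return "block"
        return "allow"


def run_sample():
    """Replay constructed attempts: one repeat shopper, one device cycling cards."""
    shopper = {"browser": "Firefox 118", "device_model": "Pixel 7", "screen_size": "1080x2400"}
    tester = {"browser": "Chrome 117", "device_model": "Generic PC", "screen_size": "1920x1080"}
    screen = DeviceScreen()
    results = [screen.check(shopper, "tok_shopper")]
    results += [screen.check(tester, f"tok_{i}") for i in range(5)]
    results.append(screen.check(shopper, "tok_shopper"))  # same card again: still allowed
    results.append(screen.check(tester, "tok_0"))         # tagged device stays blocked
    return results
```

With only three attributes, many legitimate devices will share a fingerprint, so a block keyed on this hash alone would also turn away good customers.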
With the announcement of iPhone X and the included facial recognition technology, biometrics have become a hot topic. As a fraud prevention method, biometrics use a person’s biological features to authenticate and verify their identity. We see this with Apple’s Touch ID, which allows users to confirm payment via their fingerprint to complete online transactions with Apple Pay. Since a person’s biological attributes are unique to them, biometrics can streamline and improve authentication while eliminating the need for pesky (and forgettable, hackable) passwords.
Geolocation technology enables merchants to detect the location of an IP address and flag any unusual activity. Unusual activity may include an attempted transaction from an IP located outside of a typical range of access. It may also flag transactions that originate in high-fraud areas of the world, facilitating a manual review of those transactions. Geolocation solutions are also able to identify the use of proxies – a notorious signal that online fraud may be occurring by a party that wishes to remain anonymous or avoid detection.
Each of the tools and tactics described above should be considered carefully by merchants looking to fight fraud. Each merchant has unique needs and should consider the implications for the big picture.
It’s also important to remember that there is such a thing as overprotection. Employing too many fraud tools (or fraud tools that overlap) can be costly in more ways than one. When fraud controls are too tight, merchants end up driving away good customers and legitimate sales – and risk permanent alienation if the customer experience was a poor one. Additionally, fraud tools that trigger too many manual reviews can bury a merchant in the time and resources it takes to handle the load.
Merchants should understand their unique vulnerability profile from the bottom up to apply the correct set of tools to battle bad actors. Working with a payments consultant who understands your business model and the current fraud landscape can free up resources and help you focus on your core business.