Nick Cucci

Nick Cucci

November 25, 2019

Credit Cards Surging in 2019 – Fraud Too!

Let's state the obvious. The economy is booming and people are spending more money. Here's a crazy statistic from The Washington Post: only 5 percent of individuals use no credit or debit cards in 2019. To put this in perspective, the figure in 2001 was 22 percent; in 2002 it was 17 percent. We are now at 5 percent! Also, according to FICO, credit card use is most prevalent among 25- to 34-year-olds, at 83 percent.

With more credit cards than ever out in the wild, credit card fraud is also booming. Card-not-present (CNP) fraud has grown exponentially in the United States. According to a 2018 study by the Federal Reserve, CNP fraud rose to $4.57 billion in 2016, up 34 percent from the 2015's $3.4 billion. Analysts expect CNP fraud could break $6 billion in 2019.

Face the facts

There really isn't a way to hide from this. Pretty much everyone at one point or another will use their credit card at a location that exposes them to fraud. For example, if you've swiped your card at a gas station with a hidden skimmer, your information is compromised. Purchased something online at a breached website? Have malware on your device? Compromised.

If that's not enough to concern you, consider this: Markus Bergthaler, director of programs at Merchant Risk Council, a nonprofit organization that educates businesses on how to combat fraud, said, "Recent figures suggest that over 80 percent of credit cards in people's wallets have already been compromised." There is a cost specific to CNP fraud that goes beyond the millions and even billions of dollars lost in merchant merchandise. Small businesses are having to take on the burden of spending money monthly to protect themselves as best they can – and it may not be enough.

Some merchants are hiring security experts, buying software and contracting with companies to monitor transaction statuses. Banks are constantly replacing credit cards, which places a drag on their economic activity. I think we can all agree that our adopted EMV solution just isn't cutting it. It helps with in-person fraud, but to be completely transparent, we did not have a ton of in-person fraud.

Dispense with illusions about EMV

The "EMV shift" was instituted purely to shift liability to the merchants. Signatures are not required with EMV, but it seems every other merchant is still capturing signatures regardless of the dollar amount of transactions anyway. Per Visa back on April 14, 2018, EMV enabled merchants in the United States and Canada to opt to stop capturing signatures as a method of cardholder verification. Those merchants are also no longer required to retain store transaction receipts.

The whole point of EMV is that the chip is specific to the user, so a signature won't do much; when that card is placed in the reader, it is authenticating you are the cardholder. If you have ever had to do a chargeback or been a victim of fraud with an EMV card, you will quickly find that the bank will send you a letter for signature stating that the card is and was in your possession at the time the transaction occurred. This makes sense because the liability shift changes back to the merchant at the end of the day.

Typically, liability will shift to whoever has the lowest level of security, which 99 percent of the time will be the merchant unless the merchant service provider (MSP) can step up to the plate and help the merchant combat "unauthorized" transactions.

Take simple, effective actions

Here are several simple steps merchant level salespeople, ISOs and MSPs can take to protect their merchants:

Check to see the extent of your merchants' PCI DSS validation requirements. Help merchants obtain full PCI compliance (example: complete Self-Assessment Questionnaires). Walk merchants through how terminals/devices can be tampered with and what exactly to look for. Encourage use of devices that are hardened – devices that are cloud-based and can only be triggered from an application in order to process a card, for example. Tampering with these devices is nearly impossible because the device is a technological slave to the system. The only piece your merchant would really need to pay attention to is skimming devices if their device is end-to-end encrypted. Keep a database of attempted fraud and use advanced technology. I would suggest hanging on to information such as customer name, shipping/billing addresses, IP address, and email address if provided. If you're using the right payment provider, this information should now be stored for you anyway and shared across that platform's community. Cutting edge technology companies are now utilizing their own systems to combat fraud. And "communities" are growing through which transaction details can be shared. What this means is that digital fingerprints can be stored and shared from one merchant to another via velocity controls or opt-in communities. Regardless of merchant size, velocity controls are your friends

For example, if Merchant A has been hit with fraud from a specific digital fingerprint, that information can be shared to stop the same fraud from harming other merchants on the same system. Models are exposed to new data, while independently adapting to new data as it comes in. This is where more data equals more security. This is a machine learning algorithm.

Legacy payment platforms will not be able to handle this type of technology because the infrastructure needs to be recent. Having large amounts of data is only half the battle; you need a robust system to support and back it. Keep this in mind when deciding where your merchant data resides.

Detect patterns. If you receive multiple orders with the same shipping address but different billing address or different credit card numbers, this should be an immediate velocity control flag. You may also see the same card submitted multiple times with different expiration dates because this is the only piece the fraudster is missing. Use the Address Verification System (AVS) service. AVS checks whether a cardholder's address and ZIP code match the information at the issuing bank. This, too, should be checked. AVS can and will fail because of certain issues, one known one is address changes.

Create value

Have a goal for 2020? Create value for your merchants. Become sticky, share your ideas, and implement procedures and "health check-ups" to stay on top of everything for 2020. Dealing with thousands of merchants daily and being one myself, I can tell you it makes a huge difference to know there is someone in your corner – and not just another "credit card" company. Loyalty goes a long way these days. Keep moving forward, and best of luck. If you have any questions or just want to chat, please reach out directly to me.