
6 ways online merchants can combat card-not-present fraud

The coming adoption of EMV credit cards in the U.S. could signal some challenging times ahead for online merchants.

In Europe, where EMV chip cards have been in use for several years, brick-and-mortar merchants have enjoyed a significant reduction in fraud. Unfortunately, according to July 2013 predictions from Javelin Strategy & Research, the thieves in those countries have simply shifted their attention toward a softer target: online merchants, who can't benefit from chip-and-PIN technology. Those merchants, according to Javelin's insights, will have to get creative in fighting this new wave of criminals.

Fortunately, there are plenty of ways to keep fraudsters at bay. Some may be familiar to merchants, while others are only recently being made possible by the latest technology.

The basics
Chances are, if you're an existing e-commerce business, you already have these measures in place. If you're just starting your online business, you'll need to educate yourself about them.

1. PCI DSS compliance: Credit card companies have adopted the Payment Card Industry Data Security Standard (PCI DSS) as the global data security standard for any business that processes, stores or transmits credit card data. Becoming PCI DSS-compliant is basic, and all merchants, whether online or brick and mortar, should already be doing this.

There are 12 basic requirements for PCI DSS compliance. In general, they include the need to build and maintain a secure network, protect cardholder data, develop and maintain secure systems, strictly limit access to card data, regularly monitor and test networks, and maintain an information security policy.

2. Basic transaction authentication: This type of security, which many merchants already use, includes:

  • Static passwords or security questions.
  • Address verification systems, which match the address given by the customer during the transaction with the address that the card issuer has on file.
  • Card verification value 2 (CVV2), which requires the customer to enter the three-digit security code on the card during the transaction. This helps ensure that the person making the purchase is actually holding a legitimate card.

An extra layer
These security measures go beyond the basic methods and may require a few extra steps for your customers during the checkout process.

3. Three-domain secure protocol (also known as 3-D Secure or 3DS). Visa and MasterCard are pushing for this extra level of security, which takes place during the online checkout process.

Visa's 3DS service is called Verified by Visa; MasterCard's is known as MasterCard SecureCode. They work in the same way.

Cardholders sign up for the service with the bank that issued their credit cards and select a special password for online transactions. When cardholders go to make a purchase at a merchant that has installed the VbV or SecureCode plug-in software, they are asked to enter the previously-selected password into a separate box that links directly to the credit card issuer. If the password is correct, the transaction goes through.

Merchants who use these systems are protected from fraud-related chargebacks, as the credit card issuer is the one that does the authentication. The credit card companies say that consumers like these services because they feel that their card information is more secure.

4. Third-party fraud detection service providers. According to Visa, third-party companies can offer you the technology and tools that will help you detect fraudulent credit card transactions. Visa recommends contacting your merchant bank for suggestions on providers that can provide these types of services.

State of the art
These final security measures are just emerging. Both require extra cooperation from consumers -- and assume that the shopper has immediate access to a mobile phone.

5. One-time passwords for mobile devices. With mobile phones becoming more prevalent among consumers, this layer of security confronts thieves with a constantly moving target. Consumers are asked to provide their mobile phone numbers to their credit card issuers. When a customer shops online with a business that has enabled that technology and enters their card information, the issuer sends the customer a text message with a one-time password. Once the cardholder enters that password on the merchant's site, the transaction can go through.

The texted password is valid only once and then only for a short time.
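The two properties above, single use and a short lifetime, are what the issuer-side check has to enforce. The following is an added example, not code from the article or from any card issuer; the class name, the 5-minute lifetime, the 6-digit length and the 3-guess limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 300   # assumed lifetime; the article only says "a short time"
MAX_ATTEMPTS = 3    # assumed guess limit, not stated in the article
_KEY = secrets.token_bytes(32)  # per-process key so codes are not stored in clear

class OneTimePasswords:
    """Hypothetical issuer-side store: one pending code per transaction."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # transaction id -> [mac, expiry, attempts left]

    @staticmethod
    def _mac(txn_id, code):
        # Bind the code to its transaction so it cannot approve another one.
        return hmac.new(_KEY, f"{txn_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, txn_id):
        """Create a 6-digit code; the caller texts it to the cardholder."""
        code = f"{secrets.randbelow(10**6):06d}"
        expiry = self._clock() + TTL_SECONDS
        self._pending[txn_id] = [self._mac(txn_id, code), expiry, MAX_ATTEMPTS]
        return code

    def verify(self, txn_id, code):
        """True only for the first correct, unexpired submission."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False                      # never issued, used, or locked out
        mac, expiry, _ = entry
        if self._clock() > expiry:
            del self._pending[txn_id]         # valid only for a short time
            return False
        if hmac.compare_digest(mac, self._mac(txn_id, code)):
            del self._pending[txn_id]         # valid only once
            return True
        entry[2] -= 1                         # wrong guess: burn an attempt
        if entry[2] <= 0:
            del self._pending[txn_id]
        return False
```

Without the attempt limit, a six-digit code could simply be guessed within its lifetime, so the lockout matters as much as the expiry.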

6. Biometrics. This involves recognition of some physical characteristic of the cardholder before a credit card transaction can go through. A biometric device might read cardholders' fingerprints or palm prints, scan their faces or the irises of their eyes, or check the pronunciation of some words against something the cardholder has previously recorded. A biometric device might even be able to recognize customers' typing patterns and verify their identities in that way. The smartphones and tablets many consumers use for online shopping already have some of these capabilities.

Although credit card companies are not currently using biometric authentication systems, there are many companies working on their application for both online and brick-and-mortar credit card transactions. Plus, the proliferation of smartphones may make the technology relatively easy to roll out, predicts Al Pascual, senior analyst at Javelin Strategy & Research, in a July 2013 article for Digital Transactions.

"It's not a lot to ask consumers to use something like a mobile device," he told Digital Transactions, "since they carry one everywhere and often go out of their way to retrieve it when they leave it behind." 

Knowing the signs of fraud
Another way to combat fraud online is to educate yourself about the warning signs of credit card fraud. According to Visa, you may want to be wary of accepting an online credit card transaction if it involves:

  • A first-time shopper
  • Larger-than-normal orders
  • Multiple orders of the same item
  • Rush or overnight shipping
  • Shipping to foreign countries
  • Multiple transactions on one card within a very short time
  • Transactions placed on multiple cards and shipped to the same address
  • Multiple cards from the same IP address
  • Customers with Internet addresses from free email services. These days, many (if not most) consumers use free email services, so merchants (or the third-party fraud protection service they're using) should verify other details, such as geographic location or order history, to determine authenticity.

Many of these warning signals can be picked up by automated software available from third-party providers, which should also be able to pull out any questionable transactions for further fraud review.
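As an added illustration of how such software can apply the warning signs listed above (this is not code from the article, Visa or any fraud-screening product), the sketch below checks six of the signs against a batch of constructed orders and pulls out those that match two or more. The field names, the 10-minute window, the 3x order-size factor and the review threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders; "card" is a processor token, never a card number.
FIELDS = ("id", "card", "ip", "ship_to", "time", "amount", "first_time", "rush")
ROWS = [
    ("A1", "tok_1", "198.51.100.7", "12 Elm St", "2023-09-01T10:00", 40.0, False, False),
    ("B1", "tok_2", "203.0.113.9", "9 Dock Rd", "2023-09-01T11:00", 45.0, True, True),
    ("B2", "tok_2", "203.0.113.9", "9 Dock Rd", "2023-09-01T11:03", 45.0, True, True),
    ("B3", "tok_3", "203.0.113.9", "9 dock rd ", "2023-09-01T11:05", 400.0, True, True),
    ("C1", "tok_4", "192.0.2.20", "3 Oak Ave", "2023-09-01T12:00", 60.0, True, False),
]
ORDERS = [dict(zip(FIELDS, row)) for row in ROWS]

WINDOW = timedelta(minutes=10)  # assumed meaning of "a very short time"
LARGE_FACTOR = 3                # assumed multiple of the typical order value
REVIEW_THRESHOLD = 2            # assumed: one sign alone is not enough

def _addr(order):
    # Normalize so trivial case/spacing changes still match the same address.
    return order["ship_to"].strip().lower()

def warning_signs(orders, typical_amount=50.0):
    """Map each order id to the list of warning signs it matches."""
    by_ip, by_addr, times = defaultdict(set), defaultdict(set), defaultdict(list)
    for o in orders:
        by_ip[o["ip"]].add(o["card"])
        by_addr[_addr(o)].add(o["card"])
        times[o["card"]].append(datetime.fromisoformat(o["time"]))
    result = {}
    for o in orders:
        t = datetime.fromisoformat(o["time"])
        nearby = sum(abs(t - other) <= WINDOW for other in times[o["card"]])
        checks = [
            (o["first_time"], "first-time shopper"),
            (o["rush"], "rush or overnight shipping"),
            (o["amount"] >= LARGE_FACTOR * typical_amount, "larger-than-normal order"),
            (nearby > 1, "multiple transactions on one card in a short time"),
            (len(by_ip[o["ip"]]) > 1, "multiple cards from the same IP address"),
            (len(by_addr[_addr(o)]) > 1, "multiple cards shipped to the same address"),
        ]
        result[o["id"]] = [label for hit, label in checks if hit]
    return result

def review_queue(orders):
    """Order ids matching enough signs to be pulled for manual fraud review."""
    signs = warning_signs(orders)
    return [oid for oid, found in signs.items() if len(found) >= REVIEW_THRESHOLD]
```

Order C1 matches only "first-time shopper" and is left alone, which reflects the article's point that a single common trait should be weighed against other details before an order is questioned.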


Published: September 8, 2023
