Near-Term Solutions to Address the Growing Threat of Card-Not-Present Fraud
Publication Date: Version 2.0, July 2016
The ongoing U.S. migration to EMV chip payments is a move that will benefit the entire payments ecosystem by preventing in-person counterfeit card fraud and securing the card-present payment channel. At the same time, securing the card-not-present (CNP) channel is critical. CNP transactions are defined as payment card transactions where the cardholder does not present the card for merchant examination at the time of purchase, such as ecommerce purchases, and purchases or payments made over the phone or by mail.
The white paper, “Near-Term Solutions to Address the Growing Threat of Card-Not-Present Fraud,” developed by the EMV Migration Forum Card-Not-Present Fraud Working Committee, provides an educational resource on the best practices for authentication methods and fraud tools to secure the CNP channel as the U.S. migrates to chip technology.
As the U.S. migrates to EMV chip technology, it’s important that the payments industry makes a concerted effort to protect against the redirection of fraud from in-store to the card-not-present channel. No single security mechanism can protect against all possible fraud scenarios. Instead, the best practice to protect against card-not-present fraud is to use a systematic, multi-layered approach using tools that work together to create a successful fraud reduction program. This white paper provides guidance for merchants, issuers and acquirers to construct solutions to strengthen their systems against vulnerabilities and to better protect transaction data from attacks and fraud as part of their overall EMV implementation strategy.
- Authentication methods: device authentication; one-time passwords; randomized PIN pads; and biometrics
- Fraud tools: proprietary data and transactional data used for fraud analysis and risk management; and validation services
- 3-D Secure: messaging protocol that enables real-time cardholder authentication during an online transaction
- Tokenization: technique which replaces card data with surrogate values (i.e., “tokens”) that are unusable by outsiders and have no value outside of a specific merchant or acceptance channel
This white paper provides information from which merchants, card issuers and acquirers can construct security solutions in order to strengthen their systems against various vulnerabilities and better protect systems from attacks and fraud. The white paper also summarizes the impact on the affected stakeholder groups for each authentication method and fraud tool.
Version 2.0, published in July 2016, adds two appendices — one providing industry definitions of CNP, related industry terms and high-level use cases and one providing a comparison of 3D-Secure Version 1.0.2 and Version 2.0.
About the EMV Migration Forum
The EMV Migration Forum is a cross-industry body focused on supporting the EMV chip implementation steps required for payment networks, issuers, processors, merchants, and consumers to help ensure a successful introduction of more secure chip technology in the United States. The focus of the Forum is to address topics that require some level of industry cooperation and/or coordination to migrate successfully to chip technology in the United States. For more information on the EMV Migration Forum, please visit http://www.emv-connection.com/us-payments-forum/
Please note: The information and materials available on this web page (“Information”) is provided solely for convenience and does not constitute legal or technical advice. All representations or warranties, express or implied, are expressly disclaimed, including without limitation, implied warranties of merchantability or fitness for a particular purpose and all warranties regarding accuracy, completeness, adequacy, results, title and non-infringement. All Information is limited to the scenarios, stakeholders and other matters specified, and should be considered in light of applicable laws, regulations, industry rules and requirements, facts, circumstances and other relevant factors. None of the Information should be interpreted or construed to require or promote the establishment of any solution, practice, configuration, rule, requirement or specification inconsistent with applicable legal requirements, any of which requirements may change over time. The U.S. Payments Forum assumes no responsibility to support, maintain or update the Information, regardless of any such change. Use of or reliance on the Information is at the user’s sole risk, and users are strongly encouraged to consult with their respective payment networks, acquirers, processors, vendors and appropriately qualified technical and legal experts prior to all implementation decisions.