Fighting credit and debit card fraud is a shifting battle as would-be thieves regularly roll out novel schemes, but credit unions can look to new defenses from card issuers and processors built on sophisticated data analytics.
For merchants who completed the EMV chip upgrade, card fraud at the point of purchase has declined 76% since 2015, which marked the liability shift to merchants not equipped to process chip card payments, says Doug Leighton, head of community accounts for CUES Supplier member Visa, based in San Francisco. Now credit unions must remain vigilant and look for fraud prevention and detection tools in the card-not-present environment, where the threat of fraud persists in e-commerce, online billing and mail order.
“Generally, across our business, growth is happening in card-not-present transactions at roughly four times that of face-to-face growth rates,” he says. “Credit unions need to be talking to their network partners and processors to make sure that they are enabling the latest technologies to combat that fraud”—and, in the bargain, head off additional operational costs and member inconvenience.
Expand Your Toolbox
No single solution can prevent all fraud, but several tools deployed in “layers of protection” can significantly reduce those threats. For example, Visa’s Advance Authorization, which uses artificial intelligence to quickly assess each card transaction and provide the credit union with a risk score, can be used in conjunction with security systems offered by processors and other third parties.
“AI and big data are not terms you should be afraid of,” Leighton says. “The amount of data now available in a network such as Visa provides scoring that goes into Visa Advanced Authorization, which can be utilized to make those transactions frictionless, efficient and safe and secure.”
The 3D Secure 2.0 protocol is another tool to improve authorization decisions. Credit unions should be talking with payment partners and providers about how, if and when they should consider upgrading to it, Leighton suggests. It provides additional information that enables credit unions to make more precise authorization decisions.
The new iteration of 3D Secure takes a different approach than its predecessor, and Visa is working with its partners to determine how best to roll it out in the United States, he adds. Credit unions that enrolled in 3DS 1.0 should be working with their partners to discuss how they will make that transition as well.
The advent of 3DS 2.0 will mark an important step forward in how the industry takes on ecommerce fraud, says Patrick Davie, VP/risk solutions, card services at CUES Supplier member Fiserv, based in Brookfield, Wisconsin.
The early versions of this fraud prevention tool, originally launched as Verified by Visa or Mastercard Secure Code, were “full of friction,” requiring cardholders to sign up and remember their password in the middle of an online transaction, Davie notes.
“Consumers didn’t even always know what it was, and not every merchant was using it, so there was a very high abandonment rate. It turned merchants off very quickly,” he adds.
The system was upgraded a couple years ago with version known as Secure 1.0.2, which removed the need for a password in the middle of a transaction and introduced more sophisticated authentication models from access control server providers. Those changes have enhanced the experience for merchants and consumers and improved security; 3D Secure 2.0 will offer another big step forward, Davie says.
“What 2.0 does is introduce even more data elements that can be used by the issuers, as they work with ACS providers, to authenticate that the transaction is valid and not fraudulent,” Davie explains. “The most important data elements are around the device itself. The model attempts to ascertain: Where is the user? What device are they using? What are they trying to do? Rolling in that information from the device—a PC, phone or tablet—was not available until 3D Secure 2.0.
“More data means better decisions,” he adds. “We’re pretty excited about the concept of more data, better models, better clarity and more scrutiny around each of these authentication attempts.”
A small number of transactions are going down the 3D Secure rails right now, and the authentication rate should increase as more merchants sign on. Most U.S. card issuers have done the work required on their side, or their card processors have done it on their behalf. Mastercard’s deadline for implementation was in October, and Visa’s is August 2020.
The big change for credit unions with 3D Secure 2.0 should be “a lower incidence of fraud, fewer abandons and higher approval rates,” Davie says. “All things being equal, it should be a more positive step for the entire ecosystem.”
Focus on Smart Authorization
Credit unions should be monitoring the impact of security measures to ensure that they facilitate “the best authorization decisions, ones that do not decline good transactions but catch the bad transactions and decline them outright, stopping fraud before it happens,” Leighton says.
Because card-not-present authorization rates are generally lower than at point of sale, it’s incumbent on credit unions to ensure that their authorization tools and strategies are state of the art and tailored to each of those environments, especially the one where the most significant growth in transactions is occurring. Channel-specific authorization strategies recognize and optimize the differing types of information available in EMV vs. e-commerce transactions.
“A one-size-fits-all authorization strategy tends to decline more valid transactions in the e-commerce realm, and that creates a poor member experience,” Leighton notes. “Recognizing that online transactions are the source of growth, you don’t want members to pull out a competitor’s card because that card has a higher authorization rate online.”
Card-not-present debit transactions traditionally have a lower authorization rate than credit, and that’s a concern as members may start moving more of their everyday purchases, which they typically do with debit cards, to e-commerce, such as advance orders of groceries and online prescriptions.
Monitor the Impact of Data Breaches
The potential for information theft of consumers’ private details through data breaches, like those against Equifax in 2017 and the more recent Capital One incursion, are another continuing threat. Davie cites stats from the Identity Theft Resource Center that the number of records exposed through data breaches increased 126% in 2018 over the previous year.
“Breach activity is still a driving force in U.S. fraud. Even if it’s more challenging for fraudsters to use cards in a card present environment, card accounts are still for sale on the Dark Web,” he notes. “It’s a trend that’s not going away, so credit unions need to be sure they’re working with their partners to make sure they’re making the best tools available. There are refined analytics to determine that even if a card was exposed, what’s the likelihood it’s actually going to be used fraudulently? Not every account that gets exposed ends up being used illegally, so you don’t need to reissue every card.”
Fight Fraud on Multiple Fronts
Fraudsters are committed and inventive, often operating in large networks to extend their reach and ability to wreak havoc, cautions Carol Logan, director of client services for CUES Supplier member Member Access Processing, Kent, Washington. After EMV cards were introduced, these networks immediately started looking for ways to get around the built-in protections offered by chip card technology. Now, card-not-present fraud and scams to subvert mobile payments are on the rise.
“The more fraud mitigation strategies they can deploy on those various fronts, the better off credit unions will be,” she advises.
An emerging threat is synthetic ID fraud, in which scammers grab bits of pirated information from different people—a name from one, a social security number from another, an address from someone else—and mash them all together to apply for a new card account, Logan explains. Those fraudulent accounts may be mimic normalcy for a few months with on-time payments before they are used to charge up large amounts.
To combat these Frankenstein accounts, she recommends more diligence in vetting new members and reviewing card applications. Additional restrictions on cards issued to new members, such as lower limits for a set period, can also help reduce the impact of this type of fraud.
Karen Bankston is a long-time contributor to Credit Union Management and writes about membership growth, operations, technology and governance. She is the proprietor of Precision Prose, Eugene, Oregon.