While the online retailing environment has provided businesses with an unparalleled opportunity to expand their customer bases and improve profits, it has also increased the vulnerability of businesses to credit card fraud. The AVS (Address Verification System) was designed to battle fraud and chargebacks. It cross-references the numeric elements of the billing address provided by the consumer with the numeric elements of the billing address held on file by the issuer. This helps merchants verify that the consumer is the rightful cardholder. However, a correct AVS match does not establish that a transaction is not fraudulent.
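The numeric comparison described above, sketched as an added example that is not part of the original article. The result labels, the rule of keeping every digit of the street line, and the sample addresses are assumptions made for illustration; card networks return their own response codes.

```python
import re

def numeric_elements(street, postcode):
    """Keep only the digits of the street line and of the postcode."""
    return re.sub(r"\D", "", street), re.sub(r"\D", "", postcode)

def avs_check(entered, on_file):
    """Compare an entered (street, postcode) pair with the issuer's record."""
    e_street, e_post = numeric_elements(*entered)
    f_street, f_post = numeric_elements(*on_file)
    # If the issuer record has no digits there is nothing to verify against.
    # Treating "" == "" as a match would pass every number-less address.
    if not f_street or not f_post:
        return "unavailable"
    street_ok = e_street == f_street
    post_ok = e_post == f_post
    if street_ok and post_ok:
        return "full_match"
    if street_ok:
        return "street_only"
    if post_ok:
        return "postcode_only"
    return "no_match"

# Constructed sample data: the issuer's record and several checkout entries.
ON_FILE = ("12 Smith Street", "2000")
SAMPLES = {
    "exact": ("12 Smith Street", "2000"),
    "abbreviated": ("12 Smith St.", "NSW 2000"),
    # Different street name, same digits: still reported as a full match,
    # which is why an AVS match alone cannot clear a transaction.
    "different_street_name": ("12 Jones Road", "2000"),
    "wrong_number": ("14 Smith Street", "2000"),
    "wrong_postcode": ("12 Smith Street", "3000"),
    "unrelated": ("99 Other Avenue", "6000"),
}

def run_samples():
    """Return the AVS result for each constructed checkout entry."""
    return {name: avs_check(addr, ON_FILE) for name, addr in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:24}{result}")
```

Because only digits are compared, the result is best treated as one risk signal to combine with others rather than as proof of cardholder identity.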
Australia, with surprising foresight, took preventative measures in 2014 hoping to avoid the fates of the US, the UK and other markets by adopting EMV (Europay-Mastercard-Visa) payments, with ANZ bank being the first major Australian bank to take steps to adopt this technology. EMV-enabled payments are supposed to reduce fraud, thanks to certain security features. In Australia, signature-based methods of authentication have been removed in favour of PIN codes. Merchants do not retain the PIN entered at the point of sale by the consumer, and instead use cryptographic algorithms to authenticate the cardholder and transaction. But as is the case with any security system, EMV is a long way from perfect.
A number of different ways to hack EMV have been known for some time. Researchers at the University of Cambridge have shown that card-reader terminals can be hacked to accept any PIN the criminal inputs. Furthermore, contactless payments are growing exponentially in the region. Chip-and-PIN-based authorisation systems like EMV are being outstripped by contactless near-field communication (NFC) technology, which is embedded in all cards issued nowadays. There is also a greater push towards mobile payments. Millennials have readily adopted contactless payments, driven by their need for speed and convenience, pushing Australia to lead the world in contactless payments.
But with this convenience and speed comes a whole set of downsides. Rising costs, driven by a fast-growing rate of card-not-present (CNP) fraud and its resulting chargebacks, raise the necessary question: who foots the bill? According to a report by The Strawhecker Group, small and midsized merchants saw a 31 per cent increase in the number of chargebacks right after they upgraded to accept chip-based cards. Issuers have been passing on costs, and surcharges on goods have risen in the last few years.
Furthermore, with EMV and chip technology providing strong protection against face-to-face fraud, CNP fraud is increasing dramatically. The rise in total card fraud is driven by CNP fraud, which accounted for 78% of all fraud on Australian cards and rose to $417.6 million in losses in 2016. Fraudsters use a variety of techniques, including malware and phishing attacks to capture sensitive data or passwords, as well as masking tools to try to bypass security systems.
But there is hope. Given that CNP fraud accounts for more than three-quarters of Australia’s credit card fraud, the payments industry has commissioned significant research to better target preventative measures. The research indicates that easy-to-use emerging technologies like biometrics, geo-location, and social media analytics are providing new ways of authenticating transactions. New measures like compliance with the Payment Card Industry Data Security Standard (PCI DSS), tokenisation, and dedicated, real-time analytics tools are being explored. Even strong authentication techniques used for online banking, such as one-time passwords (OTPs), are being considered.
Preventing payment fraud and chargebacks requires coordinated effort and focus at every level, from issuers and merchants to consumers. The world of payments is changing every day, and it is only with rapid technological innovation that we can combat fraud in this highly connected digital environment.