Ai Editorial: Shielding card-not-present transactions with customized KPIs

First Published on 2nd January, 2017

Ai Editorial: Airlines need to create their own fraud mitigation strategy, set up customized KPIs in conjunction with detailed data analysis to protect themselves, writes Ai’s Ritesh Gupta


Are merchants, acquirers, issuers etc. equipped with the necessary arsenal to combat card fraud? Is the card-not-present environment still susceptible to fraud?

As a specialist in this arena, Chargebacks911’s COO, Monica Eaton-Cardone, says payment card fraud will always be an issue—it will never be completely mitigated. “Wherever there is a chance for profitability, there will be criminal activity. And, each new technological development introduces a new avenue for fraud, meaning detection and prevention efforts need to be just as agile,” she says. Despite all this, she believes the current security situation is the best we’ve seen it since the inception of payment cards. “Our society in general is well aware of the threat and is eager to address it. We aren’t denying the danger—which I think is an important step. The real challenge is to ensure attention to security spans all channels and all sales methods. Unfortunately, to date, security efforts have been inconsistently applied. EMV technology effectively mitigates card-present risks. Biometrics make mobile wallets virtually fraud-proof. But very little effort has been made to protect the card-not-present environment.”

Improving upon the traditional way of securing payments

Just a month back, research by Newcastle University in the U.K. indicated that working out the card number, expiry date and security code of any Visa credit or debit card “can take as little as six seconds”.

For their part, Visa stated that this study didn’t consider other layers of security such as its Verified by Visa system.

Michael Roche, Vice President, Consumer Authentication, CardinalCommerce, mentioned that Visa does have mechanisms that track frequency of payments across Card-Present (CP) and Card-not-Present (CNP) orders. “Unfortunately it’s limited by the information within the ISO8583 authorization spec. What Visa is doing though is exposing a whole host of risk and authentication capabilities. You can get to all of these through Visa Checkout right now. In the future you should be able to get direct access. (Checkout Visa Developer). Visa also supplements all their network data through the 3DS protocol. The 3DS protocol provides visibility into all the important info that the ISO8583 spec does not. CVV2 and AVS are antiquated solutions and once you deploy 3DS your reliability on them will be reduced. I do agree that these checks are past their prime,” said Roche. He added, “If you have a Rules Based Authentication (RUBA) 3DS solution and you are transacting with a Risk Based Authentication (RIBA) issuer you only need to rely on that RIBA issuer’s authentication response and it’s yes or no. Doesn’t get any better than that online.”

It’s every ecommerce player for themselves

Monica says it is not advisable for merchants to rely exclusively on card schemes for a safe and secure payment processing environment. “Just like everyone else in the industry, the card networks were initially caught off guard with the explosion of ecommerce growth and were ill-equipped to handle emerging threats,” she says. “Unfortunately, right now, it’s every ecommerce player for themselves. Retailers, airlines, OTAs, PSPs, banks—everyone needs to critique their own individual risk exposure and create a customized mitigation plan. Fortunately, there is an abundance of effective products and services available to choose from that will help ensure success.” In doing so, it is important to consider a few necessities. First, individual tools or solutions need to be incorporated into a comprehensive strategy and evaluated against a profitable level of risk exposure. Second, risk mitigation needs to be dynamic—what worked yesterday might not work tomorrow.   

Hackers are getting better

With the advent of greater tech advances, hackers themselves are also relying on machines to write algorithms to hack systems and crack codes, and they are getting better and quicker at it, Justin Lie, Group CEO, CashShield, a SaaS based self-learning fraud prevention solution for ecommerce, says. Other than capitalizing on vulnerabilities of a credit card or a debit card, hackers are also creating fake accounts on e-commerce sites to run hacks on the stolen credit cards. Therefore, much greater effort is needed to strengthen the current infrastructure, and it will have to be a combined effort between card schemes, PSPs and merchants to prevent cybercriminals from getting away too easily. Currently, there is a lack of information and transparency between merchants, PSPs and card schemes, while merchants receive almost no protection against fraud losses, since they have to bear the cost whenever unauthorized chargebacks are filed. “This broken line of communication should be fixed, while each stakeholder must understand the fragility of payment card security and where they stand in the ecosystem, or it would be difficult for the situation to improve. In the meantime, merchants themselves should also invest in identity management in authenticating fraudulent accounts (or hacked accounts) to protect themselves,” says Lie.

What to fix?

Monica admits that merchants definitely suffer from the industry-wide lack of transparency. “But I’d actually argue everyone involved in card-not-present transactions experiences consequences. I’ve been saying this for years: a lack of consistently applied standards and compliance with those standards is increasing costs and causing needless revenue loss. This is the problem we need to fix.”

Airlines and OTAs absolutely need to create their own fraud mitigation strategy.

Fortunately, the travel industry has a distinct advantage over many other industries, says Monica. “There is an abundance of personal information available for data analysis. Everything from frequent flyer accounts and past itineraries to in-flight purchases and travel companions can make fraud detection much more successful. Establishing and monitoring customized KPIs in conjunction with detailed data analysis can produce significant results.”


Ai is set to conduct the 11th Airline & Travel Payments Summit (ATPS) this year.

Date: 3 May - 5 May 2017; Location: Berlin, Germany
