Doing business in the modern world comes with a long list of risks. But one of the biggest threats facing companies today is undoubtedly cyber-attacks. With data breaches happening almost weekly, and cyber insurance prices sky-rocketing, it’s important that companies do all they can to protect their customers from fraud.
Card-not-present (CNP) is one of the most common and fastest-growing channels for fraud. In fact, CNP fraud now accounts for 70 per cent of all card fraud, which is unsurprising considering the significant increase in payments made by phone and online.
Interestingly, Europe seems to be suffering the most when it comes to CNP fraud – this may be due to it being the first region to adopt EMV technology, or Chip and PIN, during the 1990s. In contrast, the US began implementing EMV much more recently, and while the region currently experiences less CNP fraud than others, it is very much on the rise as more merchants begin offering EMV as an option for more secure payments.
The term CNP payments covers a whole range of multichannel payments. These include all payments made over-the-phone, which remains a popular choice for consumers, despite the rise of ecommerce and online payment channels. In fact, a recent study by Google found that 61 per cent of mobile users call a company when they are ready to make a purchase.
Mail-order payments, though not as common as they used to be, are another form of CNP payment. If you order something through the post via a catalogue, or through a fax machine, these also fall under the umbrella of CNP payments.
CNP payments account for all transactions made over the internet. An exciting new development by Facebook has recently allowed consumers to buy through a chatbot. Although this sort of CNP payment is currently only available in the US, the tech giant expects it to be an extremely successful feature the world over, once it’s launched across the different regions.
But it’s much more than just sales via Facebook: all other online transactions come under the umbrella of CNP payments. For example, when you purchase a t-shirt online from a retailer like NEXT, or do your weekly food shop on Ocado, these are classified as card-not-present transactions.
Research conducted by AXA in 2016 found that in the previous year, 7 in 8 purchases in Europe were made online, and with phone payments and ecommerce on the up, the threat of CNP fraud will continue to rise. According to the Nilson Report, in 2015, fraud losses to merchants occurred overwhelmingly from CNP transactions, and the problem is only getting worse. Worldwide losses from card fraud are predicted to reach an eye-watering $31 billion by 2020.
With this in mind, there are some key practices that businesses should be relying on, to protect their customers from CNP fraud. Here are our top six pieces of advice:
1. Use fraud detection software
There are a number of fraud prevention tools that merchants can use to pick up on fraudulent activity, including 3D Secure payments and Web Application Firewalls. These can supplement your payment systems and help keep your customers’ data safe by detecting if any illicit activity is taking place. However, when adding levels of security, you must make sure that any new measures don’t also add friction to the sales experience or cause your customers to abandon purchases, as this will affect sales figures regardless of whether it’s online or via the phone.
2. Hide your data
Holding some customer data, however, is sometimes unavoidable. To protect customer information from being hacked when it’s not in use, make sure it is obscured and encrypted. This means that any hacker trying to access personally identifiable information (PII) won’t be able to read it or use it for fraudulent activity.
3. Keep your employees informed
One common way that fraudsters can do a lot of damage is through the use of phishing emails. These are emails sent to your employees by someone pretending to be a colleague or even a customer. These emails may ask your employees to move money into a different account, enter their password, or send a customer’s personal details. It’s important to keep your employees informed about these sorts of risks, so they can always be on the lookout for fraudulent activity – and know when they need to report suspicious emails. Ultimately, you can implement a host of data security technology, but if your employees aren’t educated about the threats that they face, the company will be left exposed and could well suffer a data breach.
4. Be on guard against insider threats
While a hacker can do serious damage, the threats that sit inside your company can’t be ignored. While these insider threats come in many shapes and sizes, one simple practice within contact centres is exacerbating the risk. Pause and Resume call recording, also known as stop/start, is a common data security solution used by contact centres. The technology works by pausing the call recording when your customer is reading payment card details out loud. The recording is then resumed once the sensitive information has been taken. But this practice means that employees could easily write down your customer data to use for their own fraudulent purposes, or even sell it to the highest bidder.
5. Stay on top of regulations
The Payment Card Industry Data Security Standard (PCI DSS) was created to offer increased protection to customers against card fraud. Compliance with this standard is not only compulsory for all organisations that take card payments, but many of its requirements are designed to help safeguard your customers’ card details. With the ever-changing regulatory landscape – the EU GDPR and UK Data Protection Bill are just around the corner – it’s important to stay on top of these regulations to keep customer data safe, and ensure your company doesn’t find itself facing a hefty fine.
6. Protect your contact center
With more customers turning to the phone when it comes to making a purchase, your contact center remains an integral part of your business. Therefore, making sure it adopts a stringent approach to data security is extremely important. Companies can invest in technologies like Semafone’s Cardprotect, which reduces the risk of fraud by allowing customers to type their card details directly into their telephone keypad while staying on the line with the agent instead of reading them out loud. But even more importantly, it allows companies to pass this data straight to the payment service provider (PSP), bypassing the internal IT system entirely. This means you end up holding minimal card data; a huge benefit when it comes to stopping hackers from stealing customer information.
To ensure your company is fully protected against the potential damage of CNP fraud – whether that’s reputational or financial – you need to have the right data security in place. Implementing these steps will help reduce the risk to your organization.