PCI DSS Compliance: Card Not Present (CNP) Fraud – what does this mean?
Card Not Present (CNP) Fraud – why is this so appealing to criminals?
Recently we have seen an increase in companies that have experienced Card Not Present (CNP) fraud. As a result these companies have then ultimately received mandatory forensic investigations, conducted by the Payment Card Industry (PCI) Council, under the guidance of the card brands.
The impact to business is potentially huge and with the reputational as well as financial costs involved affecting organisations locally as well as nationally.
The card brands work very hard and closely with the merchants to ensure additional security procedures are followed when taking CNP transactions. As the merchant has no opportunity to meet the customer, or check the card, it remains highly appealing to fraudsters, who then sell on these goods for cash.
The CVC (Card Verification Code) -also known as CVV, CSC, CVV2- are additional security checks to ensure that there is a data match for the cardholder against the card issuer database, along with the numerics from the cardholder’s billing address. If this data is matched, the merchant will receive an authorisation, detailing the data elements that match.
Merchants can implement this additional security element to allow themselves an informed decision, based on the matching data result, and whether to proceed with the transaction.
Advice for mail order and telephone transactions:
- Check new business clients using the internet, and see if company details match on known company check websites;
- Test contact details;
- Does the telephone number relate to the business customer?
Advice for eCommerce (website) transactions:
- Monitor transactions and identify or flag suspicious activity – The Payment Service Provider may help with this;
- Check repeat orders and patterns that may raise levels of suspicion, such as same email address, IP Address;
- Test your customer’s details, phone and email them to check validity – especially if you have any suspicions.
Train staff how to deal with suspected fraud
Train your staff regularly and have a breach/ fraud process ready, detailing what to do if you suspect fraud, and the key contacts for reporting it.
Don’t make it easy for criminals
This type of fraud appears to be on the increase, and with so many poorly managed websites and hosting providers that ‘claim’ to be fully PCI compliant, the fraudsters are having an easy job of extracting transaction data and ultimately card data to use with this type of fraud.