Security in a new recovery landscape: How to protect customer data

Fraud Rate Declines as Spending Trends Evolve

Digital payment volumes have consistently increased since the first lockdowns began in March 2020 with volume levels stabilizing much higher than historical averages. From early March to the end of May 2020, Card Present (CP) volume declined by ~20 perecent while Card-Not-Present (CNP) volume increased by 20 perecent. If travel is excluded, CNP volume actually increased by 40 perecent.

One year later, CP spend was growing at 4 perecent while CNP volume excluding travel continued to grow over 30 perecent in the second quarter of 2021 (VisaNet). Improving card-present spending did not slow e-commerce, indicating that the e-commerce trend is likely to continue even as card-present spend recovers. While these figures are specific to the U.S. market, we have observed similar trends globally across both mature and emerging markets.

The sprint to digitizing everyday consumer interactions and experiences, along with volatile spend patterns and the emergence of highly motivated and creative fraud rings, created expectations for a significant increase in fraud. While there were spikes in certain segments, such as government disbursements, Visa data shows that the overall global fraud rate in CY2020 actually decreased by 4 percent while payment volume remained flat year-over-year.

This reduction in fraud is partly due to the proper management and transition to digital-first channels by adopting secure technologies like tokenization and contactless. In addition, the shift towards domestic transactions which generally have lower fraud rates than cross-border transactions played a major role in the fraud reduction. In fact, estimates prior to COVID-19 assumed the fraud rate would have increased by 5 percent over the past year based on domestic/cross-border channel mix before the pandemic.

The industry needs to be vigilant to continue to protect the payments ecosystem as recovery efforts continue and commerce grows and expands, both domestically and across borders. Below, Visa offers a look at new threats presented by fraudsters and areas of continued investment for ongoing safety and security of payments, and ultimately a smooth recovery for all involved.

Account Onboarding & Management: Verifying consumer identity became a major challenge given the nature of the pandemic, creating opportunities to engage in application fraud and synthetic identity fraud. Visa observed fraudsters obtaining personally identifiable information (PII), which generally contain the victim’s full name, address, date of birth, social security number, driver’s license, and payment account information. They then use the PII data to fraudulently apply for accounts that are monetized, both domestically and cross-border, through purchases of cryptocurrency, gift cards, electronics, and of person-to-person (P2P) transfers through mobile payment applications.

Visa recommends:

• Leveraging AI to detect irregular use of identity elements during the application process to approve the right applications while detecting fraudulent behavior.
• Providing the ability to set card restrictions and alerts to identify unauthorized charges once the consumer is on-boarded.

Authentication: Impersonation attacks have been popularized, taking advantage of the virtual nature of consumer interactions today. Visa has seen examples of issuers who report that their legitimate customers receive One-Time Passwords (OTP) for 3DS transactions they did not initiate, which were later validated by fraudsters and approved, resulting in multi-million-dollar fraud losses. Threat actors are purchasing, or compromising, payment accounts and other PII, including e-mail and e-mail password, which allow them to enter a legitimate OTP during checkout. Consumers are also being “phished’ with criminals calling them on the phone pretending to be from their financial institution asking for their personal information. Criminals have gotten so sophisticated that they will do their research to make sure they know who a consumer banks with, and manipulate the caller ID to reflect the name of that bank.

Visa recommends:

• Enabling data-led authentication to confirm the customer’s identity through behavioral analytics, device data, etc. while providing access to sophisticated, secure authentication methods such as Biometrics.
• Focus on educating consumers about the latest fraud schemes and ways they can proactively protect themselves.
• Protect Acquirer and Merchant web assets (including APIs) from unauthorized use by bots.

Authorization: Throughout the second half of 2020, enumeration, which is the scalable and automated testing of common payment fields via ecommerce transactions to effectively guess the full payment account number, CVV2, and/or expiration date, remained a leading threat to the payments ecosystem. In fourth quarter of 2020, the number of enumerated accounts identified was up 9 perecent quarter-over-quarter, while the CNP fraud associated with the enumerated accounts has remained flat over the same period, implying a low success rate in fraudulent activity on enumerated accounts. Regardless of their low efficiency, these attacks impose significant operational costs on issuers and merchants. For instance, Visa data shows that the approval rate for a merchant that suffers an enumeration attack does not revert to its normal average until 2 months post-attack, resulting in lost legitimate sales.

Visa recommends:

• Utilizing fraud-detection systems that support device fingerprinting and botnet detection.
• Monitoring the velocity of small and large transactions and using velocity checks for low amounts or authorization-only transactions.
• Providing the ability to link authentication data to the authorization method for smarter decisioning.
• Refining authorization strategies through tailored rules engines and optimized rules strategies.

Dispute Resolution: First party misuse is a significant challenge for the industry, resulting in as much as $50B each year in costs,¹ and the current economic conditions are exacerbating the trend. So Visa is looking at solutions both in the near- and long-term, by leveraging chargeback management tools to facilitate the greater exchange of data between merchants and issuers as well as evaluating potential rules to curb first party misuse transactions.

Visa recommends:

• Facilitating greater communication between Issuers and Merchants/Acquirers to help reduce friendly fraud and keep accounts active thereby avoiding dispute processing & management costs.
• Expedited path for dispute resolution and automated, self-service options for clients.
• Workflow-based dispute processing platform and supporting service for clients to achieve improve dispute recovery rates.

Performance Optimization: Lastly, due to the rush to digitization, a majority of firms have not had the time to stand up their own integrated data infrastructures to maximize their insights into consumer behaviour. The shift from cash to digital payments will require business to rethink their risk models across their consumer touchpoints, and rethink how to optimize the delivery of their services through digital channels to deal with the fraud vectors discussed.

Visa recommends:

• Optimizing performance through peer data benchmarking and data driven insights.
• Developing and implementing security strategies tailored to business objectives and deploying custom developed optimization strategies.