by Adam Feber
With the recent rollout of EMV technology in the United States, many merchants are particularly concerned with how the new technology will impact card not present (CNP) fraud.
And if you’re not, you should be.
For subscription-based businesses, such as SaaS companies, CNP fraud can impact your recurring revenue. Below we will cover:
- What are EMV cards?
- How will EMV cards lead to more CNP fraud?
- Best practices to reduce CNP fraud (and churn) for subscription-based businesses…
Wait, EM-what? What are EMV cards?
EMV actually stands for Europay, MasterCard and Visa. In the 1980’s, the standards were defined by these three companies.
EMV is a global standard for cards equipped with computer chips and the technology that ensures secure and seamless operation between the chip-cards and terminals.
The magnetic strips on traditional cards contain data that never changes, so once someone has that data they can use it again and again. This is typically the case with counterfeit card fraud.
Every time an EMV card is used for a Point of Sale (POS) purchase, the chip creates a unique transaction code that can’t be used again. If a hacker gains access to the POS data and transaction codes, they can’t use the one-time-only codes to make additional purchases. If they attempt to, the card will be denied.
If you didn’t notice Point of Sale (POS) in those sentences, you need to.
If a hacker is able to steal any card number and expiration date (EMV or not), they can still use that information to make Card Not Present purchases (the livelihood of a subscription-based business). Or at least they can attempt to — we’ll go into CNP fraud detection in a minute.
How will EMV cards lead to more CNP fraud?
While always a problem, card fraud has doubled in the last 7 years and the United States is introducing EMV in an attempt to reduce it. Smart Card Alliance estimates that approximately 120 million EMV credit cards have already been issued and that number is projected to reach nearly 600 million by the end of 2015.
According to the other 80 plus countries in the world who already use EMV, United States merchants can expect a decrease in overall card fraud losses following the EMV rollout.
From those same countries we know we can also look forward to an increase in Card Not Present fraud as a direct result of implementing EVM.
ZDNet.com reported, “Data from the UK, France and Australia show CNP fraud accounting for a greater portion of overall fraud during and after each country’s respective EMV migrations. In the UK, where the EMV liability shift occurred in 2005, CNP fraud increased almost 40 percent over a span of 10 years.”
It is estimated that CNP fraud losses in the United States will exceed $6 billion by 2018.
FICO explains, “Criminals will continue to pursue the weakest link and with the introduction of EMV they will target new channels.”
Non-POS purchases are already more prone to card fraud so they aren’t necessarily new channels, but experts (and history) agree they will be hit harder now that EMV has been implemented.
Best practices to reduce CNP fraud (and churn) for subscription-based businesses:
First, don’t panic. “Panic leads to risk-averse, highly conservative policies, which might be great at blocking fraud, but which will be equally great at blocking genuine customers.”
There are many precautionary steps you can take to help combat CNP fraud concerns while keeping your subscription business running smoothly.
Ask for as much billing information as you can stomach:
Many companies try to remove friction by asking for the bare minimum when it comes to billing information. While that works for conversion rate optimization, it can leave you more vulnerable to CNP fraud. Above and beyond the basics, ask for the CVV and billing address:
- The Card Verification Value (CVV) is the 3 or 4 digit number that only the cardholder should have. Requiring and verifying this number will help eliminate fraud.
- Address Verification System (AVS) is a system used to verify the address of a person claiming to own the credit card. Verifying the billing address is just another precaution to help eliminate fraud.
Familiarize yourself with your payment gateway’s policies and tools available:
All payment gateways provide some degree of fraud detection and prevention. It is good to know your payment gateway’s policies, tools, and services available to help combat fraud. For example, Address Verification System (AVS) mentioned above is usually something that needs to be enabled via the payment gateway’s settings.
And with the flood of new cards being issued in the United States, many payment gateways provide an account updater service that may need to be enabled. While these services only work for certain credit card companies such as Visa and MasterCard, they will check monthly for newly issued credit cards and automatically update card numbers, expiration dates, etc.
Effective dunning is key to help reduce churn:
Not only are there a lot of new cards being issued, payment gateways are becoming more stringent with validation guidelines.
Most declined transactions are due to an invalid card number, expiration date, or CVV, but a decline can also be related to suspicious activity, a suspended card, or various other reasons.
Dunning is the process of communicating with customers to resolve billing issues prior to account cancellation. So when a card is expired or declined, retry logic and communication are key to correcting issues and reducing unnecessary churn:
- Set up system emails that let a customer know their card on file is going to expire soon. Give the customer ample time to update their billing information prior to the next scheduled transaction.
- Don’t just cancel or suspend an account after the first failed transaction. Use smart logic to retry multiple times before taking action.
- Have dunning emails in place to alert the customer each time a transaction fails with instructions on how to check and update billing information.
For more information on dunning best practices, check out our post on “Dunning 101: The Art of Retaining Past Due Accounts.”
If a transaction looks suspicious, do your homework:
While you can’t manually analyze every transaction, sometimes suspicious activity stands out. In this case, a few minutes of investigative homework can help identify fraudulent activity.
Here are a few red flag examples:
- Is the shipping address in a different country than the billing address?
- Did you get a large conversion from an account that never interacted with sales or support?
- Is a paying account not using your product/service? i.e. no logins, account not configured, etc.
At Chargify, we recently had a large conversion from a customer that never interacted with our team. This is out of the ordinary so we did our homework. We called the provided phone number which led us to an escort service! We immediately knew something was up, and got in touch with the actual company the customer was trying to impersonate – they were very appreciative of our outreach.
Stopping the spread of fraud starts with security:
In order to prevent CNP fraud from happening, it is mission critical that your company make security a top priority to protect yourself and your customers.
- Always use SSL encryption when passing ANY account information, even if it’s not sensitive billing information. If someone can gain access to an account, they may be able to steal billing information. Always use HTTPS!
- Make sure you are PCI compliant or your recurring billing services are! Chargify takes great pride in being Level 1 PCI Compliant, maintaining the the highest level of security for a service handling sensitive payment data.
EMV chip cards are here to stay. Hopefully we shed some light on what the EMV buzz is all about and how you can combat CNP fraud issues while keeping business operations (and recurring revenue!) running smoothly.