Keeping Online Payments Secure…and Fraudsters at Bay

Protecting “card not present” transactions requires more advanced security methods.

Every time you use a credit card, you want a fast and speedy transaction that’s secure. Like when you’re shopping online this holiday season, you don’t want to be bombarded with multiple authentication requests, especially if you’ve done business on that site before. Those repeated requests for information can cause frustration and – much to a retailer’s chagrin – high rates of cart abandonment. In order to deliver a seamless customer experience, issuers and merchants must balance speed with enough payment security to protect the identity and finances of the credit cardholder.

The payment card industry has put a great deal of work into making sure they can offer an exceptional customer experience to its online consumers that balance security and ease of use. Though it may seem like a straightforward process, there are a number of systems at play powered by underlying technologies that were created to prevent fraud for the cardholder, the merchants and the issuers.

For National Cybersecurity Awareness Month, we’re taking a look at what those technologies are and how retailers can put them in place to accept secure, easy transactions.

The state of payment security

Credit has come a long way technologically since its inception as a concept. The very first credit cards were not even cards at all, but handwritten letters from banks declaring that the bearer had an account and that the shopkeeper could expect payment in a reasonable timeframe, often weeks. This created issues when the letter was stolen or out of date, let alone any issues with forgery or overdrawing on credit. It was not common for banks to go out of business suddenly and leave shopkeepers in the lurch for any payments due.

With the development of modern communications systems, the speed of transactions on credit sped up immensely. Now merchants know instantly whether a line of credit is good and receive payment almost as quickly. Various improvements have made the cards more secure as well.

Not too long ago, American cardholders were baffled by the introduction of credit cards embedded with security chips. Improvements like this have introduced a variation on two-factor authentication that requires not only the account number on the card, but the physical presence of the card itself.

This depth of security has factored into the world of e-commerce, itself enabled by the widespread use of credit cards. In this scenario, retailers must contend with the risk of not having the physical card present, which makes it that much easier for a fraudster to commit unauthorized use of the account. To address this, the payment card industry over the years has employed a number of methods to authenticate users such as: using static passwords, asking a series of security questions, or sending one-time passwords to mobile phones to verify a user. None of these methods are perfect, and some are certainly more effective than others. However, the constantly evolving threat landscape dictates that the payment security industry must continually up their game to get ahead of fraudsters before they strike.

This is why the industry is still hard at work improving security measures, especially for these risky “card not present” situations. Earlier this year, CA Technologies helped enable the processing of the world’s first production-grade online credit card transaction using a new, more secure industry protocol called EMV 3-D Secure. We’re proud that CA Payment Security Suite played a critical role in that pioneering moment that marked an important milestone in the payment industry; not only will it greatly enhance the online shopping experience for consumers, but it will also help banks, merchants and credit card processors thwart fraud, while improving customer satisfaction.

How can you ensure payment security?

Merchants and banks hoping to protect their customers from fraudulent credit card use should make sure they are leveraging the latest and most secure payment security services. For example, EMV 3-D Secure secures the payment authentication process by looking at a broader range of data elements to help make a more informed dynamic risk decision about each individual transaction. Three scenarios fall from this decision: 1) the cardholder is silently authenticated; 2) the cardholder is denied authentication; 3) the cardholder is challenged in some way (biometrics, OTP, push notification) to further authenticate.

The CA Payment Security Suite evaluates these online credit card transactions through a combination of model-based rules and sophisticated neural network models that are optimized continuously by assessing over 50,000 data elements (such as device, geo-location, transaction velocity, merchant id, transaction value, etc.) and analyzing up to 200 different variables.

It also helps to design the checkout experience with the customer in mind. Increasingly, shoppers are turning to their mobile phones to make online purchases. Therefore, issuers and merchants can truly work together to take advantage of advanced authentication methods such as biometrics using one’s fingerprint or face scanners that are not available on desktops and laptops. These options can speed up the entire check out process while making it more secure, making it a win for everyone – the cardholder, the issuer and the merchant.

Speed and security are frequently both at odds, but in the payment security space, we are able to attain both. The good news for issuers and merchants is that much of the work has already been done for them by members of the security and payment card industries. That said, it is important for them to keep up with the trends in the space and make sure their systems are enabled to take advantage of the latest technology advances in fraud prevention and enhance the customer experience.

About the author