The card-not-present balancing act
Protecting consumers against fraud while ensuring a frictionless experience comes down to smart authentication and industry collaboration.
In the early days of the internet, a cartoon appeared in the New Yorker magazine that highlighted the vulnerabilities of online privacy.
The now-famous phrase “On the Internet, nobody knows you’re a dog,” was created a full year before the first-ever ecommerce transaction in 1994. Once money began flowing over the internet, the need to authenticate both buyers and sellers gained even greater urgency.
The last 18 months have witnessed a rapid acceleration in digital commerce. To understand the change, it helps to reflect on the history of ecommerce. Despite the early hype (remember Webvan or Pets.com?), online shopping has enjoyed a steady, but not exactly meteoric rise. In fact, it took 20 years for ecommerce to reach 10 percent of total retail sales in the U.S.1
That brings us to 2021, with the shift to online shopping accelerating in large part because of the COVID-19 lockdowns. Across Visa’s network, card-not-present (CNP) volume, excluding travel, continued to grow over 30 percent in the second quarter of 2021 and was 55 percent above 2019 levels primarily driven by retail spending. Global card-not-present credentials, excluding travel, grew over 20 percent in the second quarter of 2021 versus last year.
While the pandemic served as the catalyst for the accelerated growth of ecommerce, continuous improvements over time in the digital commerce experience paved the way. Swee-May Ngeow, Vice President, Head of North America Go to Market & Solutions at Visa, explains, “Today, consumers can pay with one click at checkout or transact through invisible payment experiences, like paying for rideshare in a mobile app. These digital commerce experiences, combined with advances in security, helped lay the groundwork for the growth we’ve seen in 2020 and 2021.”
Silver Linings and Dark Clouds – CNP Fraud Growth
While Ngeow is quick to celebrate the ingenuity and resourcefulness that enabled businesses of all sizes to serve their customers during the pandemic, she has a responsibility to assess the risks associated with every form of digital commerce.
As the world switched to shopping online, sophisticated fraudsters have redoubled their efforts to exploit vulnerabilities in the payment chain. This has resulted in four times more CNP fraud than card-present with 2021 losses estimated at $6.4 billion.2
Part of Ngeow’s remit is to address CNP fraud so online commerce can continue to grow without compromising the integrity of the payment system. Customers expect the online shopping experience to be as simple and easy as tapping to pay at checkout or sending funds to a friend via a peer-to-peer app. Undue friction in the checkout experience leads to customer frustration and ultimately lost sales.
A total of 18 percent of U.S. consumers said they abandoned an online shopping cart because the checkout experience was too long and/or complicated.3 In other words, it is possible to add multiple layers of security that all but eliminate the risk of fraud, but if those layers add too much friction, there is a risk that consumers will not complete the transaction.
Friction comes with real costs for issuers and merchants. Ninety-five percent of cardholders whose CNP transactions are declined will reportedly take one of two paths: more than half (51 percent) select another card in their wallet and 44 percent shop elsewhere.4
These declines add up to projected losses of $443 billion in 2021, or 70 times higher than the actual fraud losses from CNP transactions.5
“We need to optimize the consumer experience while minimizing fraud,” Ngeow said. Recognizing these aspirations are sometimes in tension, balancing both priorities requires a coordinated effort on the part of issuers, acquirers, processors, and merchants.
There is no “silver bullet” to striking this delicate balancing act, but there is an industry-wide effort to apply technology, expertise, and partnership to tip the scales in favor of a better long-term experience for everyone.
“Continuing to improve the security and simplicity of CNP transactions is one of the most important priorities across the industry right now,” said Ngeow.
Higher Approvals and Lower Fraud: Pipe Dream or Reality Within Reach
The Holy Grail for Ngeow is a state where technology and cross-industry collaboration combine to increase CNP approval rates, while reducing fraud, leading to a more satisfying experience for merchants and consumers.
According to Ngeow, it starts and ends with improving confidence in every transaction and this comes when certainty in the consumer credential is high. In short, how can you verify that it’s a dog on the internet?
Across the industry, there is broad agreement on the strategy required to improve CNP security by:
1. Improving the Credential
The first point of vulnerability that fraudsters exploit is capturing sensitive cardholder data. Fraudsters are alert to the fact that there is an enormous amount of fraud that can be perpetrated with just a consumer’s primary account number (PAN) and expiration date.
The most effective way to reduce fraud and thereby improve the CNP payment experience is by reducing access to PANs either stored temporarily at a merchant, acquirer, or processor. One of the most effective ways to reduce that risk is through the use of digital tokens.
Tokens replace a cardholder’s 16-digit account number with a unique dynamic identifier. So, even if a transaction is intercepted by criminals, the information they have access to is useless. One way to think about tokens is akin to an armored truck filled with promissory notes, rather than cash – even if you can get into the truck, the notes can’t be used. A recent Visa study shows a 3.2 percent authorization lift on average for tokens compared to PAN.6
2. Enhancing the ID and Verification the Credential
A key enabler of decreasing fraud and increasing approval rates in digital transactions is sharing data that can help verify the consumer between merchants and issuers. The more that both merchant and issuer can be confident that the consumer on the end of the transaction is the actual account holder, the more confident they can be that the transaction is a good one that should be approved.
To help this, industry leaders including Visa have developed and evolved a standard called EMV 3-D Secure (3DS) to help merchants and issuers authenticate CNP transactions. The most recent evolution of the standard enables merchants and issuers to share more than 135 data points to improve decisioning and fraud detection.
Visa Secure, which is based on the EMV 3DS standard, provides a way for sellers and issuers to share, compare and validate this data – like recognizing the mobile device is the same – and then attach the results to the authorization message.
Visa reports a 1.1 percent increase in approval rates and a 35 percent decrease in fraud vs non-3DS transactions when U.S. merchants send 25 percent or more of CNP transactions through 3DS.7
Visa has also expanded on the capabilities of secure tokens to develop a framework that gives card-not-present tokens an effective way to enhance the consumer ID & Verification (ID&V). Visa’s Cloud Token Framework (CTF) does two main things:
- Allows for the association of a CNP token to a user’s device or devices with issuer-driven consumer verification, and
- Captures that device data for use in the authorization data flow. This combines the more secure credential of tokens with the ever-important ID&V of the consumer, strengthening overall confidence in the transaction.
At its core, CTF enriches the card-not-present transaction data flow. Until now, the transaction data would flow from the merchant through to the issuer with little reference to the device being used. With quality device data in the cloud token framework, issuers are enabled to tie the transaction to a known customer’s device, which leads to better data decision-making, and ultimately increased authorization rates.
And it’s not just for associating the token to a single device, but the token can actually be tied to multiple devices, ultimately enhancing cross-device payment experiences. Now, not only do you lower the risk of account takeover fraud, but you reduce the friction in a user’s experiences across their devices as well.
Gaining Momentum With Room to Grow
Ecommerce and CNP have come a long way from the early days of dial-up modems and multi-step form filling. What was once a niche activity has become the default way to shop for millions of people across North America. With the advances in online shopping, it’s easy to think we are nearing the end of the evolutionary curve.
Not so, said Ngeow. She likened the current state of ecommerce to early adolescence. In other words, there is a lot of potential and growth, but there are plenty of kinks to iron out. Not least of which is applying technology, expertise, and collaboration to strike the right balance in favor of robust authentication, authorization, and seamless commerce. “We have the wind in our back; it’s up to the industry to ensure the momentum generated and accelerated is not lost.”
Last updated: October 2021
Stay current with the latest payments insights from Visa Navigate North America – subscribe today.
All brand names, logos and/or trademarks are the property of their respective owners, are used for identification purposes only, and do not necessarily imply product endorsement or affiliation with Visa.
1 Source: U.S. Department of Commerce. https://www.census.gov/retail/mrts/www/data/pdf/ec_current.pdf
2 The E-Commerce Conundrum: Balancing False Declines and Fraud Prevention, July 2019, Aite Group survey of 100 U.S. e-commerce merchant executives
3 Source: https://baymard.com/lists/cart-abandonment-rate
4 Addressing the Threat of False Positive Declines, Javelin Strategy & Research, Oct 2018
5 E-Commerce Conundrum: Balancing False Declines and Fraud Prevention, July 2019, Aite Group survey of 100 U.S. e-commerce merchant executives
6 Visa Token Service Fact Sheet, June 2020
7 Source: VisaNet, Auth Time period: 01/21 – 03/21 , Fraud: 10/20- 12/20 comparison of ECI 5 & 6 vs. ECI 7 transactions. Data normalized for risk by applying Visa Advanced Authorization (VAA) distribution - real-time inflight risk score on Visa authorizations
Share Feedback