Getting Ahead of the Curve: Assessing Card-Not-Present Fraud in the Mobile Payments Environment
The U.S. retail payments industry is undergoing significant change to secure card payments by migrating to EMV chip cards for card-present or point-of-sale (POS) transactions. Effective October 1, 2015, card network operating rules changed to shift fraud liability to the merchant if it was not enabled to accept EMV chip credit or debit cards. As a result, merchants have been upgrading their terminals to comply. Enabling EMV chip card acceptance at POS reduces card-present counterfeit fraud because the chip generates a transaction-specific cryptogram, so card data captured from a chip transaction cannot be replayed to produce a working counterfeit card. However, this is driving fraudsters to attack the more vulnerable online and mobile card-not-present (CNP) [1] channels, where authentication protocols are weaker, at a time when consumers are increasing their use of mobile phones to make CNP purchases. According to a 2016 Javelin study, consumer use of the mobile browser to make online purchases doubled from 2011 to 2016, and the availability of mobile apps to make online purchases is adding to that trend. [2]
Recognizing that these trends are predictors of future CNP growth, industry stakeholders are closely monitoring the CNP landscape and assessing existing security controls for gaps to understand what is needed to protect against new risks and threats. This whitepaper describes the work of the MPIW [3] to identify and analyze potential areas where mobile commerce is vulnerable to fraud and other threats. The analysis was conducted within a framework of four use cases to which existing wallet models were mapped. The group identified potential risks and threats for each model and then compared risks across models. They completed the analysis by outlining key controls and tools to enhance security for the wallet models within the use cases.
The whitepaper first provides an overview of the current CNP landscape (Section III). Context is based on the impact of CNP fraud in European countries and Canada after they migrated to EMV chip cards, and also shows the growth trends for e-commerce and m-commerce transaction volume. It then describes the framework used to analyze the four mobile CNP use cases and the subsequent comparative analysis across functions and risk factors (Section IV). The paper concludes by describing several gaps and issues associated with security approaches, as well as recommendations for industry stakeholders to consider for improving CNP payment security.
About the Authors
Marianne Crowe
Susan M. Pandy
David Lott, Federal Reserve Bank of Atlanta
Endnotes
1. Card-not-present payment occurs when a cardholder/card is not physically present when making a purchase, preventing the merchant from validating the cardholder as the card owner. Examples of CNP payments include internet (via mobile or PC/laptop), telephone, or mail order.
2. Javelin Strategy & Research. (2016, October). Mobile Online Retail Payments 2016.
3. The Mobile Payments Industry Workgroup (MPIW), convened by the Federal Reserve Bank of Boston Payment Strategies group and the Federal Reserve Bank of Atlanta Retail Payments Risk Forum, meets several times per year to discuss trends, developments, and barriers to adoption of mobile and digital retail payments, with a shared goal of building an efficient, secure, and ubiquitous mobile/digital payments environment in the U.S. For more information, see https://www.bostonfed.org/payment-studies-and-strategies/digital-mobile-payments-innovation-and-applied-research/mobile-payments-industry-workgroup.aspx.