August 19, 2016
FICO Identifies Growing Threat of CNP Fraud
By D.J. Murphy, Editor-in-Chief
For nearly 20 years, predictive analytics firm FICO has gathered information on millions of payment card transactions per year to form a picture of card fraud in the U.S. In an analysis of credit- and debit-card losses in 2011, FICO, the company that set the standard for measuring consumers’ credit risk, found that overall fraud ticked up, but fraud in card-not-present transactions increased significantly. FICO found in a recently released fraud study that CNP-fraud losses increased at twice the rate of counterfeit-card losses.
While the same trend has been attributed in other countries to the introduction of Chip-and-PIN cards, in the U.S.—where the EMV standard has yet to be implemented—other factors are at work, according to Doug Clare, vice president of product management at FICO. Prominently among them is the explosion of debit use, even online where consumers traditionally have been reticent to pay with debit.
“We’ve been seeing this shift for a while,” Clare said. “Clearly there are more transactions, especially on the debit side. Debit transactions have increased pretty significantly as consumers have gotten more accustomed to using debit for darned near everything.”
In addition to growth in online transactions in general, and debit transactions, specifically, Clare said part of the increase in CNP fraud can be explained by the relatively safe environment e-commerce provides to fraudsters who need to test stolen card data. Fraudsters are collecting the data itself via highly publicized data braches and, during the year examined in the report, increasingly by skimming.
“So the breaches happen the way they do,” Clare explained, “but when they happen now, it’s more likely that the card data that has been breached and is now out in the black market will be used in online fraud than somebody punching out plastics. It’s easy, anonymous, cheaper and it works.”
Testing and using stolen data online rather than using it to counterfeit plastic cards is a natural for fraudsters, Clare said. Not being required to produce a physical card eliminates a piece of evidence that could implicate a thief.
“If you don’t have a bunch of white plastic in your pocket, it’s going to be harder to prove you’re a fraudster,” he noted.
Clare said the shift from counterfeit to CNP fraud has been underway for several years and, with the U.S. on the road to implementing the EMV standard for payment cards, will only accelerate.
“What we saw in Europe as EMV rolled out over a few years, CNP fraud as a proportion of total fraud increased pretty substantially,” he pointed out. “Our anticipation is that the same thing will happen here. As it becomes really difficult to produce a piece of counterfeit plastic, CNP fraud here in the U.S. will accelerate as it did in Europe.”
So what’s an e-commerce merchant to do? The expectation is that fraud will continue to steadily increase in the CNP environment. FICO has worked mainly with issuers throughout its history (though its merchant client base is expanding) and Clare noted that financial institutions have compelling reasons to employ sophisticated anti-fraud solutions. But merchants, who have a bit more skin in the game, should not rely on issuers to fight that battle, he said.
“How businesses utilize analytics and how they approach detecting fraud depends on how they carry the liability,” he said. “The advice we give to merchants is you need to have a program in place yourself that utilizes advanced analytics to detect fraud. Issuers are doing it, but their interests and your interests are not aligned in every case.”
Regardless of how big or small a CNP merchant is, they ultimately are responsible for protecting themselves from what FICO has identified as a growing threat.
Said Clare: “Don’t leave the job to the issuers.”