Fraud exists – has always existed. Whatever the method of payment or the value attached, there is a way to steal.
Our job should be to make it as hard as possible to steal… but at the same time we are pressured to make it easy to pay for things.
From cardholders to merchants to banks, card payments are a fantastic and easy way to make stuff happen, like buying a coffee, booking a dream holiday or ordering that late-night takeaway. Where we need to introduce friction into the buying journey, the industry has been thoughtful and methodical, but not always entirely sensible, in making payments easy. Let’s break this down into card present and card not present:
Card Present Fraud
Magnetic stripe is decades-old technology – a £5 card reader and a little bit of creativity could create a counterfeit card which could spoof the system undetected. As card payments grew, so did the prevalence of this type of fraud. The solution was simple: upgrade to Chip to prove the card is genuine, and then enforce PIN to ensure the cardholder is genuine. Pretty expensive at the time and now historic in the UK, but a very live issue in markets like the US.
The fraud migrated to markets which did not enforce Chip – mainly the US or Asia. Moving the liability for this fraud to the least secure party has achieved global Chip rollout and very low fraud rates.
Card Not Present Fraud
As card not present transactions became a mainstream method of payment, fraud ballooned. All a fraudster needed was a card number and an expiry date and the deed was done. So the industry came up with solutions.
First, you can now ensure that the person paying has the card by printing a card verification value (CVV) on the signature panel. This generally works great, but these values are worth something to fraudsters and can be bought, sold and traded, so their value as a fraud prevention tool is diminished. CVV is not terribly disruptive to cardholders, other than them either remembering it or pulling their card out of their wallet when paying online.
Secondly, in instances when CVV became less helpful or reliable, the industry came up with 3D Secure – commonly known as Verified by Visa or Mastercard SecureCode. This technology does introduce a disruption in the payment process, as the cardholder has to enter a credential of some kind when paying online. 3D Secure is not well loved: customers hate it (they have to remember a password), merchants hate it (the interruption of the checkout flow and associated drop-out outflanks any chargeback shield they get) and banks don’t especially like it because, despite fraud being low, it costs money to administer and some customers just don’t like it. 3D Secure is evolving, in that most issuers are using data to make smart decisions about when to challenge or disrupt the cardholder. With that said, and with online payments becoming easier, the regulator got involved.