Combating Card-Not-Present Fraud: A Rising Risk for Retailers

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

Card-not-present fraud is gaining popularity with nimble criminals who are increasingly stymied by the rise in chip-based credit card transactions. Cardholder data is more secure on a chip cards than on a magnetic stripe cards, as the chip cards support dynamic authentication for payments, while the magnetic stripe cards have static information, which can be used to create counterfeit credit cards.

The growth in chip-based credit card transactions is significant. Visa reports more than 500 million Visa chip transactions in July 2017, up 1050% since the same period in 2016. EMVCo, the organization facilitating the interoperability of EMV cards (most cards with chips fall into this category) reports that in the U.S. in 2016, 18.6 percent of card-present transactions were with EMV cards, up from 1.98 percent in 2015.

With the proliferation of chip cards and chip-card readers, retailers are more cyber resilient against payment card information theft than many holiday seasons prior. But cyber attackers are famously quick to find new vectors for their gain. As a result, cyber criminals have been increasingly targeting “card-not-present” transactions. This predominately applies to online shopping, as there’s no chip reader at checkout, and transactions online and in store using gift or rewards cards. As we gear up for holiday shopping season, below are some risks and recommendations to consider to stay secure.

Rapid detection is central to card-not-present ecommerce fraud

A common attack in ecommerce requires minimal code to execute, and without strong detection mechanisms, a retailer may never know it happened until a bank or a law enforcement agency comes knocking on the door. Here’s how it works:

Starting with the basics, in ecommerce transactions, the static credit card number written on the card is the only one that consumers can use, and once stolen, this data can be re-used in other card-not-present payment environments, such as at any other ecommerce site. Increasingly cyber attackers are hacking into retailers’ checkout pages to add code, often a JavaScript injection, directing that a copy of the purchaser’s credit card data be sent to a system controlled by the attacker. The credit card data is then sent both to the attacker and for processing by the retailer. This data could include credit card number, name, expiration date and three-digit security code.

Tip: Retailers who maintain their own payment processing software should use a file integrity management system to automatically flag any changes to code, specifically on web pages in which customers can input their payment information.  This way, if there are any erroneous changes, the enterprise can identify it ASAP. Retailers who use third-party software to perform transactions should ask their provider how they detect changes to code.

Resist gift card fraud by reducing the risk of account takeovers

This risk scenario applies to gift card systems and any loyalty programs in which monetary value is stored on a customer’s account. Many online shoppers use the same credentials on multiple sites, which helps the attackers. In this scheme, attackers are accessing retailers’ consumer website accounts using stolen credentials from other data breaches. Then once the attacker gains account access, they can use the consumer’s store credit to make purchases sent to themselves.

Tip: To reduce the risk of account takeovers and cyber gift card fraud, retailers should implement multifactor authentication. This way, attackers need more than a username and password for access, and customers will be alerted if a new device attempts to access their account. Another tip is to invest in online fraud monitoring programs, which monitor for any shipping address change or email address change to the accounts. Once a change is detected, the customer is alerted. Retailers could also use website analytics to detect signs of illicit activity. For example, if a single IP address accesses multiple accounts within a certain time frame, it could be flagged as suspicious activity.

Protect gift card databases with close monitoring for anomalous activity

Attackers are also committing card-not-present cyber theft by intruding on gift card databases, whether that’s at the retailer or on the network of third-party gift card issuers. Once inside the database, they can identify what gift card numbers have been issued and not spent, and then they can spend these gift cards themselves. This kind of cyber fraud leaves the genuine gift-card owner with a zero balance. In most cases, retailers themselves cannot detect these transactions as fraudulent, as any purchase will appear as a usual and expected transaction.

Tip: Gift card issuers must closely monitor their networks for unauthorized access. If this is a third-party, retailers should approach service providers with questions about their gift card database security protocols.

Card-not-present cyber attacks can happen to any retailer with an online store, who sells and accepts gift cards, or who uses online store credits. Retailers who have not migrated to 100-percent chip transactions also have to continue to protect themselves from the cyber risks associated with mag stripe use. (Last year, I highlighted key cybersecurity tips for legacy risks such as cardholder data dumping on Point of Sale systems, available here.) Risk for retailers is not only driven by the volume of transactions, but also the variety of payment types accepted. Mag stripe cards, chip-and-pin cards, chip-and-signature cards, retailer gift cards, bank brand gift cards, card-not-present transactions, and reward and loyalty programs with monetary value are already common payment types. This is not to mention more cutting edge online payment services and new currencies that create even a broader environment for attack. The most resilient retailers will be those who are well informed of the current threat landscape and stay a step ahead of the criminal element, while still maintaining top-of-the-line security protocols for current payment processing technologies.


Our lawyers don’t want to miss out on the fun and would like you to know that all of the posts are the opinions of the individual authors and don’t necessarily reflect the opinions or positions of Stroz Friedberg. The ideas and strategies discussed herein may not be appropriate for any one reader’s situation and are not meant to be construed as advice.



Commentary, new discoveries, and innovative ideas right to your inbox.

Stroz Friedberg

Sorry! You are using an older browser which is not supported by this website.

Please download one of these free browsers to enjoy all our website has to offer:
Firefox, Chrome or Internet Explorer.