The Changing Face of Card Fraud: How to Manage Fraud and CX in the New Normal

When it comes to credit, debit and pre-paid card use, consumer behaviour is changing – not least because of COVID19. There are changes to channels, authentication and volumes, but there is also the rise of real-time payments eating away at card dominance in consumer payments.

Like most change, this provides both opportunities and threats. To stay ahead and respond to these changes, the time to invest is now.

Card Fraud on the Rise

According to the latest Nilson Report, worldwide card fraud losses reached $27.85 billion in 2018 and are projected to rise to $35.67 billion in five years and $40.63 billion in 10 years. Of this, the amount attributed to issuers was $19.21 billion, or 67.9 percent of gross fraud losses. Merchants, merchant acquirers and ATM acquirers accounted for the other $8.64 billion or 31.03 percent of the total. 

But these numbers hide differences between regions. In the U.S., card losses were $9.47 billion in 2018, making up 34 percent of global losses yet only 21.5 percent of card volume – an outsize loss. 

What’s Driving the Losses?

In markets with high EMV (Eurocard/Mastercard/Visa) penetration, losses to Cardholder Not Present (CNP) are the predominate type of card fraud, making up 76 percent in the UK and 90 percent in Australia compared with 61 percent in the U.S. in 2018.

As EMV migration completes in the U.S. (63 percent of transactions vs. over 90 percent in most other regions) this reduces opportunities for counterfeit cards to be used. This will increase CNP fraud as a percentage of losses. We are already seeing that fraudsters are pushing on the weak links ahead of the full rollout, with gas/petrol stations being hard hit. With liability shifts coming, this will move these losses to merchants from issuers.

The key cause of CNP is compromised data from merchant compromises and through social engineering. This shows no sign of let up with multiple large compromises in the last 12 months. Not only do these compromises cost issuers from a loss perspective, they also mean that cards need to be replaced more often and impact that card being top of wallet, reducing income.

This means it’s increasingly important for issuers to monitor and detect compromises, as well as bring in external intelligence to make fast and accurate decisions on when to decline and when to re-issue, while minimising impact on genuine card holders.

With low levels of 3DS use in the U.S., most CNP losses are currently borne by merchants rather than issuers as these transactions can be charged back. However, this is likely to start to change.

As CNP fraud continues to rise, 3DS2.1/2 rollout and a mandated merchant take up is likely to increase. Indeed, 3DS2.1 and above offer better data for fraud profiling, but provide low friction forms or authentication, along with native mobile app support, both missing from 3DS1.

These counter the main drawbacks of 3DS1, which includes dropped baskets and therefore lower income for merchants. The higher conversion rates along with the ability to shift liability for fraud losses to issuers will make take up increase. For those merchants using 3DS2 in the U.S. (now for MasterCard and from 31 Aug 2020 for VISA) the shift in liability takes effect. 3DS1 liability shift drops away in October 2021 for VISA.

Changes in Card Use

The use of physical cards themselves are also starting to change. The use of contactless, either native to the card or through X-pays and wallets, driven by tokenisation is on the rise. These bring additional fraud challenges, particularly with enrolment of the card in a device or wallet being the area with the biggest risk to manage.

Not only that, but Open Banking, particularly in Europe is also changing the environment, with new services replacing cards in e-commerce such as NatWest’s Payit and the announcement of the European Payments Initiative.

These and other use cases, such as Request to Pay, all start to move payments from cards to push payments, which again impacts fraud prevention, blurring the difference between rails. This also means that models will degrade faster as both genuine and customer behaviours change. The time for all the payment rails in one fraud detection system is upon us.

These points coupled with COVID-19 driving increases in e-commerce and contactless/xpays means that the pressure on fraud teams to manage not only the fraud risks, but also the customer experience is unprecedented. Bringing new users to e-commerce increases transaction volumes and alters the way both genuine customers and fraudsters behave, lowering the performance of old models and rules.

This means that issuers need to invest in solutions to combat the risk of fraud from this changing environment, as well as the increased volume of transactions and inevitably alerts.

Addressing the Issues

The current systems architecture for card fraud is littered with multiple systems and end point solutions and myriad case managers for them all.

Bringing all the transaction types together in a fraud hub will help meet these challenges. This means removing the silos between these systems, helping to mitigate cross channel frauds by having all the customer transactions in one system.

A focus on entity profiles as well as customer profiles means that relationships between cardholders, wallet or open banking providers and merchants can help reduce fraud at the enrolment of the card and as it is used over the first weeks and months. This can also be used to reduce false positives rates and drives better customer experiences.

Further, as 3DS use increases, the ability to enrich the authorisation messages with data from 3DS and third parties such as device profiling and behavioural biometrics is very powerful. This is particularly the case if the same systems are used across plastic and non-plastic and as part of a multi-factor authentication strategy. This also brings with it the ability to build better ML models and provide improved fraud detection at lower false positive rates.

The fraud hub concept also works on the operational side, where one case management for any fraud system can bring together alerts from multiple systems. This helps reduce the burden on operational staff and allow for better decisions, providing the investigator with all information in one place.  

While cards are not going away anytime soon, customer behaviour is changing and combatting fraud across all payment rails while supporting these customers is key. By starting the integration and investments now, it’s possible to support reducing fraud, lowering costs and providing a better customer experience.