AVS = Address Verification System
AVS checks are one of the most widely used fraud prevention tools for card-not-present transactions. They were originally developed for use with webmail and catalogue orders; however, they are now used by online retailers primarily as a method to verify the validity of an order they receive.
So, how does it work? An AVS check compares the billing address used in a transaction with the details the issuing bank holds on file for that cardholder. Depending on whether they match fully, partially, or not at all, the merchant can decide whether to accept or cancel the order/payment.
The strength here is that even if a fraudster obtains all the details on a card, they would also need the address details, amongst other things, when entering a payment request in order to successfully use an individual’s stolen card details. These details are often matched against the bank’s records to a high level of accuracy. Therefore, not only would the individual need to know your address, but also exactly how you would have written it, without any missing information.
An AVS check results in a code that signifies how closely the details matched what is in the banking system. This ranges from a full match to no match and allows the eCommerce system to know whether to accept the payment. Whether to accept partial matches is at the discretion of the merchant, according to their level of risk.
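The following is an added example, not code from the original page: a simplified model of an AVS comparison and of two merchant risk policies applied to the result. The letter codes (Y, A, Z, N, U) follow a commonly seen convention but vary by card network and processor, and the card identifier, address record, matching rules and policy names are all constructed assumptions.

```python
import re

# Constructed issuer record: card id -> billing address on file (sample data).
ISSUER_FILE = {
    "4000-TEST-0001": {"street": "221B Baker Street", "postcode": "NW1 6XE"},
}

def _norm_street(text):
    # Case-fold and collapse punctuation/whitespace. Abbreviations are NOT
    # expanded, so "St" and "Street" differ (assumed matching rule).
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def _norm_postcode(text):
    return re.sub(r"[^A-Z0-9]", "", text.upper())

def avs_check(card, street, postcode):
    """Return Y (full match), A (street only), Z (postcode only),
    N (no match) or U (issuer has no address on file)."""
    on_file = ISSUER_FILE.get(card)
    if on_file is None:
        return "U"
    street_ok = _norm_street(street) == _norm_street(on_file["street"])
    post_ok = _norm_postcode(postcode) == _norm_postcode(on_file["postcode"])
    if street_ok and post_ok:
        return "Y"
    if street_ok:
        return "A"
    return "Z" if post_ok else "N"

# Hypothetical merchant policies: the risk appetite decides what happens
# to partial matches. Anything not listed is declined.
POLICIES = {
    "strict":  {"accept": {"Y"}, "review": set()},
    "lenient": {"accept": {"Y", "A", "Z"}, "review": {"U"}},
}

def decide(code, policy):
    rules = POLICIES[policy]
    if code in rules["accept"]:
        return "accept"
    if code in rules["review"]:
        return "review"
    return "decline"
```

A genuine cardholder who types "221B Baker St" gets a partial match here, which is why the tolerance for partial matches is a business decision as much as a security one.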
3D Secure Payment
3D Secure was designed to provide an additional security layer for online card transactions and payment services.
One of the main advantages of 3D Secure is that it reduces fraud, but it also makes shopping online safer and can benefit brand loyalty for merchants who decide to integrate it. However, there are some limitations, in that not all card providers are participating in the program.
From the perspective of a merchant, a 3D Secure process works as follows:
- Customer enters their card details into the form
- Merchant contacts a directory server and gets a message that the card is registered
- Customer sees a 3D Secure page and authenticates themselves by entering a password
- Results of the 3D Secure authentication are then submitted to the acquiring bank
- Transaction is authorised
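The five steps above, walked through as an added example that is not part of the original page. The directory server, issuer and acquirer are constructed in-memory stand-ins, not real network APIs. The card identifiers, the password and the fail-closed handling of a failed challenge are assumptions.

```python
# Constructed stand-ins for the external parties.
DIRECTORY = {"4000-TEST-0001": True, "4000-TEST-0002": False}  # card -> registered?
ISSUER_PASSWORDS = {"4000-TEST-0001": "correct horse"}         # held by the issuer only

def directory_lookup(card):
    """Step 2: ask the directory server whether the card is registered."""
    return DIRECTORY.get(card, False)

def issuer_challenge(card, password):
    """Step 3: the customer authenticates on the 3D Secure page.
    The merchant only ever learns the outcome, never the password on file."""
    expected = ISSUER_PASSWORDS.get(card)
    ok = expected is not None and password == expected
    return "authenticated" if ok else "failed"

def acquirer_authorise(card, amount, auth_result):
    """Steps 4-5: the acquiring bank receives the authentication result
    with the payment and returns the authorisation outcome."""
    return "declined" if auth_result == "failed" else "authorised"

def checkout(card, amount, password_entered=None):
    """Run the merchant-side flow and return (trace, outcome)."""
    trace = ["card_details_entered"]                   # step 1
    if directory_lookup(card):
        trace.append("directory:registered")
        result = issuer_challenge(card, password_entered)
        trace.append("challenge:" + result)
        if result != "authenticated":
            # Assumed merchant choice: fail closed, do not submit the payment.
            return trace, "declined"
    else:
        # Not every card provider participates, so this branch proceeds
        # without an authentication result.
        trace.append("directory:not_registered")
        result = "not_attempted"
    outcome = acquirer_authorise(card, amount, result)
    trace.append("acquirer:" + outcome)
    return trace, outcome
```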
Open Banking
With Open Banking, customers initiate a payment to a merchant using their mobile banking app or online banking web portal, in the same manner that they would pay with a bank transfer.
Funds are then transferred to the merchant immediately using real-time banking rails.
In the UK, Open Banking companies are required to do their own transaction monitoring on top of the checks conducted by banks. This additional check adds extra value to security and to the elimination of fraud risk.
Open Banking is a process of using software and security systems to connect your bank to a merchant via an API. This means that you’ll never be asked to give access to bank login details or a password, other than directly to your bank or building society.
This means no data is entered into a merchant or online platform outside your bank, and the risk of that data being stolen is reduced. Only websites and apps which are regulated by the FCA (or European equivalent) are able to utilise Open Banking, which means that the firms using it are already heavily regulated and should be taking good care of all the data they hold.
One of the key safety nets of Open Banking for the user is that the bank will pay their money back if a fraudulent payment is made through Open Banking. Furthermore, users are protected by data-protection laws and the Financial Ombudsman Service.
CVV or CVC
It is a common misconception that those three numbers on the back of your card (or the four on the front of an AMEX) are required in order to make a payment. You will often be asked for them when making a payment, but why?
The CVV/CVC has one single purpose, and that is to verify that the cardholder has the card in their possession. If you enter an incorrect code, the payment/transaction will be declined.
So, technically, the code isn’t required in order to make a payment, but it is utilised by merchants as a safety check to make sure that the cardholder is who they say they are.
Merchants are prohibited from storing a CVV/CVC code in their database, and the code isn’t stored within the magnetic stripe/EMV chip on your card either. Therefore, if a database is hacked and the credit card numbers are stolen, the hackers still would not have the code needed to complete eCommerce checkouts.
Interestingly, despite the increase in card fraud in 2020, there was actually a reduction in stolen card data that contained a CVV or CVC code. This is likely directly related to COVID and our changes in habits. As stated, it is unlikely that a hacker can obtain your CVV/CVC code from a database, and therefore most theft that includes a code is more likely to happen in person.
As we’re leaving our houses less, and not going out for dinners or shopping in brick-and-mortar shops during lockdowns, we’re opening ourselves up to fewer scenarios where somebody could take a mental note or a picture of our card details. Therefore, we can likely assume that stolen card data containing these codes will rise as the pandemic limitations are reduced.