Card-not-present fraud remains prevalent.

One of the many consequences of the COVID-19 pandemic has been a dramatic increase in online shopping and purchasing. Unsurprisingly, this was followed by a large jump in card-not-present (CNP) fraud attempts, actual fraud and false positive declines at checkout. Making matters even more urgent, pre-pandemic fraud was already increasing – in 2019 alone there were over 7,000 data breaches, according to Risk Based Security as reported in CB Insights’ “2020 Cyber Defenders” report. The time to adopt a CNP fraud prevention solution is now.

Credit unions are in the best position to take a leadership role in offering new fraud prevention technology. Some of the primary reasons why people join credit unions is because they know member-focused institutions understand their needs and are more likely to research and adopt technologies that directly benefit them.

When I speak with family, friends and colleagues, e-commerce fraud is a frequent topic – and has grown in popularity over the past few months. One close family friend, a physician, had her credit card compromised three times in less than a month. And while it’s not logical, she decided to switch card brands – and she is not alone. Fifty percent of all cardholders blame either their card issuer or network when the merchant experiences a data breach, according to a 2018 TSYS Consumer Payment Study. Even a cybersecurity analyst who thought he was ahead of online fraudsters had his cards and online accounts hacked in the past few months. E-commerce thieves have flocked to CNP fraud like never before because it targets the weakest link in payments.

The effects of online fraud are most severe for individuals and small businesses that are least able to handle the loss of the use of funds or the financial write-offs. Pre-pandemic, an October 2018 Federal Reserve Board of Governors Survey reported that nearly 40% of Americans would struggle to cover a $400 emergency. The loss of access to any money is devastating for many individuals. Many small businesses were unprepared to move their business online when COVID-19 struck. These are the merchant accounts with the weakest defenses to prevent online fraud, and that can afford the financial loss the least. They need our help.

Some promising new online card fraud prevention technologies are close at hand. 3D Secure 2.0 helps merchants and banks share card authorization data in the background during online purchasing, but suffers from slow adoption as it creates friction at checkout. Biometrics, the technology that allows for fingerprint sign-on for mobile phones, has been in the news lately, but questions around who stores cardholders’ fingerprints and other usage issues linger. Others are experimenting with tokenization, which requires the cardholder, merchant and card issuer to exchange a token rather than the card number itself – but also requires all three to be signed up with the same token service.

A new technology called dynamic CVV2 (dCVV2) is already available for implementation by financial institutions, and early results indicate that the majority of CNP fraud may be prevented through its use. Because it’s a card-issuer solution and is implemented on the card network, there is no merchant involvement. Dynamic CVV2 simply replaces a standard static security code at check-out.

Just this month, The Secure Technology Alliance, a not-for-profit multi-industry association working to stimulate the understanding, adoption and widespread application of secure cards solutions, released a white paper identifying dynamic security codes as the most promising weapon against e-commerce CNP fraud. The white paper’s conclusion read:

“Cards that incorporate dynamic security codes are an effective solution to combat CNP fraud, regardless of the technology used to implement the codes. Dynamic data is by definition more secure than static data, and when it is layered with other security solutions, such as EMV 3DS or SRC, fraud mitigation is greatly improved … The gold standard in security is to use a layered approach. Dynamic security code cards are an easy layer that any issuer can incorporate into their security strategy.”

Dynamic CVV2 solutions include both card and smartphone app solutions. The card solutions replace the static CVV2 on the back of the card with a small LCD that displays the dCVV2 that changes periodically. Software dCVV2 solutions replace the static CVV2 printed on the card with a dynamic dCVV2 that is available on your smartphone. App-based dCVV2 is a more scalable option for wide adoption since it eliminates the need for an expensive card with a battery and LCD.

The timing couldn’t be better, or more welcome, since online card fraud prevention is even more critically important to cardholders, merchants and financial institutions. And credit unions have an opportunity to become the first heroes of e-commerce.

Robert Steinman

Robert J. Steinman is CEO of Keyno, a credit and debit card security provider based in Atlanta.