ANSI - X9 TR 48
Card-Not-Present (CNP) Fraud Mitigation in the United States: Strategies for Preventing, Detecting, and Responding to a Growing Threat
Publication Date: 8 March 2018
Purpose, Scope, and Stakeholders
Card-not-present (CNP) fraud, the unauthorized use of a payment card for any transaction where the cardholder does not physically present the payment card, poses significant risk to today's payments ecosystem comprised of primary stakeholders such as issuers, merchants and their acquirers, processors, payment gateways, payment networks, PIN debit networks, and other relevant businesses. This Technical Report presents guidelines for the mitigation of CNP fraud for all relevant impacted industry stakeholders, such as merchants, acquirers, issuers, payment card networks, online payment service providers, payment processors, and hardware and software providers. This Technical Report addresses the environment of payment cards, such as credit, debit, and prepaid, but does not extend to private label cards, which are out of scope. Given the high cost of CNP fraud in the U.S., these guidelines are designed to help stakeholders understand: 1) the landscape of CNP fraud attacks; 2) how to protect against data theft; 3) how to detect and prevent CNP fraud using mitigation tools and processes; and 4) how to respond and implement an adaptive CNP fraud mitigation model. These guidelines are intended to provide a benchmark checklist of the CNP mitigation tools, procedures, and strategies that should be considered for effective CNP fraud mitigation.
According to the U.S. Department of Commerce, U.S. online retail sales nearly quadrupled in the decade from 2005-2015, and in 2016 accounted for $394.9 billion and 8.1 percent of total retail sales.1 As of the third quarter of 2017, U.S. online retail sales accounted for 9.1 (adjusted) percent of total retail sales.2 In the third quarter of 2017, U.S. mobile commerce spending was 23 percent of the total e-commerce retail sales, according to Statista.3 In the U.S., CNP fraud accounts for approximately 50 percent of total fraud losses sustained, according to various industry resources. This increase in CNP fraud can have significant consequences for small and medium businesses as well as large enterprises, requiring all companies to be prepared with the proper fraud mitigation tools and strategies.
The U.S. payments industry is preparing for a significant increase in card-not-present (CNP) attacks. With the migration from magnetic stripe (magstripe) to EMV chip cards at the point-of-sale (POS) and the anticipated shift in fraud to the CNP channel, it is important to understand how this will impact e-commerce and m-commerce. Card-not-present channels include e-commerce, m-commerce, interactive voice response (IVR) units, telephone orders, and mail orders. Consumers are also buying more goods online, using their traditional desktop computers or mobile devices, and commerce is expanding across digital channels, creating more opportunities for fraud.
Although these guidelines are less restrictive than a standard, they offer suggestions on the recommended considerations to achieve enhanced security practices for adoption, as appropriate, by all relevant stakeholders within the payment card system. This Technical Report also provides information for assessors, auditors, and regulators to evaluate fraud risks and controls in the overall card payment ecosystem. Proactive implementation of these guidelines by industry stakeholders will help them to mitigate CNP fraud and reduce fraud losses within the U.S. payment card industry.
All recommendations described in this Technical Report are compatible with and supplemental to existing standards as outlined in §2 - Normative References. Certain recommendations may be outside the scope of current standards as referenced in §2 - Normative References. In addition to CNP fraud mitigation tools and a checklist of commonly used mitigation strategies, this Technical Report also includes references to relevant existing standards and a description of the transaction use cases within scope of this work effort.
1 U.S. Census Bureau (2017, Feb. 17). Quarterly Retail E-Commerce Sales 4th Quarter 2016. U.S. Department of Commerce. Retrieved from https://www.census.g
2 U.S. Census Bureau (2017, Nov. 17). Quarterly Retail E-Commerce Sales 3rd Quarter 2017. U.S. Department of Commerce. Retrieved from https://www.census.g
3 Statista (n.d.). M-commerce share of total digital commerce spending in the United States from 2nd quarter 2010 to 3rd quarter 2017. Retrieved from https://www.statista