In this day and age, credit card breaches seem to happen on a regular basis. Card numbers are compromised and sold on the dark web. Banks, concerned that the card numbers will be used to make fraudulent charges, then have the huge expense of reissuing cards and handling customer calls. Meanwhile, consumers have the hassles of reporting bogus charges and updating credit card numbers on all of their accounts. Despite all of the security measures that have been taken, such as PCI compliance, chip-enabled cards, robust fraud tools, and back-end fraud review teams, cards continue to be compromised and losses continue to mount. Furthermore, because of chip and PIN technology, more of the fraud that occurs is happening over the Internet, forcing online merchants to tighten their risk parameters. Unfortunately, when they decline a credit card transaction, it is often a false positive – meaning that the real consumer is declined, while true fraud continues to slip through. Perhaps the approach is all wrong. What if credit card companies and merchants (who are now facing the liability of fraud/chargebacks) had a way of making sure that the credit card being used was really in the hands of the consumer that should be using it; and detecting when it was in the hands of someone else? Then, perhaps it would be less critical to replace cards when card numbers are compromised, because such situations would be detected and fraud charges prevented, so cards can be replaced in a routine manner rather than urgently.
Well, there is a way – and it is a two-pronged approach:
- Identifying whom the card belongs to. Traditional tools for identifying whom a card belongs to are relatively weak. Address Verification Service, or AVS, only verifies that the street number and zip code are correct, but do nothing to verify the name on the card. New approaches are available to better verify identification, including services which search the consumer’s credit file using the name and address provided to see if the credit card actually appears on the credit report. If the card is not found, then it is likely that the name and address is not a match to that card. Zumigo, though a partnership with Equifax, is an example of such an approach.
- Making sure that the person is with the card when it is being used. Now that consumers take their mobile phones everywhere they go, it is possible to use the mobile phone as beacon for where the cardholder and credit card should be. Through partnerships with mobile operators, Zumigo and others offer real-time information about the ownership and location of the phone readily available (with the consumer’s consent, of course.) This type of approach is important in mitigating fraud in both face-to-face and consumer-not-present transactions.
Regarding brick and mortar purchases (face-to-face), most cardholders have experienced the inconvenience of having their card declined either while traveling or after a big day of shopping, but this doesn’t have to happen. Services are available that provide two ways to verify that the consumer is in the same location where the credit card transaction is attempted. First, an SDK can be incorporated into the bank’s mobile app, which causes the device to automatically send notifications when the consumer is traveling. If a consumer flies to New York on business, for example, the financial institution will automatically be notified that the consumer is in a new location. This way, any credit card transaction attempted in New York can be approved. Second, services such as Zumigo can provide the real-time network location of the consumer’s mobile phone on demand; this technology does not need an app on the phone and uses just the mobile number to determine location based on the cell tower the phone is attached to. The financial institution can send a request based on the consumer’s mobile phone number on file to determine if the transaction is occurring in a location that is near the consumer’s mobile phone in near real time.
With online purchases (consumer-not-present or card-not-present), by simply asking the consumer for a mobile number during an online purchase, merchants have a new point of reference that can be used to detect fraud. First, the name and address on the online purchase can be compared to the name and address on the mobile account. Discrepancies may highlight a possible fraud attempt. Second, and more importantly, the location of the phone can be obtained using the phone number. The location can then be compared to the location of the purchasing device, the billing address, and the shipping address. If John Smith makes a purchase and says he lives in Los Angeles, but the phone number provided belongs to Sally Jones and the phone is currently in Phoenix, then those would be red flags that something isn’t right.
There are several proactive ways to mitigate credit card fraud when a consumer’s card number gets into the wrong hands. Long before a breach is announced and before a credit card can be reissued, new approaches in mobile identity allow the consumer, the merchant, and the financial institution all to be protected.