During the COVID-19 lock down, a whole new generation of users discovered the joys and convenience of online shopping. Worldwide, online debit or credit card fraud, better known as card-not-present (CNP) fraud, has increased exponentially during these challenging times, costing companies and individuals billions in losses. Card-not-present fraud occurs when a scammer attempts to make a false debit or credit card transaction while not in physical possession of the card.

In the past, cards were stolen and used at Automatic Teller Machines (ATMs), at shop check-outs or cloned. But since online purchases have become a practical alternative to having to deal with traffic, parking, and long check-out queues, card-not-present fraud has escalated at an alarming rate. Studies by BlueSnap, a United States-based global payments company, found that by 2023, worldwide retailers will lose about $130 billion in revenue on falsified card-not-present transactions if they fail to keep up with digital fraud prevention measures.

Traditionally, financial institutions have always advised their customers to protect their Personal Identification Number (PIN). However, in the world of online shopping, all information on the card should be deemed confidential and be protected.

Security measures in place

The Card Verification Value (CVV), a three-digit number on the reverse of a debit or credit card, is an important security feature when making a card-not-present payment purchase over the phone or online. The system was instituted to reduce the incidences of debit or credit card fraud. Used as a security feature to validate and confirm that you are in possession of the card – and therefore, its legitimate owner. Never share the three-digit CVV number on the back of your debit or credit card with anyone, except during a legitimate online transaction.

The Payment Card Industry Data Security Standard (PCI-DSS) prohibits CVV and other sensitive authorisation data storage. The Standard applies globally to anyone who stores, processes, or transmits cardholder data. PCI-DSS, a regulatory compliance model, was established in 2004 and

worldwide implementation became compulsory in 2007. PCI-DSS is obligatory for banks and other financial institutions supplying payment cards, as well as merchant accepting card payments. However, customers should also understand the basic principles of card data security.

Practice vigilance at all times

In 2015, the financial industry introduced chip cards to replace mag-stripe only cards worldwide. The initiative has significantly reduced statistics on counterfeit fraud. Unfortunately, it has stimulated card-not-present fraud on the internet, as this became the ‘easier’ way of committing fraud. Fraudsters no longer need to steal a payment card; they only need the card information.

The information on your bank card – the full card number, known as the Primary Account Number (PAN); the expiration date on the front, and the three-digit CVV on the back; is all that is needed to conduct a payment transaction on the internet.

Websites have no way of confirming that the person entering the card information for an online purchase is the card’s actual owner. Therefore, it is crucial to keep the card information confidential. Even during card related queries with your bank, never communicate the full PAN in any format. Sharing only the first six and the last four numbers of the PAN, known as masking the PAN, is vital in protecting confidential card data. Below are more suggestions:

· Use [services such as] Bank Windhoek’s AlertMe service notification, which notifies you whenever transactions occur on your accounts, be it debit or credit transactions. Never take a picture, or allow anyone to photocopy your Bank Windhoek debit or credit card.

· Do a little research to confirm that a web site you consider transacting on is legitimate before continuing. Never make direct payments, especially on websites you do not know; instead, use a trusted third party payment mediator like Pay mate or PayPal to conduct online shopping.

· Be wary of emails requesting personal or payment card information and never click on links in random emails of unknown origin. Regularly check your bank statements to confirm all card transactions. Discovering fraud sooner increases the chance of full compensation.

· Never allow a site to cache (save) your confidential card information.

· Do not share your full card number, CVV or expiration date in any format with anyone outside of a secure payment transaction.

To stay a step ahead of fraudsters, Bank Windhoek continues mitigating customer’s risk of exposure to such fraud by regularly adding features to its payment platforms. One such feature is 3D Secure – a global standard adding a much needed layer of additional security during CNP (online) transactions. As

part of a transaction, a confirmation code will be sent to a client’s cell phone. Acceptance of the message is a prerequisite to completing an online transaction. Watch the media for details on this feature that Bank Windhoek will be rolling out shortly.

By Capricorn Group’s Information Security Specialist, Riaan Viljoen