RISE WITH FIS

5 best practices for credit unions to counter contactless fraud

Jeff Robbins | Senior Director, Business Strategy, Risk & Compliance, FIS

August 03, 2020

While the United States was on COVID-19 lockdown and turning to contactless payments due to personal distancing, fraudsters were working 24/7 to find nefarious ways to capitalize on the opportunity. Many of the fraudster targets included grocery stores, online music services, electronics, online shopping, restaurants and automated fuel dispensers. While many industry experts anticipated a slowdown in mobile P2P or tap-to-pay fraud due to COVID-19, the opposite has been true. In fact, there were nearly 7,500 more fraudulent authorizations from January to May 2020 versus the same period in 2019. Tap to pay and digital wallets have accelerated in popularity with consumers and it is critical for credit unions to offer members these contactless payment options.

Credit unions offering contactless payment options also need to balance the potential risk associated with them. Merchants that typically facilitate the acceptance of contactless payments become a target at the end of the day, and it should not come as a surprise that fraudsters know which merchants offer contactless payments and which ones do not.

Here are five best practices to help you counter fraud

The battle to beat fraud may seem never-ending. It was only a few years ago that card-present fraud was a major problem until EMV chip cards became commonplace in the United States, effectively stopping card-present fraud in its tracks. Vigilance is key, along with fraud rules and tools that will help you prevent or defend against payments fraud. Here are five prevention and defense best practices that you can deploy to make sure you and your members are protected.

  • Develop fraud rule sets behind the scenes. To help prevent fraud, look for specific attributes that can be highly indicative of fraud. Recent provisioning requests, for example, followed by large dollar authorizations could be a sign of fraud.
  • Establish actionable intelligence based on what's taking place in your footprint. Consider whether contactless behavior patterns match the customer’s general behavior. What is the age of the account? Does the member’s mobile wallet ID have a clean history and what purchase amounts have been attempted in the past? These are all factors that FIS or your own analytics team can work into a rule set to make sure there is a proper fraud trap in place to stop as much fraud in this space as possible.
  • Revisit your authentication process. If a person is constantly calling into your branches on the wrong number, they should be flagged. Offer a one-time passcode approach. Within your operation, it's important that you have strong countermeasures to safely and securely validate your members. Look for things such as member ID, which is unique. Taking these steps on the front-end can certainly frustrate a fraudster and keep them from getting through and taking a block off an account. If necessary, you can go deeper in the authentication process if members have a mortgage or car loan with your credit union.
  • Educate your members about fraud and what to look for. Train your members on how to identify contactless fraud attempts. Explain what constitutes a contactless fraud trend. Communicate by publishing information on your website or sending out letters that contains this critical information. Make sure your employees are fully versed about fraud as well.
  • Turn on the security switch. Some credit unions have some of these features turned off. If you're going to participate in contactless, it's imperative that you leverage all the security features identified by the card brands as best practices for contactless payment. So that’s validating the ARQC values, CVV2, ICVV, dynamic CVV2, PoS entry and any service codes that may be coming through a valid token indicator. Some authorization platforms will give you the ability to completely turn off contactless if you're not offering it.

Tap to pay and mobile wallets are tokenized and are considered a secure method for conducting transactions. Criminals are simply exploiting known configuration vulnerabilities to perpetrate fraud via this channel. The good news is, contactless fraud is a small piece of the overall fraud pie. It accounts for 2% or less on a quarterly basis of all attempted fraud, according to FIS data. It is proving to be very secure and inching closer to the performance of an EMV chip from a security standpoint. But it is critical that credit unions remain vigilante and have a multi-faceted plan in place to counter fraud attacks that includes validating their authorization and security settings for contactless payments.

To learn more listen to our recent webinar on Keeping Members Safe in a Frictionless World.