A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

July 08, 2019 • Issue 19:07:01

The 2019 CNP Expo

By Brandes Elitch
CrossCheck Inc

In May of this year, I attended the CNP Expo in San Francisco, and I will state flat out that this event should be mandatory attendance for every merchant with a significant online presence, as well as for payment professionals responsible for safeguarding card-not-present (CNP) transaction data. That's a bold statement, but don't take my word for it. Postpone finishing this article, if you like, and go to the Online FraudCast podcast hosted by anti-cybercrime experts Karisse Hendrick and Brett Johnson. I recommend these three podcast episodes:

  • "Live from CNP Expo" (recorded during CNP Expo's opening keynote presentation)
  • "Merchants are from Mars, vendors are from Venus"
  • "The 'C'-word for online merchants: Chargebacks."

Relentless, pernicious attacks

The current headlines about fraud will be no surprise. Here are some examples:

  • "E-commerce skimming attacks evolve into iFrame injection"
  • "Since 2016, over 4,000 ransomware attacks have taken place daily, or about 1.5 million a year, according to the Department of Homeland Security"
  • "Server software poses soft target for ransomware"
  • "Firmware bug in CCTV software may have given POS hackers a foothold"
  • "Attacks from rogue mobile apps jump 300%, and CNP fraud continues to boom, RSA finds"

You get the idea. One of the most pernicious types of assault is the Magecart "digital skimmer" attack. Fraudsters target Magento ecommerce software and plant malicious code inside the victims' websites. As one expert said, "It really shows that any ecommerce site is fair game" for an attacker. If you are selling in ecommerce ‒ and who isn't? ‒ this means you.

CardNotPresent.com was founded by Casco Media Corp. in 2011, an online publication that subsequently founded the CNP Expo, an annual conference that launched in 2012. In 2015, the organization and its expo were acquired by Reed Exhibitions, a member of RELX Group.

CNP's focus is on ecommerce fraud prevention and global payment acceptance. The show has achieved maturity, with approximately 500 attendees, more than 50 hours of educational offerings, and about 40 fraud-prevention providers and payment processing vendors in the tradeshow exhibit area.

Shifting fraud landscape

Today, fraud is moving to the account level. Some retailers have gotten better at fraud detection and are now focused on false declines and improving revenue. I counted nine areas of concentration at the event. Those working in this space need to be familiar with all of them:

  1. 3-D secure/consumer authentication
  2. Chargeback management
  3. Data security services
  4. Device identification and or behavioral biometrics
  5. Fraud case management tools
  6. Identity documentation authentication
  7. International payment processing/PSPS
  8. Logistics and/or call center support, including fraud-prevention services specific to call centers
  9. Managed fraud services

Serious fraud-management professionals could easily spend the better part of the day just speaking with vendors of these products and services.

Expo planners put significant thought into the sessions offered at the Expo, too. Several topics that resonated with me are: What is the true cost of fraud to your business? (benchmarking survey); Fake is the new fraud; Partnerships R Us: What is a fraud strategist and what do we do?; Compelling evidence: the key to winning first-party chargebacks; Managing your own career in payments and fraud; You've got to be shipping me (re-routes and re-shipping, and did-not-receive claims); and Know your frenemy" (fighting friendly fraud).

AI, behavioral biometrics and machine learning will play a greater role in this sphere as time goes by, but right now, there is an organized body of knowledge that fraud professionals and those tasked with safeguarding sensitive data need to master. That is what this annual show is all about. It is desperately needed, too, and not just because of data theft, but also for false declines and loss of revenue.

The most common attack is account takeover (ATO). Thieves steal legitimate payment credentials via data breaches or phishing. Then they use bots to verify user credentials and identify which ecommerce stores their victims use (this is called "credential stuffing"). Next, the thieves sell the credentials to other fraudsters on the Dark Web or commit ATOs themselves. When merchants think about this, they quickly come to the realization that they need help, and that's what is available in abundance at the Expo.

Takeaways from the show

Here are some take-home points I want to share with readers of The Green Sheet:

  • Fraud is always evolving, and our prevention work needs to evolve too.
  • Merchants and payments enterprises have to balance fraud prevention with the customer experience.
  • Fraud-prevention specialists must collaborate with partners both internally and externally, and include cross-functional teams.
  • Merchants and service providers need to focus on conversion rates to reduce shopping cart abandonment.
  • Merchants and service providers must create a meaningful chargeback reduction strategy.
  • Fraud reduction is most effective when overall traffic has improved.
  • Fraud attacks have grown so sophisticated that machine learning and predictive analytics are becoming more common, and "tagging" is the most important thing to get right in the analytics process. (Tags gather data on websites. They can be pieces of JavaScript code, small pixels or transparent images that enable collection of information about people and their on-site behaviors.)
  • Merchants and service providers need to learn how to convert friendly fraudsters back into good customers. This can be done via training on social engineering and elicitation techniques.

Talking to the vendors and learning what is going on in this space is a worthwhile use of time for any payments professional. The Expo helps clarify the factors at play, as well as enables potential partners to meet and find solutions that meet their specific needs. It is also useful to to meet leaders in the fraud-prevention world and hear what they are doing, as well as what keeps them up at night.

The next Expo will be held May 19 to 21, 2020, at the San Francisco Marriott Marquis hotel. You can pre-register for the event at www.cnpexpo.com. end of article

Brandes Elitch, director of partner acquisition for CrossCheck Inc., has been a cash management practitioner for several Fortune 500 companies, sold cash management services for major banks and served as a consultant to bankcard acquirers. A certified cash manager and accredited ACH professional, Brandes has a Master's in Business Administration from New York University and a Juris Doctor from Santa Clara University. He can be reached at brandese@cross-check.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing