Multilayer Authentication Best Practices for CNP

Multilayer authentication critical for preventing CNP fraud

Less than a quarter of 48 national retailers surveyed recently said they have implemented EMV technology. While the migration has turned out to be a marathon rather than a sprint, the impacts have been seen fairly quickly. As 2016 progresses, more CP (card-present) merchants will integrate chip-card-compatible terminals into their POS (point-of-sale) systems. Although complete migration is expected to take up to seven years, CNP (card-not-present) merchants will struggle with increased fraud as criminals shift online to more vulnerable remote payments.

Multilayer authentication is critical for preventing card-not-present (CNP) fraud. A layered approach enables merchants to safeguard payments at all levels. Combined with the industry best practices outlined below, merchants can offset the detrimental impacts of EMV on CNP payments and fraud.

Multilayer Authentication

Authentication is a way for merchants to validate both the legitimacy of the card itself and the identity of the person attempting to use it to make a purchase. Authentication is a top priority in the fight against CNP fraud because the merchant cannot view the actual credit card. There are a variety of ways to authenticate CNP payments:

  • Device authentication – confirms a certain device has been used for the transaction
  • One-time password (OTP) – a password that can only be used once and is often time-sensitive
  • Randomized PIN pad – allows consumers to enter a PIN and use a debit-enabled debit or credit card
  • Biometric factors – a process that validates a consumer from a mobile device using tools such as facial recognition, voice recognition or fingerprint scanners

Experts advise online companies to use a combination of at least two authentication methods. This approach will insulate merchants against CNP fraud more effectively.

“A layered approach to security is essential in the online and mobile environment since fraudsters have proven quite adept at compromising any single point solution,” said Julie Conroy, Research Director with Aite Group, a firm with a focus on technology and its effects on the financial services industry.

Data Tools

Proprietary and transactional data assist with risk management and fraud prevention. Merchants, issuers and acquirers own proprietary data, which consists of lists of high-risk credit cards, email addresses, IP addresses and other similar information. Transactional data is information collected at the time of payment such as name and ship-to address.

Address Verification Services (AVS)

Credit card companies and issuing banks provide Address Verification Services (AVS) to merchants in order to check submitted billing addresses. This is usually done during the authorization process on the credit card. Merchants will receive one of six codes from their payment processor to indicate what areas matched. AVS is very useful as part of a risk solution. Information provided through AVS can indicate whether a transaction is authentic or fraudulent.

3-D Secure (3DS)

Currently, this tool is a secure communication protocol that offers real-time cardholder authentication straight from the issuer during an online transaction. Payment networks have created products to enhance this method of fraud detection. This authentication technology is similar to the “chip and PIN” approach. It asks consumers to enter a unique PIN to authenticate the cardholder’s identity at the time of purchase. 3DS is beneficial to merchants because it can help reduce fraud, particularly when it’s used with other risk management tools.


Tokenization

This method is designed to replace card values with different values called tokens. They are unusable by any outsiders. Also, only specific merchants or channels have access. One of the most important aspects of this approach is that merchants never have to store sensitive data and don’t need to alter how payments are accepted or authorized. Tokenization is an important fraud tool for merchants because the data remains secure. Plus, since the token includes the last four digits of the credit card, it can be verified easily.
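The tokenization properties described above (a substitute value that keeps the last four digits, is useless to outsiders, and works only for a specific merchant) can be sketched as follows. This is an added example, not code from the article or from any token provider; the `TokenVault` class, the merchant IDs and the choice to make tokens fail the Luhn check are assumptions of the example.

```python
import secrets

def luhn_ok(number: str) -> bool:
    """Luhn checksum used by real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical in-memory vault; a real one is a hardened service run by the token provider."""

    def __init__(self):
        self._by_token = {}     # token -> (pan, merchant_id)
        self._by_card = {}      # (merchant_id, pan) -> token

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        key = (merchant_id, pan)
        if key in self._by_card:            # same card, same merchant -> same token
            return self._by_card[key]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]         # only the last four digits survive
            # Design choice of this example: tokens fail Luhn so they cannot
            # be mistaken for, or submitted as, a real card number.
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = (pan, merchant_id)
        self._by_card[key] = token
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        pan, owner = self._by_token.get(token, (None, None))
        if pan is None or owner != merchant_id:   # token is bound to one merchant
            raise PermissionError("token not valid for this merchant")
        return pan

if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111111111111111"         # well-known test number, not a live card
    token = vault.tokenize(sample_pan, "shop-a")
    print(token, vault.detokenize(token, "shop-a") == sample_pan)
```

The merchant stores only the token; a token copied from one merchant's database cannot be redeemed by another merchant or used as a card number.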

New Visa/MasterCard Technology

In the future, it is hoped that MasterCard’s Chip Authentication Program (CAP) and Visa’s Dynamic Passcode Authentication (DPA) will be considered the EMV equivalent for CNP transactions. Though not yet available in the United States, the concept is that hand-held EMV readers or even smartphone apps can serve as a layer of protection against fraud for merchants in CNP channels. This method is still in development and could take a few more years before implementation.

Wearable biometrics

Personal devices continue to grow in popularity and aren’t just limited to smartphones anymore. Wearables – from Fitbits to Apple Watches to smart wristbands – are quickly becoming mainstream. The upside is that most of these devices are fitted with the ability to authenticate their owner via biometrics. These devices use the owner’s unique biometrics like heartbeat, fingerprint or even visual/face characteristics to authenticate and log in to online accounts, effectively replacing passwords and PINs.


As EMV continues to be fully adopted by more brick-and-mortar locations, multilayer authentication is a must for every merchant in the online payments channels. With a layered approach in place, merchants have the necessary tools to protect their payments at every stage of the transaction process. By using the best practices featured in this article, e-commerce retailers will be better prepared to challenge friendly fraud successfully in a post-EMV world.

For more information on how to protect your payments in a post-EMV payments landscape, visit Verifi for a number of informative resources on the EMV and multilayer authentication topic.