Card-not-present (CNP) fraud is of growing threat to travel companies across the globe; action is needed to curb losses and protect consumers and businesses alike.
CNP transactions are those that occur when a card is not physically presented to a merchant – for example those payments made over the telephone, internet or via mail order.
With the growth of eCommerce and move to EMV, fraudsters have turned from counterfeit fraud to CNP fraud.
It is estimated that CNP will cost retailers $71 billion globally over the 5 years from 2017-2021. The travel industry is particularly at risk; fraud levels were reported to have increased by 4% in 2017 from 2016.
Hotels: a fraudsters paradise
Over the past couple of years, there have been many high profile data breaches at hotels, including at large multinational chains.
In its annual Data Breach Investigations Report, Verizon named the hotel industry as the highest sufferer of data breaches with 338 reported – 90% of breaches involved point of sale (POS) intrusions. Stolen card data is at high risk of being used for CNP fraud.
Travel companies may work with hotels using the agency model, where the booking is made via the travel company with the traveler paying the hotel directly after the stay (card details are typically passed through to the hotel by the travel company with the booking details).
According to research conducted on behalf of WEX by FirstPartner, the agency model is most prevalent in Europe and Asia.
If there is a data breach at the hotel, through hacking, malware or poor internal procedures, the traveler is at risk of having compromised card details used for CNP fraud. This not only impacts the traveler who may end up a victim of CNP fraud, the reputation of both the hotel and travel company may be harmed.
The agency model is favored by some hotels as it can offer improved cash flow, since there is no need to wait for payment from the travel company.
However, WEX believes the fraud risk to the traveler, and consequential impact on the reputation of the hotel and travel company, outweighs this benefit.
The merchant model is the most prevalent way of working with hotels in the US for travel companies. In this model the travel company is the merchant of record for the transaction with the traveler paying the travel company directly.
This offers protection for travelers as their personal card details are not passed to hotels.
While the merchant model protects travelers, if a travel company uses a traditional corporate credit card to pay the hotel, the travel company is at risk of becoming the target of CNP fraud should there be a data breach at the hotel.
Adopting the merchant model and choosing to use virtual card numbers (VCNs) rather than a traditional company credit card protects the travel company. VCNs offer a number of features to protect against CNP fraud:
- One time use – since VCNs are single-use even if they are exposed in a breach, they cannot be used if the hotel has already processed the payment
- Control who is paid, how much, when and more – VCNs can be locked down to be valid only for very specific purchases so they cannot be used for any purpose other than the intended payment
The merchant model combined with VCNs not only protects against exposure to CNP fraud, it can help protect travelers against accommodation scams – where fraudsters typically hack into an accommodation website and ask to be paid directly before disappearing, or list fake hotels on travel company websites and demand direct payment.
Such scams have been publicized as having hit British travelers in particular, data from City of London Police showed that 4,700 travelers fell victim to these scams in 2017, a 25% rise on 2016.
This trend is likely global, if travelers expect to pay the travel company directly they are less likely to fall victim to requests for direct payment.
VCNs vital in fighting CNP fraud in travel
VCN solutions like the one offered by WEX can play a vital role in protecting against CNP fraud.
Where travel companies work with hotels using an approach in which the travel company is the merchant of record and takes payment from the traveler, it builds a consistent experience for the traveler with just one central payment and avoids exposing the traveler to fraud.
Travel companies who then choose to pay hotels using VCNs are not exposed to risk of fraud should there be a data breach at the supplier. A VCN is single-use and controls can be employed to lock down the payment to a certain transaction only.
VCNs also allow travel companies to benefit from savings on international payments, the ability to earn money on payments made, automation of accounts payable tasks and more.