One of the great advantages of the Internet is that it allows retailers to extend their reach to new markets. One of the great disadvantages of the Internet is that it allows criminals to extend their reach to new markets.
“Fraud is increasing on a global basis and one of the major drivers is the card-not-present environment,” says Carl Clump, CEO of London-based risk management and transaction services provider Retail Decisions plc. “The Internet is so anonymous that it allows criminals to very easily see if they can buy something with a card that has been lost, stolen or skimmed.”
Retail Decisions specializes in fraud prevention. And with headquarters in Europe, a major presence in North America, operations in South Africa and Australia and re-seller agreements in Japan and South America, it is in a unique position to see how criminals have extended their reach into global card-not-present fraud. “Fraud is multinational; the gangs are international,” Clump says. “With the Internet, fraud has really become a global phenomenon. That is why we are an international company.”
While there’s no doubt that the Internet has created a great new opportunity for criminals, the rate of online fraud is hard to measure. For one thing, many retailers won’t discuss their fraud experiences for fear of tipping off criminals either to vulnerabilities in their systems or to the fact that they are easy marks. For another, card companies lump online fraud with other card-not-present fraud and it becomes difficult to know how much fraud occurs on, say, telephone orders, where the mere fact that there is a human at the other end of the line may deter criminals from trying out scams, vs. Internet orders, where complete anonymity may embolden criminals. But whatever the rate of fraud, there is general agreement that it is exponentially higher online than in stores. While store-based fraud is well under 1%, estimates of the rate of online fraud range from the 2-4% that some processors project to the 10% that Retail Decisions projects. “Growing use of the Internet fuels our business,” Clump says.
Retail Decisions, a 3-year-old spin-off from the Card Clear Group, now is positioning itself to help retailers fight the globalization of fraud with its ebitGuard fraud screening service. The centerpiece of ebitGuard is a comprehensive risk assessment that results in a set of customized fraud detection rules and a neural network built on millions of transactions that analyze up to 150 variables per transaction. ebitGuard also runs all transactions through numerous proprietary domestic and international databases comprised of about 75 million records. Customers for ebitGuard include the world’s largest retailer and the world’s largest fulfillment aggregator, as well as the UK’s largest retailer.
In addition, Retail Decisions applies its international experience to all transaction analyses. And it is making a major push into the U.S. market where it hopes to learn even more. “We learn from each of the geographies that we are in,” Clump says. “And we pass on to other geographies what we learn.”
Retail Decisions traces its fraud detection roots back 15 years to helping telecommunications companies like AT&T; control credit cards used fraudulently to make telephone calls. “We were leading proponents of fraud prevention in that space when most people didn’t know what the card-not-present market was,” Clump says. “We then saw a huge opportunity to apply our skills to the emerging market of mail order, telephone order and, of course, the new capabilities of e-commerce.”
Today, Retail Decisions targets four vertical markets: retail, banking, telecommunications and gasoline for fraud prevention and processing services. Just as it cross-pollinates its databases and neural networks with lessons it learns geographically, it also applies lessons from one vertical to another. “They are all high volume, high fraud environments,” Clump says. “We are seeing considerable success in each one and that allows us to apply our knowledge from one to another.”
The global nature of fraud makes it that much harder for retailers to fight against fraud by themselves, Clump argues. “There are so many new frauds being perpetrated all the time that it’s hard for any individual retailer to keep up with them,” Clump says. “To do it themselves, retailers would have to replicate the risk management departments that banks have had for many years.”
Some new types of fraud, driven by the speedy communication that the Internet makes possible, would be virtually undetectable to merchants working on their own until it’s too late, Clump says. A recent example: Criminal gangs in Southeast Asia have entered retail establishments posing as cleaning crews. At an opportune moment, they surreptitiously link an unobtrusive recording device to POS terminals. The device grabs and holds payment card information, including account number, customer name and expiration date, as customers make purchases. A few days later, the crew returns to collect the device and harvest the numbers. Within minutes, associates can be using the purloined numbers to make purchases at locations far distant from where the numbers were harvested. Without sophisticated velocity checks, for instance, there would be no reason for a merchant to be suspicious of the transactions. “There is no doubt that fraudsters are becoming much more clever,” Clump says. “And that’s one of the strengths that we have with our neural software: It can detect very subtle changes in behavior.”
Retail Decisions runs a transaction through its various checks in parallel, comparing it against the retailer’s business rules at the same time it is performing velocity and other checks, putting it up against negative files, and applying its neural software to the transaction. Finally, it puts all the information through an analytical engine that evaluates the results of each ebitGuard service element and makes an accept, reject or challenge decision. Many other fraud prevention companies give the retailer a score, on which the retailer bases a decision to accept or reject. “But is there a huge difference between a score of, say, 650 and a score of 670?” Clump says. “It’s hard for a merchant to base a decision on that kind of gradation. We give absolute advice to the retailer.” Retail Decisions charges a risk assessment fee for ebitGuard customers, then configures the system for optimal use. After that, retailers pay a per-transaction fee.