Trying to stop criminals from making fraudulent transactions and stealing cardholder account data is a bit like playing whack-a-mole. As soon as retailers stop the thievery by plugging one hole in their systems, criminals find a way to breach their defenses. In many cases, it's the tiniest weaknesses in a retailer's web site that criminals zero in on and exploit.
Criminals never stop seeking ways to make money from fraud and data theft, and as e-commerce grows it makes for an ever more appealing target. That's why retailers can never let their guard down, no matter how diligently they police their sites. In 2011, for example, while fraud as a percentage of transaction volume for U.S. and Canadian e-retailers declined to 0.6% from 0.9% in 2010, dollar losses grew to $3.4 billion from $2.7 billion, according to CyberSource, a subsidiary of payment card network Visa Inc.
Several factors make e-retailers prime targets for criminals. The first is that it's easier on the web than in the physical world to commit fraud. There are many ways criminals can mask their identities, such as by using proxy servers to hide their true location or by creating an alternative IP address for the device being used.
Online merchants are also open 24/7, which means criminals can operate around the clock and from anywhere in the world. Finally, the cost of entry to committing cyber-crime is low. Anyone with a computer and an Internet connection can commit online fraud or steal card data.
"Preventing fraud and data theft is an ongoing business problem and a big cost for e-retailers, because criminals are well organized and always working to get better at beating the system," says Bill Cohn, principal product manager for Litle & Co., a payments management company specializing in card-not-present transactions. "Merchants aren't going to be able to get completely away from the problem, but the more emphasis they put on fraud management and data security, the faster they can take preventive measures that will reduce fraud losses."
To effectively combat cyber-criminals, e-retailers must continually upgrade their fraud detection systems and defenses to protect cardholder data. Merchants that don't stay on top of new fraud trends will not only fall behind advances by cyber-crooks, they will set themselves up for huge fraud losses. To make matters worse, a retailer's poor security record can lead to stiff fines from the credit card networks and require high-priced fixes to its payment and security systems.
Ongoing upgrades in fraud detection and data security reduce those risks and costs. "The key is constantly adjusting fraud and data protection strategies," says Rich Rezek, head of global product management for ReD (Retail Decisions), which specializes in fraud detection. "Rules and strategies that worked yesterday will need to be adjusted based on what happens today. Merchants need to learn everyday about the strengths and weaknesses of their fraud strategy and adjust it accordingly or risk becoming stagnant."
Retailers, however, cannot depend on a blanket fraud detection strategy, especially if they sell a wide variety of merchandise. "Retailers that sell hard goods and soft goods need fraud prevention strategies for each product, because each product has a different set of fraud characteristics," Rezek says. "If customers can buy online and pick up in-store, retailers need a strategy for that part of their business, too. Each part of a retailer's business needs its own fraud prevention strategy that is continually adjusted."
Make it fast
Criminals' growing sophistication in skirting fraud-prevention tools and maximizing their yields from online fraud makes real-time fraud detection a must. At the same time, consumers expect a retailer will prevent fraud without hindering their online shopping trips in any way. Fraud prevention strategies that slow site performance, even by a second, can diminish a customer's goodwill, hurt the retailer's brand and lose sales.
"Fraud detection has to be done in real time because it takes place during checkout when consumers are anxious to conclude their online shopping trip, but it can't impact the customer experience in any way," says Steve Rouse, chief operating officer of Kount Inc., a provider of turnkey fraud and risk-management solutions. "If a customer has to wait longer than he would like for a transaction to be authorized, or if the retailer asks for too much information to validate his identity, it can lead to impatience on the part of the customer and a lost sale."
Running a consumer's card through a fraud screen should take place in about 300 milliseconds, which is as fast as it takes to authorize a credit card at a store checkout counter, according to Rouse. Retailers can further streamline the fraud-screening process by reviewing the rules they have in place to validate a customer.
"We recommend that retailers only ask customers for data they really need. For example, a retailer selling downloadable content, such as games, really does not need to ask for a shipping address, because nothing is being shipped," Rouse says. "Being more selective about the data needed to validate the customer can make for a faster, smoother checkout process that does not compromise fraud prevention."
No data to protect
While real-time fraud detection strengthens retailers' defenses against cyber-criminals, many consumers still have doubts about the security of e-retail sites, and some remain reluctant to use their credit cards online. Their fear is that criminals will intercept the data during the transaction or hack into a retailer's database and steal credit card data stored there.
To ease these fears, transaction processors such as Litle & Co. are urging retailers not to store cardholder data on their servers and to use tokens in lieu of actual card numbers. Tokens are facsimiles of card account numbers generated by a token server; even if a criminal obtains a token, he won't be able to use it to make another purchase. The token is generated when the merchant submits the card account data for authorization to the processor, which generates a token and returns it to the merchant. The processor stores the actual card account data on a secure server, freeing the merchant to erase card data from its system.