SPONSORED SUPPLEMENT: New weapons against an old nemesis: Fighting e-payments fraud
Payment processors upgrade their technology
for combating online criminals
Ten years after the dawn of the Internet retailing age, attempts to defraud online merchants are only increasing. "The incidence of credit card fraud, particularly in a card-not-present environment, continues to increase at a fairly alarming pace," says Xavier Kris, CEO of Retail Decisions Inc., the North and South American operation of U.K.-based payments processor and risk management company Retail Decisions.
For instance, Kris notes that while holiday online purchases tracked by Retail Decisions were up 44% on a same store basis from Nov. 15 to Dec. 16, attempts to push through fraudulent transactions were up 46%. "Many expect to see that rise continue," he says.
The weakest link
Part of the explanation for the rise in fraud lies in the increasingly successful fraud fighting efforts in the offline world, he says. Developments in the U.K. , where credit card issuers are moving to smart cards and PIN-based transactions bode ill for online merchants, he says. "Fraud always preys on the weakest link," he says. "The weakest link are merchants who are not protected from e-commerce fraud."
Five years ago, notes Jeff Foster, executive vice president of Retail Decisions, about 18% of card-not-present fraud took place at online merchants. In 2005, Retail Decisions estimates that proportion will exceed 50%.
The very nature of online transactions is one reason that e-commerce fraud will continue to increase. "The anonymity of the buyer and the seller are conducive to fraud," says Michelle Banaugh, senior vice president of merchant online services with Wells Fargo Merchants Services.
Online fraud is an issue that is important to the future of online retailing, not just for the losses that fraud represents to merchants but also for the corrosive effect it could have on consumers` comfort in shopping online. "It`s still Number One in consumers` concerns," Banaugh says. Their concerns revolve around fears of card number and identity theft as well as around whether they are doing business with a legitimate online business. "Over the last two years, there has been higher concern over where the credit card information is going, who views it and what the users are doing with it," Banaugh says.
No silver bullet
Fighting online fraud is complex and requires many approaches. "There is no single rule, no silver bullet that will kill fraud," Kris says.
The card companies--MasterCard, Visa, American Express, Discover, JCB and others--have developed a number of initiatives to fight fraud. They include requiring the shopper to supply a billing address so it can be matched against that on file with the card issuer, to report the card verification value--the three-digit code that appears in the signature panel on the back of a credit card--and to input a password if the merchant participates in Verified by Visa, MasterCard SecureCode or JCB`s J/Secure. They`ve also worked on the secure electronic transaction protocol.
Fraud continues, nonetheless. "Criminals are always one step ahead of the game," Kris says. "The best we can do is to stay a half step behind." Adds Mary Ritchie, product manager for Omaha-based First National Merchant Solutions: "The people who perpetrate the fraud are spending all day doing it and they are very clever. Merchants understand the need to fight fraud, but it`s a constant learning curve."
That learning curve is one reason processing and risk management companies urge retailers to make use of outside fraud management services: Those services are in touch with fraud across the industry and can apply their lessons to individual clients. "It`s important to use as much transactional information as possible because that allows us to see what is happening across the industry," Ritchie says.
For starters, card processors encourage retailers to adopt most or all of the card company initiatives, but also note that if they alone could fight fraud, the fraud rate would be going down, and it`s not. Thus, merchants and payment processors have adopted a number of other approaches.
Reaping the fruits
Wells Fargo Merchants Services, for instance, offers customers advanced fraud protection and a service it calls Risk Assessor as part of its Global Payment Gateway, a proprietary payments processing service that provides domestic and international services. Wells brings extensive experience to fighting online fraud and claims the distinction of processing the first Internet transaction, for VirtualVineyard.com, 10 years ago. Last year, it processed $16 billion in online payments. "As an early player on the Internet, we are reaping the fruits of our labors today," Banaugh says.
Wells also is a long-time credit card transaction acquirer in the offline world, so knew a little bit about fraud when it began processing online payments. "When we started processing online, we looked at the traditional tools around transactional fraud monitoring and they addressed credit card transactions around the point of sale where patterns were predictable because they were so well established," she says. "But the patterns around online transactions were not predictable because they were so new."
Wells undertook a major effort three years ago to build models using good and bad transactions. "That allowed us to build up profiles to give merchants a higher confidence level," Banaugh says.
Wells feeds all information into a central database and that creates a master file of credit card information that Wells then applies to risk assessment.
Today, Wells applies its Risk Assessor service to all transactions. So when a merchant is ready to take advantage of the Risk Assessor service, the data already exist to help the merchant analyze transactions. Wells will then provide consulting services to assist the merchant in designing reports in a way that will fit in with the merchant`s existing systems and permit staff to make best use of the information.
Filtering
Wells, like other processors, supports Visa`s and MasterCard`s requirements for merchants to pass security validation tests for all customer credit card data that they store, even if only for a few minutes. "Fraud management requirements can be viewed as burdensome, but it`s good business practice all the way around," Banaugh says. "It`s good for the consumer to know that the merchant complies with the fraud management rules."
Another approach to online fraud that some processors take is to filter all transactions. VeriSign Payment Services, for instance, creates a filter based on a range of information, including such aspects as number of transactions that a card has conducted recently, the number of items in a transaction, the type of item and the dollar amount. It then incorporates information from outside databases such as address verification and other information about the cardholder.
The combination of internal data that VeriSign has developed and external data that others have developed is a powerful weapon, says Trevor Healy, vice president of VeriSign Payment Services, which processes for 125,000 merchants and expects to handle $40 billion in online payments this year. "Your fraud screening is only as good as the fraud that you experience," Healy says. "Our approach harnesses the collective power of the network. Customers get the benefit of operating with the largest payment processor on the Internet. Fraudsters are teaming up to do things together, so we are in essence creating a community effort also."
VeriSign Payment Services is a division of VeriSign Inc., which provides online security services beyond payment. Its VeriSign Secured mark is one of the most widely recognized security marks online. VeriSign`s security experience feeds into its ability to combat payment fraud, the company says. "We have a huge security practice with a large network security group," Healy says. "It`s very powerful that VeriSign does a lot of other things."
VeriSign also applies its security knowledge to internal fraud, such as merchant employees issuing refunds to themselves for purchases that never took place. It applies technology as well as human expertise to detecting such fraud, Healy says. "We have people who monitor all traffic," he says. "They sit at screens and scan traffic all day long."
The human element
The human element is crucial, he maintains. "You can trust that you`ll catch a certain level of fraud with computing systems," he says. "But the person you`re fighting at the other end has a human brain and you need a human brain to combat it."
VeriSign is also involved in combating identity theft, which Healy says is integral to the overall fraud fight. "Retailers see their responsibility as stopping with product and cash theft, but if a consumer experiences identity theft at a web site, it has very far-reaching implications," Healy says.
To help fight identity theft, VeriSign can apply its security services to all the devices in a merchant`s network to assure there`s no vulnerability at any step in the process. That requires a delicate balance in today`s environment between securing servers and making them accessible to shoppers, suppliers and others who need to get to them for information or transactions. "Security must set you free, not lock you down," Healy says. In addition, VeriSign has relationships with many Internet service providers and so can help shut down web sites that engage in phishing to obtain names, addresses, account numbers and passwords for identity theft purposes.
Phishing is becoming a bigger concern to many involved in e-commerce. Phishing is a scam that tries to entice unwary consumers to visit an apparently legitimate site and supply enough information that the operator of the web site can either make fraudulent transactions with the account information gained or can take over the consumer`s identity. Almost anyone with an e-mail account has received seemingly authentic messages that purport to come from a financial institution or, increasingly, eBay or PayPal with a subject line "Problem with your account" or "Your account is about to be suspended."
Criminals hope that consumers will take the bait and click to the site in question and fill out the information. Enough consumers do so to make phishing one of the fastest growing and, from a criminal perspective, successful scams on the web.
Going for the bait
While phishing is not directly a merchant problem, it can harm online sales by undermining consumer confidence in the Internet. In a phishing scheme, a consumer may not even know that he has entered a bogus site and given his information to a criminal. A consumer who suspects that his information was compromised at a retailer`s site, even if the site was a bogus one, is unlikely to trust that retailer, and possibly not others, in the future.
Because of its large user base, PayPal, the payment unit of eBay Inc., undertook an education program two years ago to alert consumers to phishing. It has developed a three-step approach to fighting phishing. The first is consumer education under which PayPal customers are encouraged to visit the security center at PayPal.com and view recommendations for detecting and avoiding phishing. In addition, PayPal has just released its eBay toolbar that consumers download to their desktops. It issues an automatic alert if the consumer is about to input eBay or PayPal information on a site that is not eBay or PayPal. That can be helpful in phishing scams where a bogus site might be hard to differentiate from the real thing. Consumers who encounter such sites are encouraged to send an e-mail with the site`s web address to spoof@paypal.com.
It`s also harnessing the 1,000-strong security staff of eBay and PayPal to identifying and closing down phishing operations. And it is applying analytical technology to identifying suspicious transactions and trends in payments. "Because PayPal is a closed system, we can apply pre- and post-transaction screens and that can help us identify problems as they develop," says a PayPal spokeswoman.
To PayPal, security assurances apply equally to sellers as to buyers. And because PayPal has such an extensive security and review apparatus behind it, it can provide innovative services to merchants such as Buyer and Seller Protection. Under Buyer Protection, sellers insure buyers that they will get what they expect. Any eBay seller who has 50 feedback reports and a 98% positive rating can offer buyers PayPal`s Buyers Protection. That service insures the buyer against non-delivery and that the product will be as described on transactions up to $1,000. That raises buyers` comfort level while helping the seller attract more buyers, the spokeswoman says.
Seller Protection for merchants provides 100% protection against chargebacks if the seller ships to a confirmed address in the U.S., Canada or the U.K.
A further element of security, PayPal points out, is that the merchant never stores the consumer payment information, meaning that security is not based on a merchant`s willingness or ability to invest in secure storage.
Collective knowledge
First National Merchant Solutions has also developed a payments gateway that applies rules and scoring to judge the validity of transactions. It starts with the basics of address verification, CVV numbers, and Verified by Visa and MasterCard SecureCode, then checks transactions against negative files and scores them against 50 other data fields. Like VeriSign, First National applies what it learns across its network to individual clients` transactions.
The processor can build rules across the network based, for instance, on product codes, flagging higher-risk products for closer scrutiny, says Ritchie, product manager for First National`s PayFuse system. "We then spread it across the network to our other merchants who have products like it," she says.
Broader selection
As an example, she offers office supplies as a category that, because of the promotion applied to many products in that category, is susceptible to fraudulent transactions. "Office supply retailers have lots of coupons and specials in the newspapers that customers can use online," she says. "With coupon fraud, we can see what`s happening and build a rule very quickly. If a store is all of a sudden hit with coupon fraud, we can write new rules as the system is processing transactions. The merchant can change the rule on the fly."
Another advantage of developing rules based on a range of transactions, Ritchie says, is that merchants can draw upon First National`s expertise if they want to expand their inventory. "A retailer in consumer electronics, for instance, knows their business and what`s risky within their own product classification," she says. "But if they want to push their inventory into more areas, we can help them flag the products that are riskier or less risky than others."
First National`s system is oriented toward the business user, not the technology department, with user-friendly interfaces, Ritchie says. First National took its screening engine in-house in May 2003 for further development, after outsourcing it before that. Since that time, it has added payment types that the system can process as well as the capability of processing payments from multiple channels.
In addition, First National is planning to add still more data fields to the screens and more transactional information and enable the system to act more quickly on more information. "We`re always working on making the engine smarter," Ritchie says.
Re-write on the fly
Other processors are working on expanding the capabilities of their systems, as well. Retail Decisions recently integrated its PRISM tool with its ebitGuard product, which allows the company to analyze transactions in multiple dimensions simultaneously. For instance, it can bring together its analysis of transaction patterns, velocity checks on card usage and negative databases, all toward flagging or passing a single transaction. "In the card-not present environment, it`s absolutely critical to detect the slightest change in patterns," Kris says.
PRISM is a neural network that constantly analyzes transactions and re-sets rules based on the patterns it is observing. It`s more powerful than human-based rules systems because it can analyze massive amounts of data quickly and re-write rules on the fly, Foster says. "If a team writing rules could set even as many as 20,000 rules based on all products and all customer behavior, when they`re done, all they`ve got is a level of rules that reflect their business today," he says. "PRISM re-sets the levels without re-writing all the rules."
Retail Decisions is also developing PRISM to work at an even deeper level of information, down not only to the transaction patterns at specific sites but even down to types of SKUs. "Someone who buys diamonds and sneakers doesn`t get the same score for each product," Kris says.
Processors are developing technological approaches in part as a way to reduce merchants` manual review of transactions. For instance, Retail Decisions says trials of its integration of PRISM into ebitGuard, which can be programmed to produce any level of manual review that a retailer desires, have reduced manual review by 30% at retailers that were using just ebitGuard before. "If you have a staff of 18 and you can reduce it by six at $50,000 each per year, you can save some real money," Kris says.
E-checks
Credit cards are not the only online payment vehicles subject to fraud. Just about any transaction that represents money on the Internet is likely to attract criminals. Thus processors have built up security systems around e-checks to ensure that retailers can ship orders paid by e-checks with the same level of confidence as they ship orders placed by credit card.
So far, fraud has not been the problem with e-checks that it is with credit cards, processors say. "Credit card fraud is what`s hurting the merchant," says David Kerlin, president of AmeriNet Inc., which offers the Debit-It e-check product. "Criminals haven`t
spotted opportunities with
e-checks. "In some ways, it`s like the difference between Apple and Microsoft. Criminals go where the money is and because 90% of the market is on Windows, they create attacks for that part of it. They don`t go after the small guys. E-checks are a small part of the market."
Nonetheless, processors aren`t sitting by, waiting for the criminals to attack. They are developing databases that cross-reference information from multiple databases and processors and merchants are building up systems and information that allow merchants to be more comfortable shipping more quickly to customers as customers build up buying and paying history.
Usually, the type of e-check fraud that merchants experience is related to the buyer changing his mind, Kerlin says. The fraud falls into two general categories--the buyer denies the transaction or claims the product was not as depicted--but usually devolves into a change of mind. "An awful lot of fraud is really just buyer`s remorse," Kerlin says, "and it could be avoided by the customer just saying he wants to return the product and wants his money back."
E-check security raises some challenges that aren`t present with credit cards. For instance, merchants can`t get a positive authorization on an e-check the way they can with a credit card`s open-to-buy authorization. That`s the result of privacy requirements that prevent a bank from telling a merchant or its processor that a buyer has adequate funds in his checking account.
Common sense
But merchants can overcome those obstacle by
applying, in Kerlin`s words, "some basic common sense" to accepting e-check transactions. Among his recommendations: watch out for high-velocity new customers, verify the shipping address against valid-address databases and watch out for surges in small purchases of items that can be easily re-sold that can indicate an organized ring.
In spite of the differences between e-check and credit card processing, processors encourage retailers to consider the alternative. "We don`t see as much fraud with e-checks as we do with credit cards and it`s a lower-cost transaction," says Branaugh of Wells Fargo.
Wherever fraud occurs, the industry is also working on making itself smarter by cooperating across institutions, both individually and as an industry. "Financial institutions and merchants are working together in consortiums," Banaugh says. "We will share information about suspicious activities with our counterparts at other banks." Adds Ritchie of First National: "The more information you have from a variety of sources, the easier it is to stay even with the criminals. And we have found organizations and merchants very willing to work together."
