There’s a cost to keeping the criminals out—and it’s not always obvious

Guide to E-Commerce Technology

It’s been often said that there is no such thing as a free lunch. That is certainly true when it comes to fighting payment fraud on the Internet. While fraud prevention programs have proven effective in cutting the number of fraudulent and disputed transactions, those savings come at a cost. “If you’re going to do business in our space, the investment in any kind of fraud prevention is going to be substantial,” says Gany Karim, manager of fraud and risk control for Chicago-based uBid.com, an online auction and fixed-price retailer.

Some of the costs are easy to measure—the cost of purchasing or licensing decision-making software, purchasing new computer hardware and paying fees to have a transaction checked by an outside bureau. Other costs are more difficult to measure—the staff-hours spent maintaining databases—while others are nearly impossible to measure—the cost of lost business due to over-stringent preventive actions.

Whether these costs are tangible or not, they add up—and they’re necessary. Newton, Mass-based Meridien Research estimates online credit card fraud reached $3.8 billion worldwide last year. Meridien projects that without investments in prevention, online card fraud could reach $16 billion in 2005. Reasonable investments in fraud control technology could keep that number to $6 billion, Meridien says.

Most online retailers won’t talk about fraud. Some are reluctant for others in the industry to know their fraud experience while others fear that criminals will pounce on anything they say to determine where the weaknesses are in a system. But one thing is clear: nearly all retailers have to incur some anti-fraud costs, whether they are big operations that sell high-value goods that are easily re-sold—i.e., consumer electronics—or small guys who would be wiped out by only a few fraudulent transactions.

To make matters worse, vendors say many retailers don’t really know how to address the problem and so aren’t even sure of how much they are spending to combat the problem. “Merchants don’t really understand fraud very well,” says Robert Renzulli, vice president of product development for First National Merchant Solutions, a subsidiary of the First National Bank of Omaha. “Because they’re all different, merchants need to understand what kind of fraud they’re experiencing before they can take preventive action.”

One of the highest costs of fighting fraud is the cost of lost business. Many e-retailers have become so concerned about fraud that they have implemented systems that reject any questionable order, resulting in the rejection of good sales. Stamford, Conn.-based researchers Gartner Group estimates that online retailers reject 8% of sales due to fraud concerns. While Gartner researchers have not calculated how many of those rejected sales are truly fraudulent, payments processor Mountain View, Calif.-based Cybersource Corp. estimates that 3% are truly fraudulent while payments processor Retail Decisions, based in Providence, R.I., believes the rate of true fraud is 1.5%.

“A lot of companies have internal rules that automatically reject all sales over a certain amount or any sales over a certain number made on the same credit card,” says Jeff Foster, executive vice president of business technology integration for Retail Decisions. A retailer with $100 million a year in online sales could be losing substantial business due to too-stringent fraud measures, he says. “If you’re rejecting 7% of sales and only 1.5% are actually fraudulent, you’re losing $500,000 a month in revenue,” Foster says.

And that includes only the lost sales that can be measured. A customer whose purchase is rejected once may refuse to shop at that online store again. “On top of that,” Foster says, “many of the biggest Internet retailers have brick-and-mortar operations and you can be sure that many customers whose sales were rejected online will refuse to shop at the retailer’s brick-and-mortar stores as well.”

Unglobal business

Industrywide, lost sales could amount to $2.5 billion a year, based on Gartner’s high-end estimate of an 8% rejection rate and Cybersources’s 3% actual fraud rate. At $50 billion a year in U.S. web-based retail purchases, $1.5 billion are fraudulent, according to the Cybersource number, but the industry is rejecting $4 billion, using the Gartner number.

Associated with lost sales is the loss of international business. Many online retailers refuse to accept any sales outside North America because international fraud rates are so high. Gartner’s research found that only 64% of online retailers accept orders from outside North America. Furthermore, 9% of all merchants surveyed had accepted international sales at one time, but stopped doing so, due to the high fraud rates.

Also associated with rejected sales costs is the added cost of customer service. Jeff King, director of product management for Cybersource, notes that many retailers report that as order rejection numbers increase, customer service calls grow as customers whose orders are rejected call to complain.

To avoid rejecting a lot of transactions, many companies are manually reviewing all questionable sales. But that can be expensive as well. Some online retailers, particularly those most susceptible to fraud, review nearly all their claims. Cybersource estimates that 20% of Internet orders today require some human intervention to screen for fraud. “If you’re reviewing more than 20% of your transactions, you really have a problem,” King says.

Whatever the proportion of transactions reviewed manually, the cost is high. “I talked to one online electronics company that has 12 full-time employees reviewing every sale—at salary and benefits of $50,000 per employee,” Foster recounts. “With that overhead, it is nearly impossible to make a profit. Another company was reviewing about a third of sales. When it audited its costs, it found it was paying about $1 a transaction to keep out the fraud. That is outrageous.” Foster says a good fraud-prevention program should only incur 10 to 25 cents in direct costs of screening for fraud.

In order to avoid such extensive manual review, many online retailers are looking at decision-making software solutions, such as those provided by Cybersource, Retail Decisions, ClearCommerce Corp. and others. In its simplest form, this software has rules written into it that tell the online retailer to accept or reject an order based on experience. More complex systems use neural networks to score each order on the likelihood that it will be fraudulent. Such systems look at where the order came from, what the e-mail address is, which items are being purchased, the size of the order and other factors.

In evaluating the cost of implementing such software, the easiest thing to measure is the upfront purchase or licensing cost. Even then, prices can vary widely—typically between $25,000 and $250,000, depending upon the features and sophistication desired and size of the customer, according to Cybersource.

While Karim declines to reveal how much uBid.com paid for the neural network-based program it purchased from Cybersource, he notes that in a previous position as a consultant, he worked with a large online retailer that paid $500,000 for a neural network and spent four months preparing for the implementation with three or four developers working on the project at all times.

Upfront analysis

Others also have found that most decision-making systems require extensive upfront data analysis before they turn on the switch. “Before we pitch a solution to any merchant, we need to take a good look at that merchant’s business and what its fraud problems really are,” says Renzulli of First National Merchant Solutions, which also offers a neural network-based solution.

As basic as that sounds, many retailers don’t understand the source of their fraud problems. “You’d be surprised at how many companies never even look at their chargebacks,” says Cybersource’s King. “You have to analyze all your existing sales so that you know what a good order looks like and what a bad one looks like.”

Once the software is in place, the system typically does not run itself. Most require constant monitoring and updating. “Fraud is a moving target,” King says. “You have to keep an on-going review and analysis of your fraud situation and make changes and adjustments to your software as you go.”

Whether it is upfront analysis or on-going monitoring, Avivah Litan, Gartner vice president of financial services, says most large online retailers have 10 to 20 employees dedicated to fraud prevention, including database and software experts, manual reviewers and chargeback recovery staff.

But a retailer need not purchase an entire decision-making service to take advantage of certain elements of such services. For example, some retailers pay a few cents per transaction for an address verification service that matches the address supplied by the customer against the address reported by the customer’s bank or credit card issuer, says Dave Karlin, president of Portland, Ore.-based AmeriNet Inc., a provider of online debit payment solutions. Others, he says, purchase negative card and checking account files from outside firms that supplement the retailer’s own negative files.

Additionally, some smaller companies can avoid purchasing or licensing decision-making software and the need to maintain their own databases by paying a per-transaction fee to a payments processor to provide such a service for them. Dallas-based Paymentech, a leading payments processor, for example, offers a neural network-based service for 5 cents to $1 per transaction, depending on complexity and transaction volume, according to John Shirey, manager of product development.

Prosecute, prosecute

One advantage of using a service to provide the decision-making is that retailers don’t have to worry about interpreting the data. Most scoring systems, for example, only give a retailer a score as to the likelihood that a transaction is fraudulent with a short explanation of factors that make it risky. But even those automated systems still require some human brainpower to function. “Merchants still have to figure out if they’re going to approve a transaction,” Shirey says. “We extract the merchant from the headache. But they have to give us a threshold as to how much risk they’re willing to assume and we can tell them whether to approve or not.”

One of the most important costs associated with stopping Internet fraud, however, is a cost that few retailers are willing to bear—prosecuting criminals. Most retail systems are geared toward rejecting fraudulent claims, but they stop after rejecting the orders. “People know it is easy to commit Internet fraud because they won’t get caught,” says AmeriNet’s Karlin. “The worst that can happen to them is the order won’t go through. Retailers to date have not been willing to prosecute because it is cheaper and easier to let it go, especially if it is a small amount. But retailers need to start somewhere if they really want to stop the fraud.”

Lauri Giesen is a Chicago-based freelance business writer.

A password-based process that may reduce fraud

One of the most talked about fraud prevention programs today is one that appears to be the least expensive—at least upfront. That program is Verified by Visa, sponsored by the credit card association. A similar effort is being tested by MasterCard and is expected to be rolled out early this year.

Merchants who participate in the Verified by Visa program say they like its simplicity compared to other security programs. Earlier fraud-prevention programs advocated by the credit card associations, such as Secure Electronic Transactions, were costly and burdensome for merchants to implement. These often required the use of digital certificates, applets or smart cards that most consumers were not familiar with.

Verified by Visa requires only the use of a password that consumers select when they sign up for the program with their card issuers. And then merchants are given the option to participate. When a customer participating in the program makes a purchase at a participating retail site, the customer gets a pop-up template that prompts for the password. The payments processor checks the password with the card issuer.

Beginning in April, merchants will be protected from chargeback liability when both they and the customer participate in the program. Currently, merchants are responsible for all chargebacks.

When the MasterCard program rolls out, it will have three versions from which card issuers can choose. The simplest will be similar to Verified by Visa, requiring customers to select a password to compete a transaction. Another version will require consumers to store on their computers an applet that they click on when making a purchase. Customer identification information is transferred from the applet to the merchant for authorization. The final version requires the consumer to have a smart card, which retains the identification information. The card must be swiped in a device hooked up to the consumer’s computer.

Regardless of which version consumers use, the requirements are the same to the merchants, Bruce Rutherford, vice president of MasterCard’s e-business and emerging technologies, says. Rutherford believes that the password version will initially be the most popular, but says MasterCard wants to be ready for when smart cards take off in the U.S. and also have options that can serve other parts of the world.

Still, the upfront investment to the merchant appears minor. If the retailer’s payments processor already is participating in the credit card associations’ programs, as most are or will be, the software cost to most retailers is less than $2,000, says Avivah Litan, Gartner Group Inc. vice president of financial services. If a merchant processes its own payments, it may need to spend $50,000 or more on software, she says.

More confidence=more sales

In the case of uBid.com, a participant in Visa’s pilot program, Visa bore the software cost. However, other merchants who were not pilot participants will have to pay for their own software. Tower Records, for instance, paid $10,000 to participate through a software provider approved by Visa, Arcot Systems Inc., says David Harris, Tower Record’s direct-to-consumer project manager.

Gany Karim, uBid.com manager of fraud and risk, believes the cost is a bargain. “This has significantly helped us with our fraud problem and we’re seeing a huge increase in the number of customers converting over to participate,” says Karim.

Tower’s primary goal in participating in the program is to gain additional sales by attracting consumers who might have previously hesitated to shop online because of the lack of identification protection. “We’re hoping the extra sales we see this Christmas alone will pay for our cost of participation,” Harris says.

Tower went live with the Visa program in mid-October and approximately six weeks later, 2% to 3% of online customers were participating in Verified by Visa. Harris says it was too early to tell if the company was indeed experiencing additional sales. He expects the participation numbers will increase substantially next April when Visa requires issuers to offer the service.

Participation will increase when Visa and issuers start promoting the service, retailers say. In fact, with consumer promotions by Visa—including a major TV ad campaign—and signup efforts that some large issuers were undertaking in the fall, the number of customers using Verified by Visa at uBid.com tripled in October. UBid.com also has promoted the service on its web site.

Other agree that for the program to be effective, merchants need to back up the consumer education provided by card issuers. Retailers need to reinforce the messages on their own web sites, says Robert Renzulli, vice president of product development for First National Merchant Solutions. That might involve explaining what the program is and how it works. Merchants also need to actively encourage customers to sign up for the service with their card issuers, Renzulli says.

But not everyone is sold on the program. Gartner’s Litan says many retailers are skeptical of the promises to shift chargeback liabilities. “E-retailers cite similar promises that were made, but never carried out, if they implemented checks for card verification codes from the physical card on their web sites,” she says. “They are also wary that card issuers will start classifying chargeback and fraudulent transactions under codes not covered by the rules.”

Keeping the connection

And while Verified by Visa appears easier for both consumers and merchants than past systems, there is still the risk that some consumers will have difficulty using the system. “The payer authentication applications have technical issues that could potentially turn consumers away,” Litan says. “For example, Verified by Visa is based on a centralized Visa directory. Authentication of a consumer—which occurs before payment authorization—requires several messages across the Internet, potentially making the system susceptible to failed connections. Also, e-retailer software manages the transition from consumer authentication to payment authorization, making e-retailers fully responsible for the integrity and security of the transactions.”

Tower has received the chargeback protection promised and has not had many technical programs with the implementation. Harris says most of the consumers know their passwords and are not having difficulty using the service.

Supporters believe the program will spur Internet sales. Renzulli says only 30% of Internet shoppers report they are comfortable shopping online anywhere. The remaining 70% will only shop at one or two locations where they know the retailer. When these consumers see the Verified by Visa sign, and later the MasterCard SecureCode, they will know it is safe to shop there, Renzulli says. And that should benefit all e-retailers.