Ten years after the dawn of the Internet retailing age, attempts to defraud online merchants are only increasing. "The incidence of credit card fraud, particularly in a card-not-present environment, continues to increase at a fairly alarming pace," says Xavier Kris, CEO of Retail Decisions Inc., the North and South American operation of U.K.-based payments processor and risk management company Retail Decisions.
For instance, Kris notes that while holiday online purchases tracked by Retail Decisions were up 44% on a same-store basis from Nov. 15 to Dec. 16, attempts to push through fraudulent transactions were up 46%. "Many expect to see that rise continue," he says.
The weakest link
Part of the explanation for the rise in fraud lies in the increasingly successful fraud fighting efforts in the offline world, he says. Developments in the U.K., where credit card issuers are moving to smart cards and PIN-based transactions, bode ill for online merchants, he says. "Fraud always preys on the weakest link," he says. "The weakest link are merchants who are not protected from e-commerce fraud."
Five years ago, notes Jeff Foster, executive vice president of Retail Decisions, about 18% of card-not-present fraud took place at online merchants. In 2005, Retail Decisions estimates that proportion will exceed 50%.
The very nature of online transactions is one reason that e-commerce fraud will continue to increase. "The anonymity of the buyer and the seller are conducive to fraud," says Michelle Banaugh, senior vice president of merchant online services with Wells Fargo Merchants Services.
Online fraud is an issue that is important to the future of online retailing, not just for the losses that fraud represents to merchants but also for the corrosive effect it could have on consumers' comfort in shopping online. "It's still Number One in consumers' concerns," Banaugh says. Their concerns revolve around fears of card number and identity theft as well as around whether they are doing business with a legitimate online business. "Over the last two years, there has been higher concern over where the credit card information is going, who views it and what the users are doing with it," Banaugh says.
No silver bullet
Fighting online fraud is complex and requires many approaches. "There is no single rule, no silver bullet that will kill fraud," Kris says.
The card companies--MasterCard, Visa, American Express, Discover, JCB and others--have developed a number of initiatives to fight fraud. They include requiring the shopper to supply a billing address so it can be matched against that on file with the card issuer, to report the card verification value--the three-digit code that appears in the signature panel on the back of a credit card--and to input a password if the merchant participates in Verified by Visa, MasterCard SecureCode or JCB's J/Secure. They've also worked on the secure electronic transaction protocol.
Fraud continues, nonetheless. "Criminals are always one step ahead of the game," Kris says. "The best we can do is to stay a half step behind." Adds Mary Ritchie, product manager for Omaha-based First National Merchant Solutions: "The people who perpetrate the fraud are spending all day doing it and they are very clever. Merchants understand the need to fight fraud, but it's a constant learning curve."
That learning curve is one reason processing and risk management companies urge retailers to make use of outside fraud management services: Those services are in touch with fraud across the industry and can apply their lessons to individual clients. "It's important to use as much transactional information as possible because that allows us to see what is happening across the industry," Ritchie says.
For starters, card processors encourage retailers to adopt most or all of the card company initiatives, but also note that if they alone could fight fraud, the fraud rate would be going down, and it's not. Thus, merchants and payment processors have adopted a number of other approaches.
Reaping the fruits
Wells Fargo Merchants Services, for instance, offers customers advanced fraud protection and a service it calls Risk Assessor as part of its Global Payment Gateway, a proprietary payments processing service that provides domestic and international services. Wells brings extensive experience to fighting online fraud and claims the distinction of processing the first Internet transaction, for VirtualVineyard.com, 10 years ago. Last year, it processed $16 billion in online payments. "As an early player on the Internet, we are reaping the fruits of our labors today," Banaugh says.
Wells also is a long-time credit card transaction acquirer in the offline world, so it knew a little bit about fraud when it began processing online payments. "When we started processing online, we looked at the traditional tools around transactional fraud monitoring and they addressed credit card transactions around the point of sale where patterns were predictable because they were so well established," she says. "But the patterns around online transactions were not predictable because they were so new."
Wells undertook a major effort three years ago to build models using good and bad transactions. "That allowed us to build up profiles to give merchants a higher confidence level," Banaugh says.
Wells feeds all information into a central database and that creates a master file of credit card information that Wells then applies to risk assessment.
Today, Wells applies its Risk Assessor service to all transactions. So when a merchant is ready to take advantage of the Risk Assessor service, the data already exist to help the merchant analyze transactions. Wells will then provide consulting services to assist the merchant in designing reports in a way that will fit in with the merchant's existing systems and permit staff to make best use of the information.
Wells, like other processors, supports Visa's and MasterCard's requirements for merchants to pass security validation tests for all customer credit card data that they store, even if only for a few minutes. "Fraud management requirements can be viewed as burdensome, but it's good business practice all the way around," Banaugh says. "It's good for the consumer to know that the merchant complies with the fraud management rules."