(Page 4 of 5)
Another potential drawback to multimerchant databases that rely on historical data is that the information supplied by merchants may be inconsistent. "One merchant may have stricter rules for denying a transaction and another may be less strict; it all depends on their risk tolerance and the type of products they sell," says Rouse. "Real-time databases are much more powerful when it comes to velocity checks. Retailers can more readily see fraud across geographic regions, merchant categories, etc."
In addition to using real-time aggregate databases for velocity checks, Kount uses a proxy-piercing process to identify the Internet nodes used by the access device to connect to the proxy server to determine the user's true geographic location. Kount also uses dynamic scoring models to detect fraudulent transactions.
While minimizing fraud losses is an important element of risk management, so too is controlling chargebacks. It's not uncommon for consumers to seek to reverse a charge on a credit card by claiming they never received the product, the product was damaged or not as advertised. Such claims can be tough for merchants to refute and can lead to a reversal of the charge, thus generating a chargeback.
"In this economy we are seeing a lot of consumers disputing transactions because they may be butting up against their credit limit or bought an item on impulse they decided they really can't afford," says FIS's Roese. "The question for merchants is are these transactions a form of fraud or do they fall in a gray area?"
Merchants that sell downloadable content, such as music or games, are experiencing a high rate of chargebacks from consumers who are not professional criminals, a risk often called friendly fraud. One way to prevent such losses is to match the phone number or e-mail address the customer provided at the time of purchase to the same information given to the customer service representative handling the dispute.
"If the phone number provided at the time of purchase is the same one used to contact the service agent to initiate the chargeback, the agent can point that fact out to the customer as proof they did indeed make the purchase," says Chase Paymentech's Nadeau. "This tactic is something that is under discussion among payments providers right now."
Looking for patterns
Another key to determining whether a chargeback or returned item is part of an actual fraud scheme or merely the result of a consumer changing his mind about the purchase starts with identifying the patterns associated with good and bad transactions, according to Roese.
"Fraudulent transactions have distinct attributes and just because a consumer initiates a chargeback does not automatically mean the transaction is fraudulent," says Roese. "It helps retailers to know what attributes to look for in good and bad transactions to help them decide whether the transaction requires manual review."
To bring more objectivity to screening transactions for fraud, FIS weighs the characteristics of a legitimate transaction and then balances them against what, if any, characteristics in the transaction suggest fraud. Doing so can reduce the number of transactions subjected to further fraud screening from as much as 25% to as little as 3% of total transactions.
Neural networks, which use artificial intelligence to scan transaction activity looking for anomalies, represent another tool that can help retailers spot suspicious transaction patterns. "Every consumer that makes a purchase online leaves data that makes up a personal customer profile," says GlobalCollect's Vanpraet. "Neural networks can help retailers track profile changes and flag suspicious activity."
Neural networks can deliver a 10% lift in spotting fraud from traditional scoring models, according to Retail Decision's Clump.
"Neural technology helps retailers understand the relationship between data sets around a transaction," says Clump. "Once they have that understanding they set rules that keep their rejection rates in line with, or lower than, their overall fraud rates, while ensuring that no good transactions are declined."
Fraud is not the only threat facing retailers. Last December supporters of WikiLeaks founder Julian Assange attempted to crash Amazon.com's web site through a coordinated distributed denial of service attack in which many computers try to overwhelm a site with simultaneous hits. The planned attack was believed to be retaliation for Amazon's decision to stop providing hosting services for the WikiLeaks web site.
While Amazon's EC2 (Elastic Compute Cloud) infrastructure was able to withstand the attack, it highlighted the potential threat to other retailers of denial of service attacks. "Previously, denial of service attacks have been aimed at governments and other public entities as an act of retaliation to policy, but this incident showed that retailers have to be on the lookout for them and take steps to protect themselves," says Clump.
Some of the steps retailers can take to protect their web site against denial of service attacks include updating such network appliances as firewalls and load balancers, and installing the latest upgrades for software and firmware. Retailers can also work with their Internet service provider (ISP) to establish a contingency plan to keep their web site running in the event of a denial of service attack, such as using a different network. Retailers should be sure to have alternative ways of connecting to their ISP and enough server capacity to handle sudden, unexpected spikes in volume.
Network capacity that scales as needed is also important to preventing this sort of coordinated assault. Retailers need back-up servers across the geographic regions they do business in to reduce the risk that a single weak link could lead to a complete site shutdown.
"Being able to scale capacity and even switch traffic onto alternate routes to different servers at the first sign of trouble can help avoid a site going down from a denial of service attack," says GlobalCollect's Vanpraet. "Retailers need to be asking their payment service providers whether they have the appropriate tools in place and can monitor traffic continuously to spot a denial of service attack early on, because it is a real risk in today's e-commerce world."
How much to spend
Given the threats retailers face from criminals and hackers, it can be tough to calculate how much to spend to safeguard data, detect fraud and keep e-commerce sites immune from attack. Among the criteria retailers need to weigh when determining what to spend are the value of the goods they sell, average transaction size and their risk tolerance.