But the retailer can keep the token on file and use it again if the cardholder makes another purchase in the future. "Tokens are useless to criminals because they are not legitimate card numbers," says Litle & Co.'s Cohn. "As the creator of the token we hold the key to decrypt it and match it with the card number and merchant it is linked to, so if a criminal attempts to use a token we would detect and decline it."
Tokenization usage by Litle & Co. merchants has grown threefold in the year since its inception.
In 2011, the company added PayPage, a front-end application that transmits card account data collected at the checkout page through a shopper's web browser directly to a secure tokenization server. PayPage returns a token—not the card number—to the merchant so the retailer never sees the card data; as a result, the retailer need not build systems for protecting card data, even for a short time.
A team approach
As effective as tokenization is at protecting consumer card data and reducing fraud risk, it remains just one arrow in a retailer's fraud-fighting quiver. The growing sophistication and organization of fraud rings has created the need for retailers to have better real-time data to flag potentially fraudulent transactions.
One way to keep up with fraud as it happens is for merchants to exchange data about suspicious transactions with the banks that issue credit and debit cards. Although merchants and card issuers have shared information in the past, they did not necessarily exchange detailed data about suspicious transactions, such as what was purchased or where it was to be shipped. Nor did they always share the data in time to stop shipment of the order.
Very often the retailer would ship the goods, the criminal would sell them and weeks later the legitimate cardholder would see the charge on his card statement and complain. The result was a chargeback, in which the retailer must refund the money received for the purchase and take a loss for the value of the merchandise shipped.
"A significant percentage of chargebacks are fraud," says ReD's Rezek. "Sharing better data sets about transaction activity and cardholder behavior between issuers and merchants can help identify fraudulent transactions as they occur, even on orders that initially got approved, but have yet to ship."
ReD's Fraud Alert service sends daily transaction data from ReD's merchant clients to the issuers of cards used at those merchants. If the card issuer spots a transaction outside the cardholder's normal pattern of activity, the issuer can immediately contact the cardholder to verify the transaction. If the cardholder says she did not make the purchase, the card issuer turns down the transaction and the retailer is alerted to the possibility of fraud.
"It's a much clearer validation process that gets merchants and card issuers working together by sharing more detailed data sets on a daily basis," Rezek says.
ReD also uses analytics, rules, neural network technology and pooled data to identify all the components of a fraudulent transaction and the linear and non-linear relationships between those data across multiple merchant categories in real time. The company even monitors online chat rooms used by criminals to exchange stolen card accounts to build its negative card file.
Even with the growing sophistication in fraud detection technology, a retailer's fraud prevention strategy still comes down to its appetite for risk. Newer merchants, for instance, tend to be more focused on marketing to grow their business and less inclined to reject a lot of suspect transactions. Merchants more prone to fraud, such as those that sell consumer electronics that can quickly be resold for cash, tend to have a lower risk tolerance.
"Managing fraud by manually reviewing orders is expensive and time-consuming, and often results in lost sales and customer insults," says Kount's Rouse. "While every situation is different, most retailers will benefit greatly by reducing manual reviews and introducing automation into the process."
Implementing simple and inexpensive checks is an important first step for retailers seeking to balance risk with other business objectives. One practice is tracking transaction velocity on a card. For example, a retailer may want to manually review the next order from a customer who has placed five orders in a 24-hour period.
"Customers with high transaction velocity in a short period should be flagged and approval slowed down a bit," Rouse says.
Nor should retailers overlook requiring a customer to enter her three-digit CVV number on the back of her card. CVV numbers are intended to prove the customer is in possession of the card, and not a criminal entering a stolen account number.
"A lot of retailers don't ask for it," Rouse says. "It's an easy and inexpensive fraud detection tool to implement at checkout, and if it is not entered or entered wrong it can be one indication of potential fraud."
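The two inexpensive checks described above, velocity tracking and CVV entry, are sketched here as an added example; it is not code from the article or from any vendor it names. It assumes orders are keyed by the card token the merchant keeps on file, that they arrive in time order, and that the processor reports the CVV result as "match", "mismatch" or "missing"; the class, field names and result values are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # look-back period from the article's example
MAX_ORDERS = 5                 # orders in the window before the next one is reviewed


class ReviewRules:
    """Flags orders for manual review; it never declines on its own."""

    def __init__(self, window=WINDOW, max_orders=MAX_ORDERS):
        self.window = window
        self.max_orders = max_orders
        self._seen = defaultdict(deque)   # card token -> timestamps of recent orders

    def check(self, token, placed_at, cvv_result):
        """Return the reasons this order should be reviewed (empty list = none)."""
        reasons = []
        recent = self._seen[token]
        # Drop orders that have aged out of the sliding window.
        while recent and placed_at - recent[0] >= self.window:
            recent.popleft()
        # Five orders already in the window: review the next one.
        if len(recent) >= self.max_orders:
            reasons.append("velocity")
        recent.append(placed_at)
        # A missing or wrong CVV is one indication, not proof, of fraud.
        if cvv_result != "match":
            reasons.append("cvv_" + cvv_result)
        return reasons


def run_sample():
    """Constructed sample: six orders on one token in a day, then one 30 hours in."""
    rules = ReviewRules()
    start = datetime(2024, 1, 1, 9, 0)
    results = []
    for i in range(6):
        results.append(rules.check("tok_A", start + timedelta(hours=i), "match"))
    results.append(rules.check("tok_B", start, "missing"))
    results.append(rules.check("tok_A", start + timedelta(hours=30), "match"))
    return results


if __name__ == "__main__":
    for r in run_sample():
        print(r or "ok")
```

Keying the counter on the token rather than the card number keeps the check compatible with a setup in which the retailer never stores card data.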
These simple techniques are helpful, but often not enough to stop today's sophisticated criminals. Advanced technologies available from fraud-prevention services providers are often needed to round out an effective fraud reduction strategy. For example, Kount uses real-time dynamic scoring models to evaluate card-not-present transactions and links orders from around the globe to uncover hard-to-detect fraud schemes. The company also uses a proxy-piercing process to identify the Internet nodes used by the access device to connect to the proxy server. That helps to determine the user's true geographic location and enables a retailer to reject transactions from areas where it cannot ship or that are known to initiate a lot of fraud.
A tricky aspect of fraud that retailers need to monitor and address is chargeback-related fraud. The tepid economy in recent years has fueled a rise in what some call friendly fraud, that is, transactions by normally law-abiding consumers who decide they want to keep an item without paying for it. They may have realized they butted up against their credit limit after making the purchase or decided they could not afford their purchase after receiving the item. Regardless, the customer decides he wants to keep the item.