But losses mount for the home furnishings e-retailer that went public in October.
(Page 2 of 3)
For example, a criminal may simultaneously make purchases from several merchants using different credit cards in an attempt to disguise his activity. If all those orders are initiated from a computer using the same IP address, however, those transactions are probably fraudulent.
"Criminals are always looking to disguise their tracks, and having a partner that can scrutinize a larger pool of transactions outside a merchant's business for fraud can significantly increase a merchant's chances of spotting fraud before an order ships," says Verifi's Sawitke.
Another way to detect potentially high-risk transactions is cross-referencing card accounts and customer data with previous transactions that resulted in chargebacks. "Chargeback data should be part of a retailer's fraud prevention tools," Sawitke says. "Spotting a credit card or customer that was involved in a chargeback dispute at checkout can prompt retailers to reassess the risk of that transaction."
Verifi's Intelligence Suite and integrated Rules Engine enables data to become actionable and automate standard order review procedures. This allows card-not-present merchants to compare hundreds of data points from new orders against fraud management rule sets which include merchant- and network-based data. Retailers can customize the system to flag transactions based on their risk threshold.
As criminals become increasingly tech-savvy, retailers have had to adjust. "Merchants can't expect to stop criminals using 21st century technology with 20th century tools," says SecureBuy's Wooten.
While retailers used to whitelist—or automatically approve—repeat customers' transactions to remove friction, that approach no longer works, Wooten says. "With data breaches at large merchants affecting tens of millions accounts, retailers can't afford to whitelist anyone, because even though the accounts affected in a data breach may have been shut down that does not mean data from those accounts hasn't been used to steal identities for the purpose of committing fraud down the road."
Just as retailers need to think differently about how another retailer's data breach may increase their own fraud risks, they also need to think differently about the threat from consumers using mobile devices, which are particularly vulnerable to fraud.
For instance, merchants that have developed shopping applications with one-click checkout have inadvertently created a weak spot criminals can exploit with malware. Typically, retailers offering this convenience have stored the mobile user's account data. Criminals can obtain that data by surreptitiously downloading malware to the user's mobile device through e-mail or other web sites the mobile user may have visited that can access that card data.
One solution to this problem is to require mobile users to sign in to the retailer's app before it launches. "Anti-malware applications for mobile devices are not as evolved as they are for desktop computers, so mobile users don't always know if their device has been compromised," says Litle & Co.'s Morgan. "Requiring a user to authenticate prior to each purchase adds another layer of security."
Another area merchants can overlook is chargeback fraud, sometimes called "friendly fraud," which occurs when an online shopper makes a purchase then calls her credit card-issuing bank to dispute the purchase after receiving the product or service. The dispute often arises from buyer's remorse. Nevertheless, credit card issuers place the onus on the retailer to verify the transaction was legitimate. If the merchant cannot do so the charge is reversed by way of a chargeback in the consumer's favor. Verifi's Cardholder Dispute Resolution Network (CDRN) provides a solution to this problem by enabling merchants to receive fraud and friendly fraud dispute notifications directly from the issuer. Issuers and merchants can then collaborate to resolve customer disputes before they result in a chargeback.
Since disputing a chargeback can be expensive, some retailers conclude it is cheaper to accept the chargeback rather than fight it.
But retailers can turn to their payment solutions providers to gather the documentation to prove the transaction was legitimate. Verifi, for example, can work on behalf of the merchant to fight these chargebacks. The process evaluates the chargeback information and provides documentation of any anti-fraud prevention steps taken by the merchant such as IP address verification and device fingerprinting, which uses data to identify individual PCs, phones or tablets to verify a shopper's identity. This kind of additional information can strengthen the retailer's case that the consumer did in fact make the purchase, and help the retailer to reclaim significant profits lost to friendly fraud and the chargeback process.
"If the disputed charge is a recurring transaction, we can notify the merchant not to process future charges until the chargeback is resolved," Sawitke says. "Chargeback prevention and resolution are big parts of risk management."
With data breaches becoming a bigger concern for retailers, the need for more extensive ongoing security checks to identify vulnerabilities is imperative. "It's not enough to simply put data security tools in place and leave them," says Litle & Co.'s Morgan. "They must constantly be tested and upgraded."
The same applies for any kind of software an online retailer uses. A retailer must keep up with software manufacturers' upgrades to make sure it is not vulnerable to attack. Morgan recommends that retailers sign up to automatically receive upgrade notices from manufacturers for every application they use, including back-office applications such as e-mail. In addition, retailers should monitor their platform for abnormal events that can indicate a malware intrusion, such as changes to file logs or unauthorized data transfers out of their systems.
"Criminals are transferring smaller amounts of data over longer periods of time to avoid detection," Morgan says. "The hit–and-run tactics of yesterday are lessening; stealth is now the name of the game."
Given the ongoing evolution of fraud and data security threats, retailers can never rest on their laurels when it comes to safeguarding their web sites. Indeed, the threat of online fraud in the United States will only worsen in the next few years as Visa and MasterCard issuers roll out mandated chip cards, predicts SecureBuy's Wooten. Those chip cards use a standard called EMV, which has become shorthand for the move to the more secure credit and debit card technology.