A study of e-commerce fraud by CyberSource Corp. indicates merchants expect to lose a record $4 billion to online criminals in 2008. In the past three years, loss rates have hovered around 1.4 percent of merchants' revenue, but continued growth in e-commerce sales means dollar losses to fraud are growing.
"For years, U.S. e-commerce merchants have fought fraudsters to what amounts to an annual standoff," said Doug Schwegman, CyberSource's Director of Market and Customer Intelligence. "For the first time this year, however, merchants could not rely on double-digit market expansion to bolster online revenue growth or cover inefficiencies."
The survey showed merchants, mostly level 3 and 4, still manually review orders for fraud, examining, on average, one out of every three orders they receive. Heavy human involvement continues in what one might expect to be an automated process. As order percentages increase, the burden of expensive manual review continues to grow.
"Every time a human gets in the loop, that costs salary, time and effort," said Tim Cranny, Chief Executive Officer of Panoptic Security Inc. "If we had a magic wand, there'd be a box with blinking lights that would do all of this for you with no human involvement or distractions, but we are very much not there yet."
Mid-size e-commerce merchants show higher order rejection rates compared to larger merchants (4.3 percent versus 2.4 percent), higher manual review rates (34 percent of orders versus 15 percent) and higher fraud loss rates (1.6 percent of revenues versus 1.2 percent). "We believe the largest merchants are better at fighting fraud because they simply make better use of fraud detection tools and other resources," Schwegman said.
According to Theodore Svoronos, Payment Consultant for Group ISO, based in Irvine, Calif., the Payment Card Industry (PCI) Data Security Standards (DSS) and the Fair and Accurate Credit Transactions Act of 2003 Red Flag Identity Theft Rules are the key components to fraud reduction.
"When you purchase online or do a MO/TO, you're not giving any information except name, address and card number," Svoronos said. "There is no verification, no authentication of the individual.
"Knowledge-based authentication questions are crucial, and they ask both in - and out-of-wallet questions only the true person would know. They're pulled from multiple, unstored databases specific information that only the real cardholder could possibly know. Fraudsters are only looking for financial information."
Order rejection rates due to suspicion of fraud showed a significant drop in 2008, falling from 4.2 percent in 2007 to 2.9 percent this year. Simply put, merchants are accepting a higher percentage of the orders they receive. The survey suggested falling rejection rates, coupled with steady fraud rates, imply that merchants have been more successful in combating fraud this year than in the past.
"With transactions, the last thing you want to do is reject someone who is trying to give you money," Cranny said. "If it's an honest transaction, you desperately don't want to drop that. So I'm glad that rejection rates and the overall system are working slightly better this year than last year. However, there is no reason to think that this is some inevitable trend and that we're heading towards nirvana. That is just not the case."
Many fraud detection tools are available that provide automated assessment of transactions' fraud potential and can reduce human involvement. And merchants, due to the slowing economy, are starting to shift their fraud fighting policies. For many experts in the industry, the timing could not be better for this shift in security practices.
"To me, the January 2010 sunset date for PCI is a blessed mandate," Svoronos said. "Take steps now to be proactive and secure your business - your bread and butter. You can say it won't happen to me, but that is absolute baloney."
Svoronos feels ISOs and merchants should take extra steps to secure their businesses and eliminate suspect clients. "And if you drop from $10,000 a month to $8,000, so be it," he said.
"At least you won't have the losses hitting you; you'll be compliant; you'll sleep at night. If you don't do the necessary things to bolster consumer confidence, to make it safe, secure and easy to purchase online, you'll never have great acceptance."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next