
The Green Sheet Online Edition

December 27, 2010 • Issue 10:12:02

E-commerce fraud: Identifying and reducing risk

By Nicholas Cucci
Network Merchants Inc.

How quickly are you and your merchant customers adapting to fraudsters' evolving techniques? LexisNexis' September 2010 True Cost of Fraud Study showed that for every $1 in fraud, merchant expenses will reach $3.10 out of pocket. This cost does not even include lost customers and other "soft expenses" resulting from this fraud.

Javelin Strategy & Research surveyed over 1,000 merchants in September 2010 regarding consumer fraud. Javelin discovered that fraud losses are one of the largest and most significant challenges facing merchants. With 2011 right around the corner, what could you be doing to help your merchants fight fraud?

In 2009, e-commerce sales grew almost 6 percent, according to Javelin; sales in 2011 are expected to climb even higher, from 12 to 14 percent. With an increase in e-commerce sales comes another daunting trend: increasing levels of fraud.

This steady growth attracts criminals who continuously seek to develop new schemes to defraud merchants and consumers. Smaller merchants must respond to the threat by strict manual review of online purchase attempts.

Finding red flags

One important aspect of fraud management is "risk scoring." Here's how it works: your online merchants can use hundreds of factors to generate a score. Some examples of these factors are the payment method used, shipping address, billing address, frequency of orders and even the geo-location of the transaction.

First Data Corp. identified more triggers that might contribute to a negative risk assessment, as follows:

  • A single IP address has been used with multiple payment cards in the last x days.
  • The shopper's billing address is more than y miles from the shipping address.
  • The email address has been flagged in a negative database of known fraud activity by other merchants participating in the same fraud detection strategy.
  • Email addresses from Google Inc., Yahoo Inc., or other free email services have been used.
  • The bank identification number (BIN) is from a high-risk country.

Risk assessment reports aid in analyzing the effectiveness of manual reviews and will help payment professionals spot opportunities to eliminate unnecessary analysis. Each risk management tool uses its own algorithm to calculate a numerical score from the weighted points it assigns to each rule.
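The weighted scoring described above, as an added Python example (not code from the article or from any vendor's product): each of the five triggers in the list carries a weight, and the total decides whether an order goes to manual review. The weights, the values chosen for x and y, the review cutoff, the list contents and the Order fields are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
# Thresholds, weights and list contents below are assumptions for illustration.
WINDOW_DAYS, MAX_MILES, REVIEW_AT = 7, 500, 50   # "x days", "y miles", review cutoff
WEIGHTS = {"ip_multi_card": 30, "addr_distance": 20, "email_negative": 40,
           "free_email": 10, "bin_high_risk": 25}
FREE_DOMAINS = {"gmail.com", "yahoo.com"}
NEGATIVE_EMAILS = {"reported@example.net"}       # constructed shared-database entry
HIGH_RISK_BINS = {"999999"}                      # constructed BIN, not a real issuer

@dataclass
class Order:
    when: datetime
    ip: str
    card_token: str   # gateway token for the card, never the raw number
    bin6: str         # first six digits of the card
    email: str
    bill: tuple       # (lat, lon) of the billing address
    ship: tuple       # (lat, lon) of the shipping address

def miles(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 3958.8 * 2 * asin(sqrt(h))

def score(order, history):
    """Return (total, fired_rules, needs_review) for one order given earlier orders."""
    since = order.when - timedelta(days=WINDOW_DAYS)
    cards = {o.card_token for o in history if o.ip == order.ip and since <= o.when <= order.when}
    cards.add(order.card_token)
    email = order.email.strip().lower()
    checks = {
        "ip_multi_card": len(cards) > 1,
        "addr_distance": miles(order.bill, order.ship) > MAX_MILES,
        "email_negative": email in NEGATIVE_EMAILS,
        "free_email": email.rsplit("@", 1)[-1] in FREE_DOMAINS,
        "bin_high_risk": order.bin6 in HIGH_RISK_BINS,
    }
    fired = sorted(rule for rule, hit in checks.items() if hit)
    total = sum(WEIGHTS[rule] for rule in fired)
    return total, fired, total >= REVIEW_AT

# Constructed sample orders (documentation IP ranges, made-up tokens).
NYC, LA, T0 = (40.71, -74.01), (34.05, -118.24), datetime(2010, 12, 1)
HISTORY = [Order(T0, "203.0.113.5", "tok_A", "400000", "a@example.com", NYC, NYC)]
SUSPECT = Order(T0 + timedelta(days=2), "203.0.113.5", "tok_B", "999999", "x@gmail.com", NYC, LA)
LATER = Order(T0 + timedelta(days=30), "203.0.113.5", "tok_C", "400000", "c@example.com", NYC, NYC)
```

Returning the list of fired rules alongside the total gives the manual reviewer the reason for the flag, which is what makes the review reports mentioned above usable for tuning weights.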

For ISOs with merchants who are involved in international commerce, certain factors, such as address verification, are unreliable by themselves. Email database and IP address checks must be done to help verify transactions. Fraud management or "fraud scrubbing" is more than just a score, flag or review; it requires analyzing other components of the transaction, too.

Fraudsters never stand still and will keep attempting charges both large and small until an approval goes through. With this constant onslaught, security measures should also never stop growing and evolving.

Payment processors and other service providers can help new and growing merchants keep up with the changing future. Usually the feet on the street observe fraud trends closely and are able to protect and update merchants on emerging fraud methods and techniques that can be used to fight back.

"The credit card processing industry is based on risk, and it's our duty and obligation to mitigate the risk for our merchants," said Roy Derby, Director of Risk Management for America's Bankcard Alliance. "One of the most overlooked and basic ways to help your merchants is prevention through education."

Remaining proactive is essential to reducing one's risk, and that readiness requires ongoing training.

Below are additional details pertaining to red flags that often point to incidents of fraud:

  • Multiple orders with different "bill to" and "ship to" addresses: check the IP geo-location and compare it with the billing address to help verify the validity of the charge.

    Once you have found a fraudulent charge, start keeping a database of prior fraud attempts, with information such as the customer name, shipping and billing addresses, phone numbers, IP addresses, and email addresses. Make sure to leave a section for comments.

  • Suspicious patterns: multiple orders shipping to the same address but using different credit cards should raise concern. Fraudsters may have the credit card number but submit it multiple times with different expiration dates because that's what they are missing.

  • Free email accounts: many businesses today refuse to accept orders from any free email accounts or any non-ISP email domains. Depending on the value of the purchase, you can call or request more information before processing the order further.
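An added example, not from the article, of checking stored order attempts for two of the patterns above: one ship-to address used with several cards, and one card retried with different expiration dates. The field names, the card_token (a stable per-card token from the gateway, stored instead of the card number) and the threshold are assumptions.

```python
import re
from collections import defaultdict

def norm_addr(addr):
    """Collapse case, punctuation and spacing so trivially varied addresses group together."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()

def find_patterns(attempts, max_cards_per_addr=2):
    """Group order attempts and return the two suspicious patterns.

    attempts: iterable of dicts with keys ship_to, card_token, expiry
    (hypothetical field names). max_cards_per_addr is an assumed tolerance
    for households that legitimately use more than one card.
    """
    cards_by_addr = defaultdict(set)
    expiries_by_card = defaultdict(set)
    for a in attempts:
        cards_by_addr[norm_addr(a["ship_to"])].add(a["card_token"])
        expiries_by_card[a["card_token"]].add(a["expiry"])
    return {
        # Same destination, more distinct cards than the tolerance allows.
        "shared_ship_to": {addr: sorted(cards) for addr, cards in cards_by_addr.items()
                           if len(cards) > max_cards_per_addr},
        # Same card submitted with more than one expiration date.
        "expiry_guessing": {card: sorted(exp) for card, exp in expiries_by_card.items()
                            if len(exp) > 1},
    }

# Constructed sample attempts; tokens and addresses are made up.
SAMPLE = [
    {"ship_to": "12 Elm St., Apt 4", "card_token": "tok_1", "expiry": "01/11"},
    {"ship_to": "12 elm st apt 4",   "card_token": "tok_1", "expiry": "02/11"},
    {"ship_to": "12 ELM ST APT 4",   "card_token": "tok_2", "expiry": "06/12"},
    {"ship_to": "12 Elm St Apt 4",   "card_token": "tok_3", "expiry": "09/12"},
    {"ship_to": "9 Oak Ave",         "card_token": "tok_4", "expiry": "03/12"},
]
```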

Some useful tools

In addition, here are tools and actions your merchants can use to help prevent fraud:

  • Payer authentication programs: Programs such as Verified by Visa Inc. and MasterCard Worldwide's SecureCode use personal passwords to confirm the identity of the card user. When merchants use such a program, card issuers may incur some of the losses for online fraud that otherwise would have been entirely the responsibility of the merchants.

  • BIN check: The first six digits of the credit card can be used to determine if the issuing bank and the credit card holder are in the same country. However, this method should be corroborated before canceling the transaction since some legitimate transactions occur with a credit card from another country.

  • Address Verification System (AVS): The AVS is available only in the United States and in four European countries. It checks to determine whether the cardholder's address and ZIP code match the information at the issuing bank. This, too, should be checked, as the AVS can fail to verify because of legitimate issues, such as an address change.

  • Customer relations: Even with today's high transaction volume, phoning customers every so often will benefit merchants in many ways. This practice gives merchants an opportunity to welcome their customers and develop relationships for future ordering. And if an order turns out to be fraudulent, a merchant can simply cancel it and let the customer know to call his or her credit card company so a new card can be issued.

Nicholas Cucci is the Director of Marketing for Network Merchants Inc. He is a graduate of Benedictine University and a licensed Certified Fraud Examiner. Prior to joining NMI, he worked in the payment processing division for a Fortune 500 company and has advised several large retailers on credit card fraud protection, screening and risk assessment. Nicholas can be reached at ncucci@nmi.com or 800-617-4850.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
