White Paper: Latest Trends in Online Credit Card Fraud - and Preventing It
By Eric Thomson
The rapid growth of Internet sales represents new opportunities and challenges for traditional retailers and Web-only merchants. Credible research organizations are predicting that by 2004, business-to-consumer Internet sales will exceed $150 billion. More than 90% of these sales will be made on credit and debit cards. These "card-not-present" conditions of purchase result in most of the fraud liability falling on the retailers' shoulders.
According to a recent Gartner study, chargeback dollar value as a percentage of total card sales is 0.09% for in-store sales, 0.38% for mail or phone sales and 1.14% for Internet sales. Of course, fraud does not settle on all merchants equally. In general, fraud risk is greatest for those selling digital content with no physical address for delivery, sellers of high-cost, easily resold physical goods and those with a high percentage of cross-border sales.
Therefore, understanding the merchants' perspective on online fraud and what options they have to deal with this source of losses are the objectives of this column. Two different white papers are reviewed, both dealing with merchant online card fraud. One is a survey of merchants' views on this topic, and the second provides a guide to online fraud prevention.
Exclusive Merchant Survey
CyberSource was founded in 1994 and provides transaction-enabling services for Internet businesses - including credit card and fraud protection. The company started as a software retailer that evolved its business into a back-office infrastructure company to support its expanding offerings to a customer base of more than 3,000 online merchants.
This CyberSource report represents the third annual survey of merchants' views of the impact of online fraud. The document starts by describing the survey methodology and representative interviewing based upon annual sales, duration of selling online, monthly transaction volumes and sales channels used (online, call center, retail store and other).
The focus of the survey was on four aspects of online fraud:
- The impact that online fraud has on merchants.
- How merchants are managing fraud.
- The holiday outlook for fraud.
- Consumer privacy.
The primary findings and trends on fraud's impact on the retailers' business include:
- 57% view online credit card fraud as a very serious/serious concern.
- The inability to accurately detect fraud remains a top concern.
- Fraud drains valuable resources - revenue, staff time and bank/processor fees.
- Fraud is as big or bigger in the online portion of the business for the majority of retailers surveyed.
- Fraudulent transactions are estimated at 3% of online sales and represent this same percentage of losses on overall revenue.
- Human intervention to deter fraud involves techniques that directly inconvenience customers.
Findings on retailers' approach to managing fraud:
- Perception is that most cardholder fraud occurs from physical theft, identity theft and credit card numbers stolen off the Internet.
- 65% of respondents are taking more precautions this year than last.
- Acceptable investment in fraud prevention is 4% of online revenues.
- The top three processes for managing online credit card fraud are internally built business rules, manual reviews and Address Verification System (AVS).
- Most have no plans for implementing additional online fraud protection in the next year.
Merchant views on consumer privacy:
- 85% of respondents maintain consumer information in their databases.
- Of these, 45% encrypt customer credit card numbers.
- The majority of retailers surveyed have not performed a penetration audit of their site.
Author: CyberSource Corp.
Date: October 2001
Size: 19 pages
Relevance Rating: High
Web Address: www.cybersource.com/resources/collateral/Resource_Center/whitepapers_and_reports/2001_fraud_report.pdf
Fraud Prevention Guide for Online Merchants
ClearCommerce was founded in 1995 as an online order processor for Internet merchants. Currently, it is shipping the fourth generation of its integrated processing engine, comprised of payment processing, fraud protection, reporting, APIs for both storefront and legacy system integration, shipping, tax calculators and an electronic download component to ease the sale of digital products such as music, software and videos.
The ClearCommerce business model is to sell the solution for a fixed-price software-purchase fee and no transaction charges. Smaller merchants are being served through alliances with organizations such as EDS and MSN. In addition to a strong functionality set, ClearCommerce has devoted extensive resources to building integration to legacy systems such as PeopleSoft, SAP and Oracle and claims compatibility with 90% of credit card processors and acquirers.
This combination of focus and functionality has placed ClearCommerce with a customer base of more than 40,000 online merchants - 10 times larger than its closest competitor. Consequently, this white paper describing ClearCommerce's views on adequate online fraud protection is worth reading.
Recently, I attended the annual convention of the International Association of Financial Crimes Investigators (IAFCI), where a large segment of the agenda was devoted to card fraud. It became clear that a new source of online card fraud has entered the market in the form of terrorists.
FBI and the U.S. Secret Service presenters documented that in the past, the primary threat from cyber-crime came from hackers and organized crime. Both organizations state that they have documented evidence that terrorists often steal needed funding through credit card fraud. Also clear is that attempted fraud is increasing across the board, and attacks are more and more ingenious.
As a practical matter, merchants are coming to realize that they must rely on their own resources to fight this type of fraud as government agencies shift their attention to pursuing terrorists. As merchants devote more resources to preventing online fraud, they realize these dollars are well spent. It takes only a few large fraud attacks to put a merchant's Web site out of business, either from six-digit penalty fees imposed by credit card organizations or from devastating fraud losses.
This fraud-protection guide first sizes up the problem by drawing upon statistics obtained from user data contributed into the ClearCommerce Data Consortium database. Comparing customer experience with that supplied by the card associations, ClearCommerce concludes that its clients are experiencing 50-75% of the industry averages.
The next section of the guide details the components of costs merchants incur from cyber-fraud:
- Cost of goods sold: Seldom does merchandise delivered on purchases through fraudulent cards get recovered.
- Shipping cost: Merchants also absorb the cost of shipping for fraudulent orders.
- Card association fees: Both Visa and MasterCard have strict programs that penalize merchants generating high rates of chargebacks. Originally, these penalties were meant to screen out low-quality retailers that generated dissatisfied cardholder experiences within the merchant base. Cyber-fraud attacks on high-quality merchants are generating chargeback rates that exceed the card association guidelines for any three-month period (e.g., 1% of all transactions or 2.5% of the total dollar amount). The first month of penalties will be $25 a chargeback, but it increases to $100 per chargeback the following month if the rate doesn't drop back to acceptable levels. Furthermore, the card associations will assess fines from $5,500 to $100,000 a month for merchants with excessive chargeback rates. The final recourse that card associations have against merchants unable to control these rates is to terminate their card-accepting privileges, effectively putting the merchant out of the online business.
- Merchant bank fees: The processor or acquirer bank typically will charge $10-25 for each chargeback processed against a merchant. Not mentioned in the white paper, but clearly obvious to every online retailer, is the fact that they are paying a premium discount rate - typically 100% higher than what they are paying to deposit card-present POS transactions.
- Administrative cost: Every fraud chargeback represents serious clerical processing costs in the form of setting up a claim, researching its origin, contacting the cardholder and responding to the acquiring and issuer banks with documentation. Furthermore, the more sophisticated retailers are feeding each fraud experience into their fraud models to train them for increased effectiveness on screening future transactions. ClearCommerce estimates that each chargeback on low-cost merchandise easily can add up to more than a hundred dollars of loss - an estimate that would be much larger for retailers with high-ticket items such as computers, electronics or jewelry.
This document describes another interesting dimension of the profile of Internet fraud. Research has shown that fraud grows almost directly with the rate of new visitors to a site. Another sinister aspect of online fraud is that it typically will show up in the form of a chargeback a couple of months after the transaction originally took place.
According to ClearCommerce client experience, the average time lag between transaction date and chargeback notification is 72 days. And 20% of fraudulent transactions will show up 100 days or more after the transaction first took place.
Therefore, new online merchants are lulled into a false sense of security as they experience little or no fraud in the early days of operation, only to be overwhelmed as their sales grow and they start installing fraud-prevention techniques.
Next, the document summarizes the sources of fraud, primarily the obtaining of a valid credit card number and expiration date. There are numerous ways in which fraudsters can obtain this information.
Stolen or lost cards provide all of the information needed. Card receipts contain this detail, and unscrupulous clerks and restaurant waiters are using small hand-held card "skimmers" to pull this information off the magnetic stripe on the back of your card. Hackers are breaking into merchant Web sites and stealing customer file information on cardholders and then posting them for sale on the Internet.
At this year's IAFCI convention, a Visa spokesperson said the association is monitoring this behavior and is seeing an average of 2,000 new cardholder account numbers a day being posted for sale in this manner.
The rest of the ClearCommerce fraud guide details the various fraud-detection tools available to merchants. All of these options have costs associated with them and include:
- Address Verification System (AVS): Validates that the billing-address information provided by the consumer via a Web form or over the phone matches the billing address for that cardholder. AVS has a high failure rate: Typically, less than 60% of the transactions will obtain a full match on AVS. One component of this result is the fact that it only applies to cards issued in the U.S. According to the guide, more than 98% of the transactions that fail both ZIP and street address are legitimate. ClearCommerce recommends the tool as a form of detection as part of a more comprehensive risk-management program.
- Card Verification Methods (CVM): Consists of a three- or four-digit numeric code that is printed on the card but not embossed on the card or available in the magnetic stripe. The merchant can ask that the consumer provide this code with the order and submit it with the authorization. There is no further protection afforded the retailer in the way of chargeback rights from using CVM, but fraud rates on CVM-validated transactions are 80% lower than those for non-CVM transactions.
- Lockout Mechanisms: Automated card number generators represent a new tool used by fraudsters. These programs easily can be downloaded from various Web sites and are able to generate thousands of "valid" credit card numbers. These programs can generate numbers that an issuer bank might have issued, but the vast majority correspond to non-existent account numbers. The report describes various transaction patterns that reflect use of these types of numbers until they achieve a transaction approval. Then the account number is run up rapidly. The Lockout Mechanism enables merchants to monitor and then block such accounts from use at their site.
- Negative and Positive Lists: This is the same practice used by check guarantee companies to decide on approving checks online. For card transactions, you are building a file containing past fraudulent card accounts or high-risk addresses or country-of-origin filters that effectively block transactions that are on these lists.
- Fraud Rules: Rely upon expert rules defined to identify specific types of high-risk transactions. They use "if-then" logic to screen transactions for either investigator review or rejection. The guide provides an example of how a typical fraud rule might be designed to flag all orders more than $500 with multiple purchases of the same product. Positive rules, as an example, will approve all transactions less than $50 that also pass the AVS test.
- Risk Scoring: These are statistical models designed to identify transaction characteristics and accumulate a "score" that allows the merchant to automatically set approval rules. As an example, on a scale of 100 to 1,000, the higher the score the higher the probability the transaction is fraudulent. The merchant might set an automatic approval on all transactions that are scored at less than 600. For transactions between 601 and 750, the transaction is approved but is referred to an investigator for review. And all scores of more than 751 are automatically declined.
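The following Python sketch is an added example, not code from the ClearCommerce guide or from this column. It chains the lockout, negative-list, fraud-rule and risk-score checks described above into one screening decision. The field names, the order in which checks run, the lockout window and threshold, and the handling of the unassigned scores 600 and 751 are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Order:
    source: str          # assumed client key (session, IP or account)
    card: str            # card token, never the raw number
    amount: float
    same_item_qty: int   # largest quantity of any one product
    avs_match: bool      # full AVS match on ZIP and street
    score: int           # 100-1000 from a risk model, higher is riskier
    ts: float = 0.0      # seconds

class Screener:
    WINDOW, MAX_CARDS = 600, 3   # assumed lockout tuning, not from the guide
    def __init__(self, negative=()):
        self.negative, self.locked = set(negative), set()
        self.declines = defaultdict(deque)   # source -> (ts, card) declines

    def issuer_declined(self, o):   # lock sources cycling through cards
        q = self.declines[o.source]
        q.append((o.ts, o.card))
        while o.ts - q[0][0] > self.WINDOW:
            q.popleft()
        if len({card for _, card in q}) >= self.MAX_CARDS:
            self.locked.add(o.source)

    def screen(self, o):
        if o.source in self.locked or o.card in self.negative:
            return "decline", "lockout or negative list"
        if o.amount > 500 and o.same_item_qty > 1:
            return "review", "rule: over $500, repeated product"
        if o.amount < 50 and o.avs_match:
            return "approve", "rule: under $50 with AVS pass"
        # Scores 600 and 751 are unassigned above; each goes to the stricter band.
        if o.score < 600:
            return "approve", "score"
        if o.score <= 750:
            return "approve+review", "score"
        return "decline", "score"

def demo():
    s = Screener(negative={"tok-bad"})
    for i in range(3):   # constructed: three cards declined within two minutes
        s.issuer_declined(Order("src-1", f"tok-{i}", 20, 1, False, 500, i * 60))
    orders = [Order("src-1", "tok-9", 20, 1, True, 200, 200),
              Order("src-2", "tok-a", 800, 3, True, 200),
              Order("src-2", "tok-a", 30, 1, True, 900)]
    return [s.screen(o)[0] for o in orders]
```

In this ordering the positive rule approves the constructed $30 order despite its score of 900, because positive rules are evaluated before scoring. The lockout check runs first so that a source already cycling through declined cards cannot reach that rule with small test purchases.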
The next section of the ClearCommerce fraud guide paper details the fraud-detection components and workflow the company recommends as a "best practice" risk-management process. To demonstrate the effectiveness of this process, ClearCommerce provides a case study on a representative merchant, detailing the cost of fraud and the justification for implementing the ClearCommerce risk-management process. Finally, the document closes with a list of guidelines for high-risk transactions and guidelines for reporting and prosecuting fraudsters.
Author: ClearCommerce
Date: March 2001
Size: 23 pages
Relevance Rating: High
Web Address: www.clearcommerce.com/pdf/whitepapers/ClearCommerce_Fraud_Prevention_White_Paper.pdf
Web Sites for More Information
www.iafci.org/
International Association of Financial Crimes Investigators is a professional organization made up of law enforcement, corporate and card organizations dedicated to shared experience and prevention of financial crimes.
www.cybersource.com/resources/collateral/pdf/ifs_wp111500.pdf
"Managing Risk on the Net: What Internet Merchants Need to Know," white paper by Cybersource Corp., May 2000.
www.windowsix.com/whitepapers/Controlling_Online_Credit_Card_Fraud.pdf
"Controlling Online Credit Card Fraud," white paper by Window Six, January 2002.
www.merchantfraudsquad.com/
Web site for Worldwide E-Commerce Fraud Prevention Network, a not-for-profit group dedicated to helping merchants fight internet fraud.
www.diogenesllc.com/creditcardfraud.pdf
"Credit Card Fraud," a white paper by Diogenes LLC.
www.siia.net/sharedcontent/piracy/news/auction2001.pdf
"Piracy on Internet Auction Sites - What Consumers Need to Know," by the Software & Information Industry Association.
www.cfenet.com/pdfs/FrdPrevCheckUp.pdf
"The Fraud Prevention Check-up," by the Association of Certified Fraud Examiners.
Eric Thomson is Executive Vice President of Profit Source Advisors. He can be reached at etprosc@attbi.com.