CyberSource Exec on Credit Card Fraud, Steps to Avoid

Nearly every ecommerce merchant has experienced credit card fraud. Credit card companies attempt to prevent payment fraud, obviously, and one — CyberSource — publishes a report on the condition of payment fraud annually. CyberSource’s chief researcher for this report — calledthis season,”2012 Online Fraud Report” — is Doug Schwegman, director of market intelligence.

Practical eCommerce: what’s the state of internet fraud in 2012?

Doug Schwegman:“Well, we’ve seen the total dollars lost to fraud go up. Despite the fact that the fraud rates have not changed much, the [ecommerce] market growth has returned. So that’s driving the overall losses up.

“We have asked this question — for practically the full thirteen years that we have completed this survey — that is,’What percentage of your yearly online revenues would you lose to payment fraud and payment fraud of a variety of payment methods that are supported by merchants?’ And it did go up a little bit, from like nine-tenths of a percent in 2010 to 1 percent of online revenue in 2011.”

PEC: The entire dollar of losses went up. And, to confirm, the proportion of fraud losses, to overall earnings, also went up?

Schwegman: “Yes. On a revenue basis it went up from 0.9 percent to 1.0 percent. From our standpoint, we wouldn’t place plenty of focus on that. I’d say it has not changed significantly but the industry growth has meant that fraudsters are still becoming more in their pockets, concerning fraud gain.”

PEC: Are fraudsters getting more sophisticated?

Schwegman:“Merchants have demonstrated some improvement in capturing and detecting fraud. In addition, we ask merchants,’Is the fraud more difficult to find than 12 months ago?’ We ask, ‘Is the fraud cleaner?’ That is,’Are the fraud efforts and the real fraudulent orders appearing more and more like legitimate orders so they are harder to tell apart from the valid clients?’

“Fifty-percent of the merchants say the fraud is more difficult to detect this season than one year ago. And we have seen that today for a few years. So some of the fraudsters are becoming better at what they do and the merchants are keeping up, for the most part. What we did see, I believe, this season is while the percentage of earnings lost to fraud remained relatively steady or went up marginally, the percentage of orders which were deceptive actually dropped a little. What that implies is that the dollar value of a fraudulent order went up. When a fraud happens today, it tends to be a larger dollar amount than in prior years.”

PEC: Can PCI compliance help reduce fraudulent orders, under the theory that fewer credit card numbers are getting stolen?

Schwegman:“It surely helps. There’s a great deal of ways the payment information becomes compromised, like when you give your card to a server or when you’re paying your bill at a restaurant. And today with camera phones, they could replicate the front and the back of your card quite easily with their camera phone. And if you purchase a drink they can request your driver’s license, to look at your age and your speech in which you reside, then they are ready to get on the internet and begin using your payment information. None of these are data breaches. PCI is not likely to protect from that method of payment information being compromised. However, it certainly helps, in terms of standards of merchants, more secured data.”

PEC: The stereotype is to say that fraud is generated beyond the U.S. for U.S.-based ecommerce merchants. Is that, in actuality, what happens?

Schwegman:“From the fraud report, we look at both nationally, which is orders which are coming from U.S. and Canada, versus merchants that accept orders from outside the U.S. and Canada. We find about 60 percent of merchants do accept orders from outside the U.S. and Canada. We ask them the fraud speed experience on those two unique kinds of orders, domestic versus international. The international fraud rate is always twice as high and in some years three times greater than the national fraud prices.”

CyberSource’s”2012 Online Fraud Report” is available for downloading at CyberSource.com.

PEC: Your report addresses automatic screening tools that merchants use to detect fraudulent orders. How have those tools evolved to keep up with increasingly sophisticated criminals?

Schwegman:“A great deal of new technologies are on the market today. Device fingerprinting is among them. There’s a good deal of data in an online session: browser type, language kind — lots of different sorts of data. From those data components, during the semester, you can create a fingerprint which can be quite consistent at recognizing the apparatus that session is coming from. You can start to see that the identical apparatus has placed an order with five individuals with different payment information in the previous hour and that’s probably something to look at. So, device fingerprinting is remarkably popular among merchants.

“There are other things, like site behavior analysis. This is how a fraudster will navigate your site otherwise, typically, from a legitimate client. Partly because lots of the fraudsters are automated so they’re using botnets and programs they have written to rapidly put items in the shopping cart to complete a voucher because they do not need to spend some time doing it manually in case they don’t have to. The site behavior analysis tools allow you to identify, by way of instance, that most individuals do not place six items in their shopping cart in under one second.”

PEC: Let us change directions and talk about a fraud-prevention plan for smaller merchants. What if a fraud detection strategy be?

Schwegman:“What may surprise that the tiny companies is that fraud detection tools are quite accessible. You may get multi-merchant fraud and data patterns by subscribing to a service that’s offered to small businesses. It may be $10.00 a month to provide you a risk score on something. It brings to the peak of the heap the two or three orders which you would like to spend some time looking at.

Authorize.Net includes a fraud protection service that lots of merchants subscribe to. But if you do not need to do that, the first place to begin, as a minimum, is to make the most of the fraud services and tools that the card associations provide. American Express, MasterCard, and Visa have things like payer authentication which you could register in and, on the site, in the event the card is registered in that the cardholder must validate the purchase using a password. And really we do not see massive impacts on shopping cart abandonment here. I believe that the consumers are impressed that you have gone to the trouble to provide additional safety for their shopping experience which gives them confidence.

“Some tools have existed for a while, like address validation system — AVS. That’s where, in real time, it’s assessing the cardholder’s billing address on file with the issuing bank and see if it matches the address information they have provided to you. It’s truly only checking the numerical data in the address area. It will tell you if it matches to what the lender has on file or not. If it says no, then it simply means that you have got to look a bit more closely at that order.

“The last thing that many merchants do now, as a benchmark, that was not true six to seven decades back, is collecting the 3 digit security code on the back of a card sometimes they are on the front of the card.”

PEC: Anything else on your mind for our readers about payment fraud?

Schwegman:“The thing that’s a favorite at the moment is that the development of the mobile purchase channel. People using their mobile devices to store online. That’s presenting new challenges to merchants because that is another set of information you have got to look at. A few of the data that you’re familiar with may not be available to you along with other new data may.

“In terms of handling fraud, it’s extremely nascent, new. Nobody really knows precisely how to approach it. We’ve discovered, as explained in the fraud file, that 92 percent of the merchants do not currently track the fraud in their mobile orders. It’s an emerging channel. I suspect fraudsters such as these sort of things, higher growth areas where they can probe for weaknesses. Merchants should keep this in mind if they’re going down the mobile route.”