Taking the hits
Written by Richard Thurston
Is technology winning the battle against card-not-present (CNP) fraud? Richard Thurston reports
For the first time, the quantity of CNP fraud has fallen. This type of fraud - the total of phone, internet and mail order fraud - fell 19 per cent to £266.4 million in 2009, according to the UK Cards Association, the organisation that represents card issuing companies. The fall took many by surprise. CNP fraud had jumped substantially for each of the previous three years.
According to the UK Cards Association, the decrease is due to the expanding use of “sophisticated” fraud screening detection tools by both retailers and banks, as well as continuing growth in 3D Secure systems (MasterCard SecureCode and Verified by Visa) by retailers and cardholders.
Due to the uptake of these solutions, fraudsters have in part shifted their focus from CNP fraud to online and phone banking, where consumers can be impersonated and their bank accounts compromised. However, the fall in CNP fraud leaves little room for complacency. According to the British Retail Consortium (BRC), it is still one of the largest elements of fraud affecting its members. And that’s bad news: retailers will still be hit by chargebacks where the card issuer believes they are at fault, and they’re also hit by a loss of reputation where the consumer believes the retailer is to blame.
“We still see fraud as a problem in the CNP space,” says Kevin Smith, senior vice president for fraud prevention management at Visa Europe. He says the success of chip and PIN had even persuaded some fraudsters to try to engineer CNP fraud, despite its shrinking opportunities. He adds that Verified by Visa had been successful in tackling it, and that its success was pushing fraudsters towards exploiting retailers that had not adopted 3D Secure. Online CNP fraud is a growing problem, with e-commerce now accounting for two thirds of CNP fraud by value. Smith said that percentage continues to rise.
Retailers must, of course, make some back office infrastructure changes to accommodate 3D Secure. Some, such as Amazon, choose not to implement it because they consider it an inconvenience to their customers. 3D Secure has been a major innovation in the fight against CNP fraud, but retailers have further options. Fraud detection tools are rapidly evolving, becoming more intelligent and better informed over time.
Fraud screening tools
These tools can be deployed in-house or by a third party specialist, and can be used either for real-time transactions or for a batch of transactions where real-time approval is not required. The tools evaluate the likelihood of a transaction being fraudulent and return either a score or a traffic light rating. The retailer bases its decision whether to approve the transaction on that result, taking into account any information it already holds in-house on that customer.
Catherine Bowen, crime policy advisor at the BRC, says its members are spending heavily on third party screening of card data. “They are spending a lot of money on protecting themselves.”
The BRC’s latest annual crime survey found that 53 per cent of retailers were using in-house fraud screening tools, while 41 per cent had enlisted the help of third party tools. Usage of these tools had “increased substantially.”
Andre Edelbrock is the chief executive at Ethoca, a fraud detection company that offers these tools. “It (the set of tools) gets very good at predicting the likelihood of fraud on a transaction,” he says. “We have proven 100 per cent that when certain signals fire it is guaranteed fraud.”
Edelbrock said Ethoca collects a large amount of data on users, including information they provide when they register for a service, or transact within it. This includes the user’s name, address, shipping address, phone number, email address, card number and IP address. It uses this information together with wider data on the fraud marketplace to give its retailer customers a so-called Signals Report, a traffic light-based reporting system.
Red means decline the transaction, and green means go ahead, Edelbrock notes. Yellow means the transaction could be fraudulent, but the information should be used in conjunction with a retailer’s own information. Sometimes a white light is given, which means Ethoca has insufficient information to make a judgement.
Edelbrock observes that some customers were still managing the process in-house, a flashback to the early days of fraud prevention when retailers would be “working alone”, sharing knowledge mainly at conferences. Now many companies are choosing to supplement their in-house expertise with third-party solutions like that of Ethoca, because of scalability issues or in cases where the third-party has information the retailer can’t or doesn’t want to gather on its own.
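The decision flow described in this section, sketched from the retailer's side as an added example; it is not part of the original article and is not Ethoca's code. The four signal colours come from the text above, while the in-house fields, the three-order trust rule and the £200 review threshold are hypothetical assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum

class Signal(Enum):
    RED = "red"        # decline
    GREEN = "green"    # go ahead
    YELLOW = "yellow"  # possibly fraudulent: combine with in-house data
    WHITE = "white"    # screening service has insufficient information

@dataclass
class InHouse:
    """Retailer's own knowledge of the customer (hypothetical fields)."""
    good_orders: int            # past orders completed without dispute
    chargebacks: int            # past chargebacks on this account
    ship_matches_billing: bool
    order_value: float          # in pounds

def decide(signal: Signal, own: InHouse, review_above: float = 200.0) -> str:
    """Return 'approve', 'decline' or 'review'; thresholds are assumptions."""
    if signal is Signal.RED:
        return "decline"
    if signal is Signal.GREEN:
        return "approve"
    # YELLOW and WHITE both fall back on the retailer's own information.
    if own.chargebacks > 0:
        return "decline"
    trusted = own.good_orders >= 3 and own.ship_matches_billing
    if signal is Signal.YELLOW:
        # A warning from the service: approve only trusted, low-value orders.
        return "approve" if trusted and own.order_value <= review_above else "review"
    # WHITE: no third-party opinion, so the in-house view decides alone.
    if trusted or own.order_value <= review_above:
        return "approve"
    return "review"

def screen_batch(orders):
    """Batch mode: tally decisions for (signal, InHouse) pairs."""
    return Counter(decide(sig, own) for sig, own in orders)

# Constructed sample orders, not real data.
SAMPLE = [
    (Signal.GREEN, InHouse(0, 0, False, 950.0)),
    (Signal.RED, InHouse(12, 0, True, 20.0)),
    (Signal.YELLOW, InHouse(5, 0, True, 80.0)),
    (Signal.YELLOW, InHouse(0, 0, True, 80.0)),
    (Signal.WHITE, InHouse(0, 0, False, 600.0)),
    (Signal.WHITE, InHouse(1, 2, True, 15.0)),
]
```

Running screen_batch(SAMPLE) tallies two approvals, two declines and two manual reviews, which shows how yellow and white results depend entirely on what the retailer already knows.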
The power of analytics
Another piece of technology that can be useful in preventing fraud is analytics. Analytics software can detect anomalies that can indicate fraud even when they are hidden in large quantities of data. This software can uncover attempted fraud by customers, staff and suppliers.
Analytics could also profile fraud across a network of sources so it can calculate the potential risk of a future problem based on even small anomalies in customer data. Such software can be bought from suppliers like SAS, which provides analytics software for retailers to help them optimise their merchandise and customer retention strategies.
The decline in fraud may also be a result of the introduction of the Payment Card Industry Data Security Standard (PCI DSS), which governs how card data must be stored. Visa’s Smith suggests that implementation by retailers of PCI DSS is helping to prevent access to card data by fraudsters. “The one serious challenge is data compromise - the ability for fraudsters to gain access to transmissions and servers,” he says. “PCI DSS is a major part of the solution. It takes time for the whole merchant community to move to PCI compliance...but the benefits are being realised.”
Of course, meeting the onerous requirements of PCI DSS in order to help prevent card fraud is neither quick nor easy for retailers. Whether it is fraud screening tools, 3D Secure, analytics or the technical requirements of PCI DSS such as encryption and wireless network security, there is now a wide range of technology offerings available to help retailers reduce CNP fraud further.
“It’s taken a while to get to grips with new types of fraud such as CNP fraud,” says Richard Allen, principal consultant at Consult Hyperion, an IT consultancy that is focused on securing electronic transactions. Describing what he called “an arms race against the fraudsters”, he comments: “We have to keep introducing technology to combat fraud. 3D Secure has hit fraud dramatically.”
He adds that card readers, where a customer must have the card in their possession in order to purchase online, may help reduce overall fraud further. Devices that generate one-time passcodes for users may also help.
However, Allen says the increasing proliferation of malware such as Trojan horses on consumers’ PCs would ensure upward pressure on the proliferation of fraud. “Technology is certainly an improving topic. I don’t think we can ever say we’ve won until there’s no fraud. Squeezing out that last bit of fraud is the most expensive bit.”