Practical Ecommerce

Credit Card Fraud: How Big Is The Problem?

Reports of website data breaches, identity theft and credit card fraud are increasingly in the news. But is the problem as widespread as the coverage suggests?

Anyone who collects payments or customer information online runs the risk of being targeted by thieves. However, the likelihood of being hit by a virtual shoplifter is statistically on the decline. Meanwhile, industry watchers say that rather than an influx of database hacking, it’s the new breach reporting laws, enacted in many states, which account for the recent surge in reported breach activity.

Indeed, merchants who maintain and regularly update their security procedures for credit-card data and processing seem to mitigate their risks. For now, let’s tackle this question: What is the scope of credit card-related fraud and the subsequent impact on an e-merchant?

In 2000, North American e-merchants lost an average 3.6 percent of their sales to stolen or fraudulent credit cards. In 2007, that figure was down to 1.4 percent, according to the 2008 “Online Fraud Report” by CyberSource, a major credit card payment gateway.

credit card fraud graph

“The industry has never been better at catching fraud while the fraudsters are trying to commit it,” says David Robertson, publisher of The Nilson Report, a bi-monthly newsletter covering the payment services industry. “The good guys have always done a pretty good job staying ahead of the bad guys in the credit card industry, especially since Visa and MasterCard had enough heft in their budget to really pursue credit card fraud.”

But where the credit card issuers have long been lagging is in protecting the online merchant from having to cover illegal charge-card purchases made on their site.

Scope of online merchandise theft

Internet sales have gone up an average 20 percent each year since 2000, according to CyberSource. Even though the percentage of fraud has dropped, the collective value of the products being stolen from North American e-merchants rose from $1.5 billion in 2000 to $3.6 billion in 2007, due in large part to the growth of Internet usage. Surprisingly however, a mere 18 percent of that total is referred to law enforcement via the F.B.I.’s Internet Crime Complaint Center, known as the IC3. What is the median loss per credit-card-fraud compliant? It’s $298, according to the F.B.I. On the upside, of all categories monitored, $298 is the lowest median dollar volume per crime tracked by the IC3.

Outside the U.S., the rate of fraud gets higher. The author of CyberSource’s annual online fraud report, Doug Schwegman, estimates that U. S. merchants reject one in every nine international orders for “suspected fraud.” In 2007, 3.6 percent of the orders U.S. merchants shipped outside of the country were later categorized as fraud, according to Schwegman.

Despite the amount of online fraud, it’s important to note that the total of online credit card fraud is still less than losses due to checking account fraud each year. Moreover, much of what is classified as credit card fraud is often “friendly fraud.” Friendly fraud is when real customers contest a charge – often to get merchandise for free – by claiming that the credit card charge wasn’t authorized. The merchant has to pay back the bank for the order, at least until the investigation is over, and is often levied an additional “chargeback” fee.

“Thirty to 50 percent of chargebacks are from friendly fraud,” says Dan Clements, president of CardCops.com, a Connecticut-based company cataloging online credit card fraud. “These are actual customers who either had a problem with the order or want to get it free.”

Scope of online data breaches

The Privacy Rights Clearinghouse has cataloged more than 800 publicly-reported thefts of personal data held by universities, medical and financial institutions, municipalities, physical retailers and online businesses since 2005. Of those 800+ breached, less than 20 are ecommerce. Translated, fewer than 2 percent of those breach case victims are online merchants.

Additionally, industry analysts say that, even in the event of a breach, there’s a minimal chance that the compromised credit card data will actually be used to make an unauthorized purchase. A late-2007 study by ID Analytics, a San Diego-based identity-scoring technology developer, found less than .5 percent of stolen records are actually used. For breached databases with less than 5,000 customer records, the use rate is one in 200. For breaches with more than 100,000 customer records, the misuse rate is one in 10,000.

For example, in March 2007, 11,500 online consumers had their credit card numbers stolen by a hacker at JohnnysSeeds.com. One year later, the Privacy Rights Clearinghouse reports that only about 20 of those stolen numbers have been used.

Impact on the e-merchant

Unlike face-to-face credit card transactions, where the merchant bank bears the responsibility of covering losses from fraudulently acquired merchandise, “card not present” transactions leave the merchant liable for the cost of that fraud. And the stark reality is that all Internet credit card transactions are “card not present.”

The end result for online retailers is a chargeback: Reversal of the original order amount plus an additional merchant-bank fee of $5 to $35 per transaction. “You are assessed a chargeback fee once the original cardholder reports it to your bank,” says Bob Bokor, president of the magician supply site Abra4magic.com. He says he’s charged $20 or $25 for chargebacks, lower than most small merchants since chargeback fees can be negotiated down with higher sales volumes. He’s been hit with plenty of these as a high-volume merchant, so he’s now hedging his bets: “Credit them back before the customer reports it to the bank and you save the fee,” he says. Sixty-five percent of the 2,000 small to mid-size e-merchants surveyed by preCharge Risk Management Solutions, an international payment processor, in its 2007 “eCommerce Chargeback Report” agree. Rather than contest a chargeback and risk the bank siding with the friendly fraudster, in nearly half of the cases they simply refunded the card the amount of the order. This was done, the merchants reported, to keep their credit card processing rates down and curb chargeback costs.

Across the board, the cost of managing fraud exceeds the cost of fraud itself by as much as 300 percent, according to preCharge’s report. However, that’s a far cry from the millions it could cost merchants who’ve suffered a data breach, according to Darwin Professional Underwriters, an insurance and risk management consulting firm. Its online Data Loss Cost Calculator calculates possible attorney fees, customer notification costs, fines, and the cost of paying for credit monitoring for every one of those customers. The calculator can compute databases such as the 11,500 breached records at JohnnysSeed.com. In that case, it found $1.9 million in potential costs to combat it the breach.

Meanwhile, the cost of mistakenly rejected orders adds up as well: “Those could be good orders you’re throwing away, especially with the dollar the way it is,” says preCharge’s Director of Client Services, Howard Schecter. “As the dollar goes down and the Euro goes up in value…we have merchants who are doing hundreds of legitimate orders internationally now because it will cost a U.K. shopper less in pounds to buy a camera from a U.S. company than buying it where they are.” Incidentally, preCharge guarantees payment to merchants on all sales processed through its secure, Internet-fraud-fighting system.

Though 63 percent of merchants surveyed by preCharge have sold outside the U.S., fewer than 15 percent actively sell internationally; more than 85 percent said they’d actively sell internationally if fraud could be managed properly.

It’s clear that ecommerce merchants face a growing challenge in staying ahead of the new breed of online criminal. “It’s a problem that is never going to go away,” says Clements at CardCops.com. “Crooks are making $3.6 billion off of this every year, and with that much money at stake, they’re going to make sure they can stay at it.”

Jennifer D. Meacham

Jennifer D. Meacham

Bio   •   RSS Feed


email-news-env

Sign up for our email newsletter

Comments ( 3 )

  1. Legacy User April 24, 2008 Reply

    Massive increase in fraud crimes should make the government and banks realise that their data protection and Chip and PIN systems are diverting rather than deterring fraud crimes.

    This shows that fraud will continue to grow until they exploit KEY and PIN system described on website http://www.xwave.co.uk which will deter BOTH identity and card fraud by making signature and PIN systems reliable and foolproof.

    Fake documents have made our signature system unreliable while skimmers and pin-hole cameras etc. have made PIN system unreliable. We have option to make signatures reliable by personalising them with ID stickers and option to use Card Key Code to make PIN system reliable to make use of stolen and skimmed cards meaningless. By ignoring to exploit this system banks are only letting fraud crimes grow.

    ID KEY system will eliminate the need for us to protect our personal and card details since fraudsters will be deterred from misusing these stolen details.

    Proposed ID KEY can be treated as a reliable international ID card because it will personalise signature and PIN number to only the right individuals in any country.

    We hope that the government and banks will appreciate these details and exploit KEY and PIN system before it is too late to stop a fraud boom.

    — *Roger*

  2. Legacy User April 24, 2008 Reply

    You make valid points here Roger. The Association of Payment Clearing Services in London reports that, after adopting the ID Key system, U.K. retailers saw a drop of 11 percent in credit card fraud losses.

    — *Jennifer D. Meacham*

  3. d3systems December 6, 2010 Reply

    As time goes on I think customers will abuse the charge back situation where credit card companies always side with the customer. Over enforcement of credit card charge backs could teach customers that when they by products that can not be easily tracked, like digital media, software, or graphic art, that it is simply to easy to issue a chargeback and get the item for free. In these cases no type of tracking options exist for these merchants and therefore have no way of proving that the item was delivered. Thus the customer gets away free since there is no way for the merchant to prove otherwise.

    The only protection out there is a signature protection module that I installed in my check out lane. When customers enter in their credit card information I require that they sign the page using their mouse creating a unique signature. I then log the signature and in the case of a charge back present that as part of the evidence to fight the fraudulent charge back. Its easy to install and very cost effective, in my case it has paid for itself 10 times over. Check it out at http://securedmark.com