Most every ecommerce merchant has experienced credit card fraud. Credit card companies try to prevent payment fraud, of course, and one — CyberSource — publishes a report on the state of payment fraud each year. CyberSource's chief researcher for that report — called, this year, "2012 Online Fraud Report" — is Doug Schwegman, director of market intelligence.
Practical eCommerce: What is the state of online fraud in 2012?
Doug Schwegman: "Well, we have seen the total dollars lost to fraud go up. Even though the fraud rates haven’t changed much, the [ecommerce] market growth has returned. So that is driving the total losses up.
"We’ve asked this question — for practically the entire thirteen years that we’ve done this survey — which is, 'What percent of your annual online revenues do you lose to payment fraud and payment fraud of all kinds of payment methods that are supported by merchants?' And it did go up a little bit, from like nine-tenths of a percent in 2010 to 1 percent of online revenue in 2011."
PEC: The total dollar of losses went up. And, to confirm, the percentage of fraud losses, to total revenue, also went up?
Schwegman: "Yes. On a revenue basis it went up from 0.9 percent to 1.0 percent. From our perspective, we wouldn’t put a lot of attention on that. I would say it hasn’t changed significantly but the market growth has meant that fraudsters are still getting more in their pockets, in terms of fraud gain."
PEC: Are fraudsters becoming more sophisticated?
Schwegman: "Merchants have shown some improvement in capturing and detecting fraud. We also ask merchants, ‘Is the fraud harder to detect than 12 months ago?’ We ask, ‘Is the fraud cleaner?’ That is, 'Are the fraud attempts and the actual fraudulent orders looking more and more like valid orders so they are harder to tell apart from the valid customers?'
"Fifty-percent of the merchants say the fraud is harder to detect this year than a year ago. And we’ve seen that now for a couple of years. So some of the fraudsters are getting better at what they do and the merchants have been keeping up, for the most part. What we did see, I think, this year is while the percent of revenues lost to fraud stayed relatively stable or went up slightly, the percent of orders that were fraudulent actually fell a little. What that implies is that the dollar value of a fraudulent order went up. When a fraud happens now, it tends to be a bigger dollar amount than in prior years."
PEC: Does PCI compliance help reduce fraudulent orders, under the theory that fewer credit card numbers are getting stolen?
Schwegman: "It certainly helps. There is a lot of ways the payment data gets compromised, such as when you give your card to a waiter or when you are paying your bill at a restaurant. And now with camera phones, they can copy the front and the back of your card very easily with their camera phone. And if you order a drink they can ask for your driver’s license, to check your age and your address where you live, and then they are ready to go online and start using your payment data. None of those are data breaches. PCI is not going to protect from that way of payment data being compromised. But it certainly helps, in terms of better standards of merchants, more secured data."
PEC: The stereotype would be to say that most fraud is generated outside of the U.S. for U.S.-based ecommerce merchants. Is that, in fact, what happens?
Schwegman: "In the fraud report, we look at both domestic, which is orders that are coming from U.S. and Canada, versus merchants that accept orders from outside of the U.S. and Canada. We find about 60 percent of merchants do accept orders from outside the U.S. and Canada. We ask them the fraud rate experience on those two different types of orders, domestic versus international. The international fraud rate is consistently twice as high and in some years three times higher than the domestic fraud rates."