Reports of website data breaches, identity theft and credit card fraud are increasingly in the news. But is the problem as widespread as the coverage suggests?
Anyone who collects payments or customer information online runs the risk of being targeted by thieves. However, the likelihood of being hit by a virtual shoplifter is statistically on the decline. Meanwhile, industry watchers say that rather than an influx of database hacking, it’s the new breach reporting laws, enacted in many states, which account for the recent surge in reported breach activity.
Indeed, merchants who maintain and regularly update their security procedures for credit-card data and processing seem to mitigate their risks. For now, let’s tackle this question: What is the scope of credit card-related fraud and the subsequent impact on an e-merchant?
In 2000, North American e-merchants lost an average of 3.6 percent of their sales to stolen or fraudulent credit cards. In 2007, that figure was down to 1.4 percent, according to the 2008 “Online Fraud Report” by CyberSource, a major credit card payment gateway.
“The industry has never been better at catching fraud while the fraudsters are trying to commit it,” says David Robertson, publisher of The Nilson Report, a bi-monthly newsletter covering the payment services industry. “The good guys have always done a pretty good job staying ahead of the bad guys in the credit card industry, especially since Visa and MasterCard had enough heft in their budget to really pursue credit card fraud.”
But where the credit card issuers have long been lagging is in protecting the online merchant from having to cover illegal charge-card purchases made on their site.
Scope of online merchandise theft
Internet sales have gone up an average of 20 percent each year since 2000, according to CyberSource. Even though the percentage of fraud has dropped, the collective value of the products being stolen from North American e-merchants rose from $1.5 billion in 2000 to $3.6 billion in 2007, due in large part to the growth of Internet usage. Surprisingly, however, a mere 18 percent of that total is referred to law enforcement via the F.B.I.’s Internet Crime Complaint Center, known as the IC3. What is the median loss per credit-card-fraud complaint? It’s $298, according to the F.B.I. On the upside, of all categories monitored, $298 is the lowest median dollar volume per crime tracked by the IC3.
Outside the U.S., the rate of fraud gets higher. The author of CyberSource’s annual online fraud report, Doug Schwegman, estimates that U.S. merchants reject one in every nine international orders for “suspected fraud.” In 2007, 3.6 percent of the orders U.S. merchants shipped outside of the country were later categorized as fraud, according to Schwegman.
Despite the amount of online fraud, it’s important to note that the total of online credit card fraud is still less than losses due to checking account fraud each year. Moreover, much of what is classified as credit card fraud is often “friendly fraud.” Friendly fraud is when real customers contest a charge – often to get merchandise for free – by claiming that the credit card charge wasn’t authorized. The merchant has to pay back the bank for the order, at least until the investigation is over, and is often levied an additional “chargeback” fee.
“Thirty to 50 percent of chargebacks are from friendly fraud,” says Dan Clements, president of CardCops.com, a Connecticut-based company cataloging online credit card fraud. “These are actual customers who either had a problem with the order or want to get it free.”
Scope of online data breaches
The Privacy Rights Clearinghouse has cataloged more than 800 publicly reported thefts of personal data held by universities, medical and financial institutions, municipalities, physical retailers and online businesses since 2005. Of those 800+ breaches, fewer than 20 are ecommerce. Translated, fewer than 2 percent of those breach case victims are online merchants.
Additionally, industry analysts say that, even in the event of a breach, there’s a minimal chance that the compromised credit card data will actually be used to make an unauthorized purchase. A late-2007 study by ID Analytics, a San Diego-based identity-scoring technology developer, found less than 0.5 percent of stolen records are actually used. For breached databases with fewer than 5,000 customer records, the use rate is one in 200. For breaches with more than 100,000 customer records, the misuse rate is one in 10,000.
For example, in March 2007, 11,500 online consumers had their credit card numbers stolen by a hacker at JohnnysSeeds.com. One year later, the Privacy Rights Clearinghouse reports that only about 20 of those stolen numbers have been used.
Impact on the e-merchant
Unlike face-to-face credit card transactions, where the merchant bank bears the responsibility of covering losses from fraudulently acquired merchandise, “card not present” transactions leave the merchant liable for the cost of that fraud. And the stark reality is that all Internet credit card transactions are “card not present.”
The end result for online retailers is a chargeback: Reversal of the original order amount plus an additional merchant-bank fee of $5 to $35 per transaction. “You are assessed a chargeback fee once the original cardholder reports it to your bank,” says Bob Bokor, president of the magician supply site Abra4magic.com. He says he’s charged $20 or $25 for chargebacks, lower than most small merchants since chargeback fees can be negotiated down with higher sales volumes. He’s been hit with plenty of these as a high-volume merchant, so he’s now hedging his bets: “Credit them back before the customer reports it to the bank and you save the fee,” he says. Sixty-five percent of the 2,000 small to mid-size e-merchants surveyed by preCharge Risk Management Solutions, an international payment processor, in its 2007 “eCommerce Chargeback Report” agree. Rather than contest a chargeback and risk the bank siding with the friendly fraudster, in nearly half of the cases they simply refunded the card the amount of the order. This was done, the merchants reported, to keep their credit card processing rates down and curb chargeback costs.
Across the board, the cost of managing fraud exceeds the cost of fraud itself by as much as 300 percent, according to preCharge’s report. However, that’s a far cry from the millions it could cost merchants who’ve suffered a data breach, according to Darwin Professional Underwriters, an insurance and risk management consulting firm. Its online Data Loss Cost Calculator calculates possible attorney fees, customer notification costs, fines, and the cost of paying for credit monitoring for every one of those customers. The calculator can be run on a breach such as the 11,500 records stolen at JohnnysSeeds.com. In that case, it found $1.9 million in potential costs to combat the breach.
Meanwhile, the cost of mistakenly rejected orders adds up as well: “Those could be good orders you’re throwing away, especially with the dollar the way it is,” says preCharge’s Director of Client Services, Howard Schecter. “As the dollar goes down and the Euro goes up in value…we have merchants who are doing hundreds of legitimate orders internationally now because it will cost a U.K. shopper less in pounds to buy a camera from a U.S. company than buying it where they are.” Incidentally, preCharge guarantees payment to merchants on all sales processed through its secure, Internet-fraud-fighting system.
Though 63 percent of merchants surveyed by preCharge have sold outside the U.S., fewer than 15 percent actively sell internationally; more than 85 percent said they’d actively sell internationally if fraud could be managed properly.
It’s clear that ecommerce merchants face a growing challenge in staying ahead of the new breed of online criminal. “It’s a problem that is never going to go away,” says Clements at CardCops.com. “Crooks are making $3.6 billion off of this every year, and with that much money at stake, they’re going to make sure they can stay at it.”