Most every ecommerce merchant has experienced credit card fraud. Credit card companies try to prevent payment fraud, of course, and one — CyberSource — publishes a report on the state of payment fraud each year. CyberSource’s chief researcher for that report — called, this year, “2012 Online Fraud Report” — is Doug Schwegman, director of market intelligence.
Practical eCommerce: What is the state of online fraud in 2012?
Doug Schwegman: “Well, we have seen the total dollars lost to fraud go up. Even though the fraud rates haven’t changed much, the [ecommerce] market growth has returned. So that is driving the total losses up.
“We’ve asked this question — for practically the entire thirteen years that we’ve done this survey — which is, ‘What percent of your annual online revenues do you lose to payment fraud and payment fraud of all kinds of payment methods that are supported by merchants?’ And it did go up a little bit, from like nine-tenths of a percent in 2010 to 1 percent of online revenue in 2011.”
PEC: The total dollar of losses went up. And, to confirm, the percentage of fraud losses, to total revenue, also went up?
Schwegman: “Yes. On a revenue basis it went up from 0.9 percent to 1.0 percent. From our perspective, we wouldn’t put a lot of attention on that. I would say it hasn’t changed significantly but the market growth has meant that fraudsters are still getting more in their pockets, in terms of fraud gain.”
PEC: Are fraudsters becoming more sophisticated?
Schwegman: “Merchants have shown some improvement in capturing and detecting fraud. We also ask merchants, ‘Is the fraud harder to detect than 12 months ago?’ We ask, ‘Is the fraud cleaner?’ That is, ‘Are the fraud attempts and the actual fraudulent orders looking more and more like valid orders so they are harder to tell apart from the valid customers?’
“Fifty-percent of the merchants say the fraud is harder to detect this year than a year ago. And we’ve seen that now for a couple of years. So some of the fraudsters are getting better at what they do and the merchants have been keeping up, for the most part. What we did see, I think, this year is while the percent of revenues lost to fraud stayed relatively stable or went up slightly, the percent of orders that were fraudulent actually fell a little. What that implies is that the dollar value of a fraudulent order went up. When a fraud happens now, it tends to be a bigger dollar amount than in prior years.”
PEC: Does PCI compliance help reduce fraudulent orders, under the theory that fewer credit card numbers are getting stolen?
Schwegman: “It certainly helps. There is a lot of ways the payment data gets compromised, such as when you give your card to a waiter or when you are paying your bill at a restaurant. And now with camera phones, they can copy the front and the back of your card very easily with their camera phone. And if you order a drink they can ask for your driver’s license, to check your age and your address where you live, and then they are ready to go online and start using your payment data. None of those are data breaches. PCI is not going to protect from that way of payment data being compromised. But it certainly helps, in terms of better standards of merchants, more secured data.”
PEC: The stereotype would be to say that most fraud is generated outside of the U.S. for U.S.-based ecommerce merchants. Is that, in fact, what happens?
Schwegman: “In the fraud report, we look at both domestic, which is orders that are coming from U.S. and Canada, versus merchants that accept orders from outside of the U.S. and Canada. We find about 60 percent of merchants do accept orders from outside the U.S. and Canada. We ask them the fraud rate experience on those two different types of orders, domestic versus international. The international fraud rate is consistently twice as high and in some years three times higher than the domestic fraud rates.”
PEC: Your report addresses automated screening tools that merchants use to detect fraudulent orders. How have those tools evolved to keep up with increasingly sophisticated criminals?
Schwegman: “A lot of new technologies are on the market now. Device fingerprinting is one of them. There’s a lot of data in an Internet session: browser type, language type — lots of different kinds of data. From those data elements, during the session, you can develop a fingerprint that can be pretty consistent at recognizing the device that that session is coming from. You can begin to see that the same device has placed an order with five people with different payment data in the last hour and that is probably something to look at. So, device fingerprinting is very popular among merchants.
“There are other things, like website behavior analysis. This is the fact that a fraudster is going to navigate your website differently, typically, from a valid customer. Partly because a lot of the fraudsters are highly automated so they are using botnets and programs they’ve written to quickly place items in the shopping cart to complete a checkout because they don’t want to spend time doing it manually if they don’t have to. The website behavior analysis tools will allow you to identify, for example, that most people don’t put six items in their shopping cart in under one second.”
PEC: Let’s change directions and discuss a fraud-prevention strategy for smaller merchants. What should a fraud detection strategy be?
Schwegman: “What might surprise the small businesses is that fraud detection tools are fairly accessible. You can get multi-merchant data and fraud patterns by subscribing to a service that is offered to small businesses. It might be $10.00 per month to give you a risk score on something. It brings to the top of the pile the two or three orders that you want to spend some time looking at.
“Authorize.Net has a fraud protection service that many merchants subscribe to. But if you don’t want to do that, the first place to start, as a minimum, would be to take advantage of the fraud tools and services that the card associations offer. American Express, MasterCard, and Visa all have things like payer authentication that you can enroll in and, on the website, if the card is enrolled in that then the cardholder has to validate the purchase with a password. And really we don’t see big impacts on shopping cart abandonment here. I think the consumers are impressed that you’ve gone to the trouble to provide extra security for their shopping experience and that gives them confidence.
“Some tools have been around for some time, like address validation system — AVS. That is where, in real time, it is checking the cardholder’s billing address on file with the issuing bank and see if it matches the address information they’ve provided to you. It is really only checking the numeric data in the address field. It will tell you whether it matches to what the bank has on file or not. If it says no, then it just means that you’ve got to look a little more carefully at that order.
“The last thing that most merchants are doing now, as a standard, that wasn’t true six to seven years ago, is collecting the three digit security code on the back of a card — sometimes they are on the front of the card.”
PEC: Anything else on your mind for our readers in regards to payment fraud?
Schwegman: “The thing that is popular at the moment is the emergence of the mobile order channel. People using their mobile devices to shop online. That is presenting new challenges to merchants because that’s a different set of data you’ve got to look at. Some of the data that you are familiar with may not be available to you and other new data may.
“In terms of managing fraud, it is very nascent, very new. No one really knows exactly how to approach it. We have found, as described in the fraud report, that 92 percent of the merchants do not currently track the fraud on their mobile orders. It is an emerging channel. I suspect fraudsters like these kind of things, high growth areas where they can probe for weaknesses. Merchants should keep that in mind if they are going down the mobile route.”