Most every ecommerce merchant has experienced credit card fraud. But fraud-prevention efforts can vary greatly from merchant to merchant. Cybersource, the payment gateway company, tracks online credit card fraud activity, and for 11 years it has assembled a free, downloadable report called “Online Payment Fraud Trends, Merchant Practices and Benchmarks.” To learn more about current levels of credit card fraud, we recently spoke with the report’s architect and author, Doug Schwegman, director of customer and market intelligence for Cybersource.
PeC: What is the state of online credit card fraud in the U.S. from the perspective of ecommerce merchants?
Doug Schwegman: “Interestingly, we’ve actually seen some improvements over the past two years, particularly in a lower percentage of orders that are being rejected due to suspicion of fraud. Merchants are getting better at separating out the good orders from the more suspicious orders and accepting more orders, and that’s important as the economy slows down.
“In 2009 we saw a drop in the total amount of fraud losses, and that’s really the first drop we’ve since about 2003. So, there’s good progress to report.”
PeC: According to your report, both the percentage of revenue and the absolute raw dollars dropped in 2009. Is that correct?
Schwegman: “That’s right. We have seen a lot of stability in the percent of revenues lost to fraud over the last few years, but last year we did see a small drop, which was encouraging. And as a result of that, and slower ecommerce growth, the total dollars lost to fraud dropped a little bit last year.”
PeC: Why do you think that is?
Schwegman: “We don’t have any hard data from the survey, but we do have some theories about it. One, as merchants get more online experience, they get better at managing fraud and reducing their fraud rate. Just having another year under your belt helps all the merchants manage the problem better.
“The other factor is that slower growth in online sales last year gave merchants a chance to catch their breath, and it gave them more time to review orders and improve their fraud management process. We think that’s what led to the positive trend last year.”
PeC: What would you estimate is the percentage of online orders that are manually reviewed?
Schwegman: “Twenty-five percent is the average across all sizes of merchants. Some merchants are reviewing even higher percentages and some of the larger merchants can get it down, through automation, to 10 percent or less in some cases.
“Generally speaking, smaller merchants are reviewing a lot of orders. That’s what they rely on to defend against fraud, trying to contact the customer, for example, either by email or phone to make sure they place the order. Historically, this percentage hasn’t changed very much.
“Half the fraud management budgets are spent on manual review, so there’s a lot of money invested, and it’s important to try and streamline that process as much as possible.
“The point is you can do better than 25 percent. You’ve probably got to invest in some better tools on automation to really do that, but it is possible to do better.”
PeC: What are some of the variables that will initiate a manual review?
Schwegman: “It varies a lot by type of merchant, and we find that the merchants that really manage fraud well are tuning their process and systems to their own business. Some merchants will keep a list of good customers and addresses, and many merchants keep a list of bad addresses where they’ve had fraud losses, and so just looking at the address is one flag.
“There are a lot of free services available through the credit card authentication process, like address verification service, that store up various flags, like whether the billing and the shipping address matches what the bank has on file. There are a lot of different flags you can set to flag an order for further review. Many, many different variables can be looked at.”
PeC: What are the principal types of credit card fraud in your report?
Schwegman: “There are two main categories of fraud we hear about. There’s the fraud that criminals perpetrate either individually or as organized crime, and the other category goes by the moniker ‘friendly fraud.’ That’s where a cardholder has repudiated that they’ve authorized the purchase; perhaps someone else in their family made the purchase and they say it wasn’t authorized. Or, they’ll claim they haven’t received the goods. But, in many cases, you can claim back those fraud claims if you can prove through your common carrier that the goods were signed for and delivered.
“It’s very difficult to separate out exactly how much is friendly fraud and how much is organized fraud, but it is significant and for some merchants it can be quite high.”
PeC: Let’s assume a merchant has $500,000 in annual revenue and a pretty tight profit percentage. With that small of a business, what should his or her credit-card-fraud-prevention budget be, in your view?
Schwegman: “That’s a question we get asked a lot by merchants and it’s very dependent on the type of goods they’re selling online. If you’re looking at merchants selling $500,000 or less in annual online sales, but they’re selling a high-risk category like consumer electronics, we would see probably an average around 1 percent being spent. That would include some manual review cost, as well. But, probably about 60 percent of merchants in that size category say they don’t spend any money on managing fraud, even though you can get entry level tools very cheaply, maybe for $100 to $200 a year, to help manage the problem.
“We also see in this category that 15 percent of merchants say they’re spending over 1 percent of their revenues. Again, they might have larger profit margins to be able to afford that. We see that the amount people spend depends a lot on their gross profit margin. If they have narrow gross profit margin and their cost of goods are high, then one fraud loss means that they have to sell ten valid orders to make up for the one loss. Merchants reject a lot of orders just on the fear they might be fraudulent because one loss will cost them so much and they have to make so many good sales to make up for it. So, we tend to see higher order rejection rates in those areas, but 1 percent would not be unusual for this type of scenario for a merchant to invest in managing fraud, and that includes all costs associated with managing the problem. I should also mention that as you go up in size, the ratio comes down pretty quickly.”
PeC: Do the various payment gateways share credit card fraud information with each other?
Schwegman: “There are quite a few laws and regulations around payment processing and these laws (basically privacy laws and other laws) really prohibit us from sharing any information we receive with third parties. However, we can use the data we get from our merchants’ base, which is nearly 300,000 merchants, and we processed over $120 billion in online payments last year for ecommerce. We can look at that data to tune our systems and see where a stolen card may have been used at one merchant just a few minutes ago versus another merchant. So, even though we can’t share between gateway providers or processors, we can look at our data pool.”
PeC: Anything else on your mind for our readers relating to credit card fraud?
Schwegman: “Even if you don’t have a lot of fraud problems today, you should start thinking about building out your fraud management process and system. It’s kind of like firefighting. It’s better to put the smoke detectors in your house before the fire breaks out because it’s a lot more expensive and difficult to put the fire out than to just put some basic prevention methods in place.
“You’ve got some pretty good tools, like address verification service (AVS), and the three digits on the back of the card, the card verification number (CVN), offered by the card associations or as part of what you pay for when you do a credit card authorization. They provide data that can help you defend against fraud, and you should take advantage of that.
“And, some of entry-level solutions are not that expensive. For $10 a month, for example, we provide fraud-screening tools to merchants to help manage fraud. We do consistently see, as merchants grow their business, there comes a point (especially if you’re selling anything that is desirable in terms of goods or easy to resell on the black market) where all of a sudden you pop up on the fraud radar screen. And you can get hit very quickly, almost overnight, with a lot of fraud charge backs and fraud problems once you’ve been targeted. So, it’s good to think about it ahead of time and put some basics in place before that happens to you.”