To maximize profits, Web merchants must block fraudulent orders while resolving "false-positive" transactions that initially appear suspect. How can merchants and acquirers separate the bad from the merely ugly?
There's no doubt fraud is a major problem for Web merchants. Gartner Research found that online merchants lost about 1% of sales revenue last year due to fraud, a loss rate 15 times higher than that of their card-present colleagues.
The Internet Fraud Complaint Center reports that it referred 48,252 fraud-related complaints to prosecutors in 2002, three times the referrals for 2001.
Identity-theft complaints have risen 238% since 2000, according to the Federal Trade Commission. When ID theft crimes occurred last year, the victim's information was used to commit credit card fraud in 42% of the cases.
Online merchants and their acquirers have been scrambling to build antifraud walls against the bad guys. Catering to this need are the vendors of fraud-fighting systems, those sophisticated software programs and gigantic databases of consumer information.
But as vigilance rises, so too does the incidence of a "false positive" where the merchant refuses an order with the appearance of fraud. Judging a book by its cover can be a mistake because most of those orders are fine. That means some good sales are being lost and customers inconvenienced.
The top 25 online merchants predicted to Gartner last year that during the 2002 holiday season they would reject $315 million in sales because the purchase looked fraudulent. About 6% of online consumer purchase requests are rejected because they appear suspicious, Gartner has found. Roughly one-third of the rejected sales, or 2% of total sales, are mistakenly rejected, the researcher estimates.
"False positive is an unfortunate by-product of employing stringent fraud-fighting systems," says Roy Banks, general manager at Authorize.Net, a payments gateway that offers several fraud-fighting programs. "You can be too risk averse."
There's no magic potion for curing the false-positive problem. Merchants and their acquirers must find the antifraud system that works best in their product arena and for the types of consumers they attract, says Ariana-Michele Moore, senior analyst at Boston-based payments researcher Celent Communications.
The major vendors of fraud-fighting tools for Web merchant acquirers and their clients usually include some program designed to address false positives.
Many large issuers and acquirers use Fair Isaac Corp.'s Falcon Fraud Manager, a neural network that builds profiles of cardholder behavior by reviewing billions of transaction records. San Rafael, Calif.-based Fair Isaac conducts risk analysis and predictive modeling.
Falcon also provides rules management, where orders are flagged if they meet predetermined criteria. Commonly watched factors include the dollar value of the transaction, the address of the purchaser and her Internet service provider (ISP), the frequency of purchases, and the time of purchase. In June, Fair Isaac introduced its Strategy Science for Fraud Referral package specifically designed to address false positives.
As an order is reviewed, it receives points for each indicator of fraudulent behavior. Fair Isaac uses a zero to 1,000 ranking, with 1,000 signifying the greatest risk. Typically, the card issuer will determine a cut-off number for accepting or declining an authorization.
Fair Isaac also calculates a false-positive rate for all transactions, says Stephen Platt, vice president, fraud analytics. For instance, if a merchant receives 16 orders with a risky 800 score, and one order has strong fraud indications, the false-positive ratio is 15 to 1, says Platt. The same merchant may receive 40 orders in the 600-score range, and only one of them looks shady. Those transactions earn a 39-to-1 false-positive ratio.
A merchant with a high-margin product probably won't mind losing one sale out of every 40 because it was falsely judged to be fraudulent. But a merchant with a low-margin product will probably want a higher false-positive ratio because she can't afford any fraud, says Platt.
"If your margin on a $1,000 item is 1%, you're only making $10 on each sale. But you could lose $1,000 for each fraudulent transaction," says Platt.
That's why merchants and their acquirers must balance carefully and find a false-positive ratio that works best for them, he says.
The focus for American Fork, Utah-based Authorize.Net is the 80,000 merchants that send orders into its gateway platform. Its system authenticates the merchant, ensuring that no hackers are piggybacking on the retailer to sneak into the processing network.
"Many (merchant) integration protocols are now dated and the hackers know how to break in," says Banks.
Authorize.Net markets its systems through merchant acquirers and independent sales organizations. The cost to an acquirer per authorized 'Net account is $99 for a one-time set up, a $10 a month fee, and 5 cents a transaction, according to Banks.
Authorize.Net integrates cardholder-verification data and will sell Fair Isaac's Fraud Screen for $20 a month and 20 cents a transaction, says Banks. "We are a virtual point-of-sale device," says Banks. "Instead of swiping, you enter card information digitally."
False positives and their opposites, false negatives, can be reduced by using tools that check every aspect of every transaction, says Victor Dolcourt, senior product manager for Mountain View, Calif.-based risk-control system vendor CyberSource Corp. CyberSource markets its Advance Fraud Screen system, which among other things, uses account numbers on the cards combined with the information the purchaser inputs at the online point of sale.
CyberSource reviews another 150 factors such as the consumer's shipping address, billing address, transaction value, and the number of recent transactions with the card. CyberSource uses a 100-point scale with 100 indicating the highest risk.
"A merchant may automatically process anything with a score of zero to 40, send those between 40 and 60 for manual review, and deny anything over 60," says Dolcourt.
An average CyberSource merchant runs $5.1 million in annual online sales, but the firm has been expanding into smaller merchants. It signed a master reseller agreement with First Data Corp. to use the sales forces of the Greenwood Village, Colo.-based payments giant and its merchant-acquiring bank clients to sell its systems to their merchant clients.
Below are brief descriptions of some other antifraud systems.
* Retail Decisions and its U.S. group, ReD U.S., markets its risk-management service for card-not-present transactions under the name ebitGuard. ReD began 16 years ago with systems monitoring credit card phone transactions. Its Web programs include a neural scoring system that also includes rules-based features.
ReD will customize ebitGuard to reduce online fraud rates to as low as 45 basis points though that means the merchant will increase the false-positive rate, says Jeff Foster, executive vice president. All potential transactions are matched against a database of 75 million files that contain a fraud indicator. ReD also will build a custom file for a merchant that can monitor 8,000 indicators.
ReD claims ebitGuard pays for itself because it reduces the need for manual review of orders by customer-service reps by as much as 66%.
An initial risk assessment and set-up can cost between $25,000 to $250,000 depending on the size of the e-tailer, the overall complexity of the job, the client's product or industry, and other factors. Once a system is installed, ReD will charge a per transaction fee, with rates ranging from 9 cents to 17 cents, depending on volume.
* VeriSign Inc. targets the small to mid-size market with a four-part, online fraud-fighting package. A basic service with filters that check the seven major indicators of a fraudulent transaction costs $19.95 a month and five cents per transaction. An advanced service that checks 20 fraud indicators costs $49.95 a month and 10 cents per transaction. Merchants can add a buyer-authentication service for $9.95 a month that checks if the cardholder is enrolled in either Verified by Visa or MasterCard SecureCode, the card associations' authentication programs. And an account-monitoring service for $29.95 a month will review a merchant's sales, looking for buying spikes and other unusual activity.
* Clear Commerce Corp. markets to larger merchants. The Austin, Texas-based firm builds a customized rules-based, scoring system for each transaction. It reviews millions of transactions, checking chargebacks, and other order attributes. One particular concern is the Internet service provider's address, according to a spokesperson.
"If the (ISP is) in Rumania, the order ships to New York and the cardholder is in Illinois, that's suspicious," the spokesperson says.
Clear Commerce offers a customizable software licensing deal for merchants starting at $50,000 annually. A perpetual license package designed for merchant acquirers starts at $90,000. That deal also comes with an annual maintenance fee.
* Card processor Total System Services Inc. (TSYS) markets a fraud-fighting system dubbed Card Guard to issuers. CardGuard customers can select from a buffet-style package that includes Falcon and Retail Decisions Inc.'s Prism card issuer fraud-detection system. CardGuard also provides Visa International's Cardholder Information Security Program (CISP) and MasterCard International's RiskFinder, a neural-network built with HNC Software Inc., which Fair Isaac bought last year.
"Issuers can choose one or a combination. They can select the statistical score from MasterCard or build a super score" from the vendors, says Ronald B. "Skeet" Rolling, director of business systems.
TSYS added in April a notification feature that flags orders that fall outside a cardholder's normal transaction behavior. The cardholder is either called or e-mailed immediately. He has the option to confirm the transaction, send it to a family member that may have made the purchase, or call a customer-service representative.
Merchants and acquirers need to be thinking over the best way to control fraud while ensuring they don't turn away any good orders. It won't be long until the holiday season, the six weeks starting around Thanksgiving, when 30% of all retail Web business is done. Finding the right system now could mean a happy New Year.
Authoritative analysis and perspective for every segment of the payments industry
Authoritative analysis and perspective for every segment of the industry
Have an account? Sign In