This may be the best strategy to reduce online fraud risk

RMA Journal, The, Oct, 2004 by Stephan Barney

Fraud losses continue to plague online retailers, even though some recent statistics suggest that the tide is turning. A new study by Experian fraud analysts explores an innovative new data enhancement strategy to help make mitigating fraud risk a reality.

On the face of it, online fraud appears to be declining--at a limited rate. Charge-backs due to fraudulent activity decreased in 2003, according to the Merchant Risk Council (MRC), a nonprofit membership organization that works to protect and encourage secure online commerce for merchants and consumers. In the MRC's 2003 member survey, only 10% of respondents reported fraudulent charge-back rates greater than 1%, compared to 18% of respondents in 2002. However, the MRC survey also reported that, in general, merchants are spending higher rates of their revenue on fraud prevention, with 17% of merchants spending greater than 2% on fraud prevention in 2003, versus 13% of merchants in 2002.

More at Stake

In actual dollars, fraud losses are growing as the volume of business conducted online continues to increase dramatically. Online consumer purchases were up 25-30% in 2003 (U.S. Department of Commerce) and are expected to rise at a similar pace for the next several years.

Online fraud also imposes hidden costs that go well beyond actual dollars charged back. Revenue is lost when legitimate orders are turned away because they look suspicious and can't be quickly verified. Manual review rates are trending up, tying up staff time and delaying shipping--a particularly unwieldy dilemma for large merchants. And now, tighter restrictions by some credit card issuers are adding new pressure to reduce charge-backs and avoid penalties.

A Dearth of Useful Information

Online merchants face two concurrent challenges in fighting fraud. First, they typically rely on a limited amount of internal and order information that is not always effective in detecting fraudulent transactions. For example, the information provided in an online order is usually limited to name, address, phone number, and credit card number, and a merchant's internal database may only tell them if the customer has previously ordered from the site. Second, cyber criminals are growing increasingly sophisticated in their efforts to exploit the vulnerabilities of card-not-present (CNP) transactions.

Could new sources of real-time, automated data put the power back into retailers' hands? That's the question Experian fraud analysts addressed in a recent study, Optimizing Data Sources to Prevent Online Credit Card Fraud. This groundbreaking analysis reveals that the best defense against CNP fraud is to incorporate external data into the fraud detection and decisioning process. For example, do the name and addresses that are being supplied seem to be a valid combination? Are any of the addresses high risk, such as mail-box stores, hospitals, libraries, prisons, or freight-forwarding companies--the types of addresses typically used by fraudsters? Does the consumer own the card that is being used? Has the consumer activated fraud alerts?

Bear in mind that from a regulatory perspective, using data for identity verification and fraud detection is much different from using data to make a credit decision. Merchants are not extending credit, only ensuring that the requested transaction is legitimate and that customers are who they say they are and live where the merchandise is being shipped.

Many merchants don't reach for data beyond their own walls to determine the legitimacy of the most basic information supplied by the consumer. But CNP merchants need to ensure that the consumers they're dealing with are who they say they are and that they are providing legitimate information. They have to be sure that all of the different pieces of customer ID and other data are in sync. When pieces are missing, incorrect, or don't match the database during the authentication process, there's a much higher probability that the transaction is fraudulent--this has been proven.

Typically, online merchants rely on front-end information to identify potential fraud by checking:

* Order data, such as name, address, shipping priority, and bill-to versus ship-to address.

* Credit card data, such as card verification number (CVN) match and stolen-card lists.

* Internal positive and negative databases.

These simple checks are most effective for customers who have previously shopped at the merchant's site. However, for a new customer or a repeat customer using a different billing address, it's difficult to make a judgment call without looking at external data. Otherwise, even with high manual review rates, many orders will be turned away because of insufficient decisioning information.

Combining Internal and External Data

The Experian study focused on actual transaction data from two major online retailers. The companies' internal and order data were combined with predictive external attributes to determine an optimal fraud prevention strategy.

Statistical tools were used to help identify the most predictive set of internal and external data attributes and to combine them to create several "risk-based" segments. These individual segments displayed varying fraud rates. Some were seen to predict high numbers of fraud accounts with low false positives, while others were seen to predict high levels of genuine transactions with low fraud volume. The individual segments were then ranked in order of overall fraud detection rates from best to worst.