Choke Point: Preventing Credit Card Fraud

In the struggle to prevent fraudsters from turning stolen credit cards into cash online, retailers are the country's last, best defense

After a customer loads up an online shopping cart, after he hands over a credit card number and a shipping address, after he hits the "buy" button—after all that, there is a moment of truth that has profound implications for the U.S. economy. That is the moment when the retailer decides whether or not to ship the order.

Just because the bank approves a credit card doesn't mean it's not stolen. Millions of compromised credit cards are in circulation, and many won't be replaced until they are known to have been misused. With law enforcement overwhelmed by the problem, e-commerce merchants—not the credit card associations, not the banks—are often the ones left holding the empty bag. Therefore, they must make a snap judgment about each order and suffer the consequences.

This is the choke point. Choose wrong, and the retailer loses either a legitimate sale or the merchandise and the transaction fee. "You stick your neck out every time you ship something out without [getting] an imprint and signature," says Joe Williams, CSO of the high-end retailer Sharper Image, which had $250 million of revenue in card-not-present transactions (comprising Internet, telephone and mail orders) in 2004.

Choose well, and the retailer has saved itself money and played a vital role in the fight against crime. Credit card fraud, as one vendor puts it, "is how criminals go to the bank." Says Ted Crooks, VP of global fraud solutions for Fair Isaac, a decision-management consultant and software vendor, "The most serious fraud is the place criminals surface in the legitimate economy. Fraud is the best"—meaning the least nefarious—"thing they do every day."

According to a survey by CyberSource, an antifraud service provider, companies lose about 1.6 percent of online revenue to fraud. To keep that number down, retailers are turning to an increasingly sophisticated and automated set of fraud-prevention controls. "During the first few years of the e-commerce boom, many merchants were willing just to get the sale at the expense of increased fraud," says René Pelegero, former director of global payments for turned consultant. "Over the last two or three years, the tide has begun to turn."

But there is another sea change that e-commerce merchants would like to happen, and that is in the risk-sharing system with credit card issuers. Merchants fervently want not only to prevent fraud but also to transfer some of the liability onto the credit card associations and banks, as brick-and-mortar retailers have done. The credit card industry says it is addressing those concerns with programs like Verified by Visa and MasterCard's SecureCode, but adoption by retailers has been slow. (The Payment Card Industry Data Security Standard, an issue that has received attention lately, is a different program intended to make merchants improve their security by using standardized background checks, data encryption and other methods.)

All the while, online credit card fraud continues its inexorable rise, with the CyberSource study pinning 2005 losses at $2.8 billion, 8 percent more than the year before.

A Legacy of Tension

Merchants have never exactly had a harmonious relationship with the credit card associations and their member banks, the ones who put plastic into the hands of millions of Americans. With transactions done in the physical world, though, at least everyone understood the game. The retailer agreed to look at each card and get a signature. If a cardholder reported that a charge was fraudulent, the bank issued what's known as a "chargeback"—essentially, the bank took back the money and gave it to the cardholder. If the merchant then submitted the cardholder's signature, the merchant didn't have to pay the chargeback. It was the bank's problem.

If merchants didn't follow the rules or racked up too many chargebacks, the card associations could ban them from accepting credit cards. But if merchants weren't happy with the card associations' rules, they could stop accepting credit cards.

Then came the Internet. Suddenly, the number of card-not-present transactions—once the domain of catalog retailers—shot upward to a point where, this past Christmas season, Visa reported that about 10 percent of all spending on Visa cards was for online purchases. The problem is, accepting a credit card online is riskier than accepting one in person. Merchants have no good way of verifying that the person holding the card is the person who actually owns the card. They can't get a regular signature, and they are leery of introducing anything into the checkout process that slows down the transaction.

As a result, e-commerce merchants must accept liability for fraudulent purchases. There's no disputing the chargeback.

Proponents of the merchants' view say the charges are extreme. "If a merchant ships the [fraudulent] order, they lose merchandise, lose the transaction fee, lose the shipping fee and get a chargeback fee," says Dan Clements, CEO of CardCops, which monitors the Internet for stolen credit card numbers on behalf of both merchants and individuals. "They lose, lose, lose, lose, and the issuing bank and the acquiring bank split the chargeback fee as revenue."

To be fair, banks devote substantial resources to monitoring accounts for suspicious activity and blocking fraudulent charges (although they are loath to discuss it). But merchants know their customers and products better than anyone and are therefore in an excellent position to spot suspicious orders before a pattern of misuse on an individual account occurs. This means that merchants who do business online are being forced to invest in antifraud defenses—both technological and human—like they've never had to before.

Fraud Prevention 101

Whether or not the customer understands it, the majority of online transactions include two basic antifraud measures. The first confirms the billing address; the second tries to verify the physical presence of the credit card.

The billing address is used for the address verification service (AVS), which allows a merchant to find out whether the billing address provided by the customer matches the one in the bank's records. Although the method isn't perfect, 75 percent of online retailers use it, making it the most widely used tool, according to the CyberSource study.

For physical confirmation, retailers often ask for the card verification number (CVN, sometimes called CID or CVV). This is a three- or four-digit code that's printed on the credit card but not included in any correspondence or on the card's magnetic stripe. By the end of 2006, CyberSource projects that this method will be nearly as prevalent as address verification.

Tracy Brown, cochairwoman of the Merchant Risk Council, a trade group founded to help retailers control fraud, says that CVN was an attempt to move online credit card transactions from single-factor to dual-factor authentication. "The concept was that maybe you got my credit card number from a database, or you stole my billing statement, but the CID or CVV weren't stored in those places," says Brown, who is director of information security for American Eagle Outfitters. That meant that online credit card transactions required not just something the customer knew (the credit card number) but also something she had (the actual credit card).

The problem, Brown says, is that this method isn't really dual-factor authentication. "Just because you have two [types of information] doesn't make it dual-factor. It's the same method: It's information that you type into a system that's stored in a database somewhere. Any kind of single-factor authentication is going to have a shelf life before it's compromised."

That's just what has happened. In fact, if ever there were an example of how a 10-foot fence just inspires criminals to build an 11-foot ladder, this is it. Crooks are adopting CVN as quickly as merchants. CardCops' Clements says that now when he sees thieves advertising stolen credit cards with "full information," it means the information includes not only the cardholder name, billing address, credit card number and expiration date, but also the CVN.

How do the fraudsters get the information? Some phishing schemes ask for it. Also, despite rules that prohibit merchants from storing the number, some have, making security breaches all the more damaging. Experts also fear that fraudsters are figuring out CVNs by brute force or, worse, reverse engineering them.

"If you have enough cards and enough computing power, it's not tremendously difficult to figure out what the algorithm is," says Pelegero, the former executive who is now president and managing director of Retail Payments Global Consulting Group. "If I have 100 cards from the First Bank of Nowhere with the valid CVN, I can figure out how to generate additional CVNs."

All of which is why credit card fraud prevention is much more complicated than the streamlined checkout process would indicate.

Advanced Transaction Studies

Every day, thousands of people log onto the site of ShopNBC, the fast-growing jewelry and electronics merchant that brought in about $127 million in sales for parent Valuevision Media in 2004. Joan Radtke, director of credit, wants to make sure that once customers fill up their carts, the checkout process is efficient. But Radtke also wants to ensure that the incoming fraud rate, which she says is near the industry average (about 3 percent or so, according to CyberSource), doesn't result in an unacceptable chargeback rate. (Rates under 1 percent are generally considered acceptable, although standards vary depending on the retailer's industry.) So after the customer completes her order, ShopNBC's homegrown systems kick in to evaluate the order for suspicious behavior.

Radtke's is a typical toolbox, with several outside sources providing information. If there is a legally permissible reason to suspect fraud, the company can check customer information with one of the credit bureaus to find out, for instance, if the customer has put a fraud alert on her account. The company can also check against public records compiled by LexisNexis. (Is the customer listed as deceased? Not a promising sign.) And the company can check against a database from the U.S. Postal Inspection Service that contains addresses involved with fraudulent activity. ShopNBC also has its own tools for catching anomalous behavior, such as IP geolocation. If the IP address of the computer on which the order was placed is not geographically near either the shipping or mailing address, the order may be suspicious. "This particular rule helps with foreign fraud," Radtke says.

In fact, fraud originating from outside the United States is such a problem that, according to Joseph LaRocca of the National Retail Federation, many merchants have implemented rules not to ship to certain countries or do transactions with individuals from certain countries. ShopNBC ships orders only within the United States, eliminating the need for country-based rules.

Another common tool that ShopNBC uses is what's known as "velocity checking": looking for multiple orders that share common characteristics, such as shipping address, e-mail address or geolocation. Merchants don't divulge many details about their velocity checks, but the concept is simple. Explains LaRocca, who is vice president of loss prevention for the trade group: "The people that are really good at credit card fraud, that result in significant chargebacks, are the ones that can execute credit card fraud and multiply that routine over and over again." Velocity checks help stop the bloodletting.

As with most retailers that have sophisticated antifraud systems, the processes at ShopNBC are largely automated. Each order goes through a complicated, proprietary decision tree. At any point, the order can be released as good, pushed along for an additional check, or flagged as suspicious and sent to a team of 20 investigators. The investigators might then contact the customer, or have the bank contact the cardholder, to confirm that the sale is legitimate.
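The screening pipeline sketched in the preceding paragraphs, as an added example that is not ShopNBC's code or any vendor's product: an AVS result, an IP-geolocation distance rule and a velocity check feed a small decision tree that releases each order, pushes it to an extra check, or sends it to investigators. The order fields, thresholds, city coordinates and sample orders are all constructed for the example.

```python
from collections import defaultdict
from math import radians, sin, cos, asin, sqrt

def distance_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def velocity_hits(orders, window_min=60, max_shared=2):
    """Velocity check: ids of orders whose ship address or e-mail recurs on more than max_shared orders within window_min minutes."""
    hits = set()
    for field in ("ship_addr", "email"):
        recent = defaultdict(list)  # field value -> orders still inside the window
        for o in sorted(orders, key=lambda x: x["ts"]):
            group = [p for p in recent[o[field]] if o["ts"] - p["ts"] <= window_min]
            group.append(o)
            recent[o[field]] = group
            if len(group) > max_shared:
                hits.update(p["id"] for p in group)
    return hits

def screen(orders, geo_km=500):
    """Decision tree: release, extra check ('review'), or send to investigators."""
    flagged = velocity_hits(orders)
    decisions = {}
    for o in orders:
        checks = [("avs_mismatch", not o["avs_match"]),  # AVS: billing address vs bank records
                  ("ip_far_from_address", distance_km(o["ip_latlon"], o["addr_latlon"]) > geo_km),
                  ("velocity", o["id"] in flagged)]
        reasons = [name for name, hit in checks if hit]
        level = ("investigate" if "velocity" in reasons or len(reasons) >= 2
                 else "review" if reasons else "release")
        decisions[o["id"]] = (level, reasons)
    return decisions

def order(oid, email, ship, ip_ll, addr_ll, avs, ts):
    """ip_ll: assumed IP-geolocation result; addr_ll: geocoded ship address; ts: minutes since midnight."""
    return dict(id=oid, email=email, ship_addr=ship, ip_latlon=ip_ll,
                addr_latlon=addr_ll, avs_match=avs, ts=ts)

MSP, NYC = (44.98, -93.27), (40.71, -74.01)  # rough city centres, constructed
SAMPLE = [  # constructed orders; C1-C3 share one ship address within 10 minutes
    order("A1", "a@example.com", "1 Main St", MSP, MSP, True, 10),
    order("B1", "b@example.com", "9 Elm St", NYC, MSP, True, 20),
    order("C1", "c1@example.com", "5 Oak St", MSP, MSP, False, 30),
    order("C2", "c2@example.com", "5 Oak St", MSP, MSP, True, 35),
    order("C3", "c3@example.com", "5 Oak St", MSP, MSP, True, 40),
]
```

Running `screen(SAMPLE)` releases A1, sends B1 (ordered from a New York IP to a Minneapolis address) for review, and escalates C1 through C3 because three orders hit one address inside the window.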

The rules are changed constantly to try to stay ahead of the fraudster's newest tricks. "The hardest thing about fraud is it is so dynamic," says Laura Lively, ShopNBC's credit investigation manager. "What we're chasing today is not what we'll be chasing six months from now. The fraud schemes pop up, and they test your perimeter. They pop up; they go away; they pop up; they go away." About 8 percent of orders make it to the investigators, and the majority of those orders are then cleared for shipping, usually without the customer knowing that any additional screening has taken place.

And so it goes at merchants across the country. Moment after moment, decision after decision, day after day.

"It's all about analyzing as many parameters as you can," says Brown from the Merchant Risk Council. "Having a fraud list of people you know have been a chargeback is just as valuable as knowing that an e-mail account has been used for fraud or that a customer has just tried to buy 20 pairs of denim in the same order. Every piece of information has value. There is no single silver bullet for being able to separate a good order from a bad order."

ShopNBC opted to build its systems in-house, as many larger retailers do. But service providers such as CyberSource, eFunds and Retail Decisions sell similar systems.
