Choke Point: Preventing Credit Card Fraud

After a customer loads up an online shopping cart, after he hands over a credit card number and a shipping address, after he hits the “buy” button—after all that, there is a moment of truth that has profound implications for the U.S. economy. That is the moment when the retailer decides whether or not to ship the order.

Just because the bank approves a credit card doesn’t mean it’s not stolen. Millions of compromised credit cards are in circulation, and many won’t be replaced until they are known to have been misused. With law enforcement overwhelmed by the problem, e-commerce merchants—not the credit card associations, not the banks—are often the ones left holding the empty bag. Therefore, they must make a snap judgment about each order and suffer the consequences.

This is the choke point. Choose wrong, and the retailer loses either a legitimate sale or the merchandise and the transaction fee. “You stick your neck out every time you ship something out without [getting] an imprint and signature,” says Joe Williams, CSO of the high-end retailer Sharper Image, which had $250 million of revenue in card-not-present transactions (comprising Internet, telephone and mail orders) in 2004.

Choose well, and the retailer has saved itself money and played a vital role in the fight against crime. Credit card fraud, as one vendor puts it, “is how criminals go to the bank.” Says Ted Crooks, VP of global fraud solutions for Fair Isaac, a decision-management consultant and software vendor, “The most serious fraud is the place criminals surface in the legitimate economy. Fraud is the best”—meaning the least nefarious—”thing they do every day.”

According to a survey by CyberSource, an antifraud service provider, companies lose about 1.6 percent of online revenue to fraud. To keep that number down, retailers are turning to an increasingly sophisticated and automated set of fraud-prevention controls. “During the first few years of the e-commerce boom, many merchants were willing just to get the sale at the expense of increased fraud,” says René Pelegero, former director of global payments for Amazon.com turned consultant. “Over the last two or three years, the tide has begun to turn.”

But there is another sea change that e-commerce merchants would like to happen, and that is in the risk-sharing system with credit card issuers. Merchants fervently want not only to prevent fraud but also to transfer some of the liability onto the credit card associations and banks, as brick-and-mortar retailers have done. The credit card industry says it is addressing those concerns with programs like Verified by Visa and MasterCard’s SecureCode, but adoption by retailers has been slow. (The Payment Card Industry Data Security Standard, an issue that has received attention lately, is a different program intended to make merchants improve their security by using standardized background checks, data encryption and other methods.)

All the while, online credit card fraud continues its inexorable rise, with the CyberSource study pinning 2005 losses at $2.8 billion, 8 percent more than the year before.

A Legacy of Tension

Merchants have never exactly had a harmonious relationship with the credit card associations and their member banks, the ones who put plastic into the hands of millions of Americans. With transactions done in the physical world, though, at least everyone understood the game. The retailer agreed to look at each card and get a signature. If a cardholder reported that a charge was fraudulent, the bank issued what’s known as a “chargeback”—essentially, the bank took back the money and gave it to the cardholder. If the merchant then submitted the cardholder’s signature, the merchant didn’t have to pay the chargeback. It was the bank’s problem.

If merchants didn’t follow the rules or racked up too many chargebacks, the card associations could ban them from accepting credit cards. But if merchants weren’t happy with the card associations’ rules, they could stop accepting credit cards.

Then came the Internet. Suddenly, the number of card-not-present transactions—once the domain of catalog retailers—shot upward to a point where, this past Christmas season, Visa reported that about 10 percent of all spending on Visa cards was for online purchases. The problem is, accepting a credit card online is riskier than accepting one in person. Merchants have no good way of verifying that the person holding the card is the person who actually owns the card. They can’t get a regular signature, and they are leery of introducing anything into the checkout process that slows down the transaction.

As a result, e-commerce merchants must accept liability for fraudulent purchases. There’s no disputing the chargeback.

Proponents of the merchants’ view say the charges are extreme. “If a merchant ships the [fraudulent] order, they lose merchandise, lose the transaction fee, lose the shipping fee and get a chargeback fee,” says Dan Clements, CEO of CardCops, which monitors the Internet for stolen credit card numbers on behalf of both merchants and individuals. “They lose, lose, lose, lose, and the issuing bank and the acquiring bank split the chargeback fee as revenue.”

To be fair, banks devote substantial resources to monitoring accounts for suspicious activity and blocking fraudulent charges (although they are loath to discuss it). But merchants know their customers and products better than anyone and are therefore in an excellent position to spot suspicious orders before a pattern of misuse on an individual account occurs. This means that merchants who do business online are being forced to invest in antifraud defenses—both technological and human—like they’ve never had to before.

Fraud Prevention 101

Whether or not the customer understands it, the majority of online transactions include two basic antifraud measures. The first confirms the billing address; the second tries to verify the physical presence of the credit card.

The billing address is used for the address verification service (AVS), which allows a merchant to find out whether the billing address provided by the customer matches the one in the bank’s records. Although the method isn’t perfect, 75 percent of online retailers use it, making it the most widely used tool, according to the CyberSource study.

For physical confirmation, retailers often ask for the card verification number (CVN, sometimes called CID or CVV). This is a three- or four-digit code that’s printed on the credit card but not included in any correspondence or on the card’s magnetic stripe. By the end of 2006, CyberSource projects that this method will be nearly as prevalent as address verification.

Tracy Brown, cochairwoman of the Merchant Risk Council, a trade group founded to help retailers control fraud, says that CVN was an attempt to move online credit card transactions from single-factor to dual-factor authentication. “The concept was that maybe you got my credit card number from a database, or you stole my billing statement, but the CID or CVV weren’t stored in those places,” says Brown, who is director of information security for American Eagle Outfitters. That meant that online credit card transactions required not just something the customer knew (the credit card number) but also something she had (the actual credit card).

The problem, Brown says, is that this method isn’t really dual-factor authentication. “Just because you have two [types of information] doesn’t make it dual-factor. It’s the same method: It’s information that you type into a system that’s stored in a database somewhere. Any kind of single-factor authentication is going to have a shelf life before it’s compromised.”

That’s just what has happened. In fact, if ever there were an example of how a 10-foot fence just inspires criminals to build an 11-foot ladder, this is it. Crooks are adopting CVN as quickly as merchants. CardCops’ Clements says that now when he sees thieves advertising stolen credit cards with “full information,” it means the information includes not only the cardholder name, billing address, credit card number and expiration date, but also the CVN.

How do the fraudsters get the information? Some phishing schemes ask for it. Also, despite rules that prohibit merchants from storing the number, some have, making security breaches all the more damaging. Experts also fear that fraudsters are figuring out CVNs by brute force or, worse, reverse engineering them.

“If you have enough cards and enough computing power, it’s not tremendously difficult to figure out what the algorithm is,” says Pelegero, the former Amazon.com executive who is now president and managing director of Retail Payments Global Consulting Group. “If I have 100 cards from the First Bank of Nowhere with the valid CVN, I can figure out how to generate additional CVNs.”

All of which is why credit card fraud prevention is much more complicated than the streamlined checkout process would indicate.

Advanced Transaction Studies

Every day, thousands of people log onto ShopNBC.com, the fast-growing jewelry and electronics merchant that brought in about $127 million in sales for parent Valuevision Media in 2004. Joan Radtke, director of credit, wants to make sure that once customers fill up their carts, the checkout process is efficient. But Radtke also wants to ensure that the incoming fraud rate, which she says is near the industry average (about 3 percent or so, according to CyberSource), doesn’t result in an unacceptable chargeback rate. (Rates under 1 percent are generally considered acceptable, although standards vary depending on the retailer’s industry.) So after the customer completes her order, ShopNBC’s homegrown systems kick in to evaluate the order for suspicious behavior.

Radtke’s is a typical toolbox, with several outside sources providing information. If there is a legally permissible reason to suspect fraud, the company can check customer information with one of the credit bureausto find out, for instance, if the customer has put a fraud alert on her account. The company can also check against public records compiled by LexisNexis. (Is the customer listed as deceased? Not a promising sign.) And the company can check against a database from the U.S. Postal Inspection Service that contains addresses involved with fraudulent activity.

ShopNBC.com also has its own tools for catching anomalous behavior, such as IP geolocation. If the IP address of the computer on which the order was placed is not geographically near either the shipping or mailing address, the order may be suspicious. “This particular rule helps with foreign fraud,” Radtke says.

In fact, fraud originating from outside the United States is such a problem that, according to Joseph LaRocca of the National Retail Federation, many merchants have implemented rules not to ship to certain countries or do transactions with individuals from certain countries. ShopNBC ships orders only within the United States, eliminating the need for country-based rules.

Another common tool that ShopNBC uses is what’s known as “velocity checking”looking for multiple orders that share common characteristics, such as shipping address, e-mail address or geolocation. Merchants don’t divulge many details about their velocity checks, but the concept is simple. Explains LaRocca, who is vice president of loss prevention for the trade group: “The people that are really good at credit card fraud, that result in significant chargebacks, are the ones that can execute credit card fraud and multiply that routine over and over again.” Velocity checks help stop the bloodletting.

As with most retailers that have sophisticated antifraud systems, the processes at ShopNBC are largely automated. Each order goes through a complicated, proprietary decision tree. At any point, the order can be released as good, pushed along for an additional check, or flagged as suspicious and sent to a team of 20 investigators. The investigators might then contact the customer, or have the bank contact the cardholder, to confirm that the sale is legitimate.

The rules are changed constantly to try to stay ahead of the fraudster’s newest tricks. “The hardest thing about fraud is it is so dynamic,” says Laura Lively, ShopNBC’s credit investigation manager. “What we’re chasing today is not what we’ll be chasing six months from now. The fraud schemes pop up, and they test your perimeter. They pop up; they go away; they pop up; they go away.” About 8 percent of orders make it to the investigators, and the majority of those orders are then cleared for shippingusually without the customer knowing that any additional screening has taken place.

And so it goes at merchants across the country. Moment after moment, decision after decision, day after day.

“It’s all about analyzing as many parameters as you can,” says Brown from the Merchant Risk Council. “Having a fraud list of people you know have been a chargeback is just as valuable as knowing that an e-mail account has been used for fraud or that a customer has just tried to buy 20 pairs of denim in the same order. Every piece of information has value. There is no single silver bullet for being able to separate a good order from a bad order.”

ShopNBC opted to build its systems in-house, as many larger retailers do. But service providers such as CyberSource, eFunds and Retail Decisions sell similar systems.

The ongoing challenge for retailers, whether they build or buy, is managing the tools. This means tweaking the rules. Continually. “That is an art,” Brown says, “because if you set [the bar] too high you’re reviewing too many orders and losing good customers and losing good money. If you set it too low, the fraudsters will figure out where your thresholds are set and try to attack you in a different way.”

The Liability Game

CompUSA has plenty of antifraud protections churning along, both homegrown and purchased. These include AVS, order screening, and an internally developed order and ranking system. The company also uses IP geolocation, which is part of a contract with CyberSource. But the privately held big-box electronics retailer took the bait on new services being offered separately by Visa (about three years ago) and MasterCard (about one year ago) that aim to make e-commerce a less risky proposition for everyone.

The programs are known, individually, as Verified by Visa and MasterCard SecureCode. The idea is that a cardholder signs up for the card-protection service with her credit card company, picking an extra password to authenticate herself online. Then, whenever she completes a transaction with an online merchant that has also signed up for the service, a third-party authenticator asks for the passwordideally, as a seamless part of the checkout process.

“If you don’t know the password, you can’t use the card,” says Steve Javery, CompUSA’s director of e-commerce, development and integration.

The way it works is through a software package called 3D Secure, which hooks into the merchant’s order processing and does the confirmation for both programs. Javery is a pretty good, if unofficial, spokesman for Visa. He says the implementation cost was low. “It took just one developer less than a couple weeks to get this up and running and tested and deployed,” he says, noting that the system paid for itself in “a short time frame” and did not increase the number of shoppers who abandoned their shopping carts.

The payoffbeyond lower fraud ratesis exactly what merchants have been clamoring for for years. According to Visa, retailers who sign up for Verified by Visa get a 5 percent to 10 percent reduction in the rate they pay to process all Visa transactions that involve a consumer credit card or debit card. (MasterCard declined requests for an interview.) What’s more, if the customer enters the Verified by Visa password, the liability for that transaction shifts to the bank that issued the card if it turns out to be fraudulent.

Right after the holidays, MasterCard announced similar incentives; merchants who support SecureCode will be eligible for rates that the company describes as “comparable to those for face-to-face transactions,” or up to 16 percent lower than previous rates.

Avivah Litan, vice president and research director at Gartner, has been watching the situation for years, and she is heartened by the card associations’ taking on more risk. “Before, it was every online retailer on their own when it came to online commerce fraud control, and they were all duplicating their efforts,” Litan says. “It was extremely decentralized and extremely inefficient. But places like Citibank and Bank One have spent hundreds of millions of dollars protecting against fraud over the past years, and they’ve gotten really good at it. You’re just shifting the liability around, but if you can shift it to someone who can fight it effectively, we’re much better off.”

Still, that’s not happening on any great scale right now. Why not?

Widespread adoption would have to start with the merchants. Banks are in no hurry to speed adoption, since it increases their liability. Consumers, who have zero-liability protection against credit card fraud, have little incentive to sign up for the program. But retailers, who do have incentive, just aren’t signing up.

Michael Yakel, a Visa vice president who runs the Verified by Visa program, tries to put a happy face on the numbers, noting that the program has seen a 150 percent increase from a year ago. But only about 10 percent of e-commerce volume comes from merchants that support it, and a much smaller percentage of that volume is being authenticated with the program.

“I wish it were more,” Yakel says, “but we’re working on it.”

Incentive Issues

When asked, merchants blame the slow speed of adoption on a somewhat rocky start. Primarily, there were concerns about how the technology worked. But now that some of those concerns have been addressed, merchants raise another. In transferring the liability for online transactions, they also must transfer control over part of the checkout process. Fearful of losing sales, they simply don’t want to sign up until they know consumers are on board. At ShopNBC, Radtke says the ROI just isn’t there yet because “we don’t see enough customers using it.”

Ironically, the point at which enough retailers such as ShopNBC see the ROI of the program may be the point at which it stops having one. The 10-foot-fence principle is certainly at work: There have been reports of fraudsters trying to register stolen credit cards, phish the extra passwords or steal them via Trojans illicitly installed on customers’ computers.

The problem is that although Verified by Visa and MasterCard SecureCode are improvements, they are still single-factor authenticationinformation the customer types in that is matched against a database somewhere. And that information, Brown points out, has a shelf life. “By the time the industry totally adopted it, the phishing attacks would make it not effective anymore,” she says glumly.

The underlying issue may be that to a surprising degree, people still feel safe making purchases online. Online shopping is a victim of its own success. “The card associations have done a brilliant job convincing consumers that the cards are safe and that they have no liability,” Pelegero says. So until the merchants feel either more pain from fraud chargebacksor more benefit from transferring liabilityit seems inevitable that they’ll continue to pick away at the problem, trying to eliminate fraud where they can and write it off where they have to.

After all, there’s just one thing that’s worse for online retailers than arriving at that moment of truth, that moment after a customer loads up an online shopping cart, after he hands over a credit card number and shipping address, after he hits the “buy” button and the merchant has to decide whether or not to ship the order.

It’s not arriving at that moment at all.