Total online fraud losses have dropped in the past two years with a raft of new security measures to prevent card-not-present fraud. Liz Morrell asks if the trend will continue
Ever since internet shopping first began, online fraud has been a major source of worry for retailers. But if the latest figures from Financial Fraud Action UK are to be believed, then the fraudsters may finally be meeting their match in the shape of the increasingly effective solutions that have been developed to combat it.
The figures, released in October last year, show that fraud losses on UK cards and cheques fell in the first half of 2010. For UK cards, total fraud losses fell to £186.8m between January and June 2010 - 20% down compared with the same period in 2009 and the lowest half-year total for 10 years.
Of the total fraud loss between January and June 2010, £118.2m was accounted for by card-not-present (CNP) fraud, down 12% on the first half of 2009 and the lowest since 2006. Visa Europe senior vice-president for fraud management Kevin Smith says: “That is a really positive figure but there is no single magic answer and everyone plays their part in this.”
Financial Fraud Action UK attributes the success to a number of initiatives - from the roll-out of updated chip cards in the UK to ongoing work to help retailers understand how to protect their Chip and PIN devices.
It claims Visa and MasterCard’s customer verification systems - Verified by Visa and MasterCard SecureCode respectively - are showing encouraging results. Visa claims that 53% of all its transactions in August 2010 were done via the Verified by Visa route as the system is increasingly adopted by banks and merchants alike. “It may have taken a little longer than I would have liked but it’s really taking hold now,” says Smith.
But not all agree such measures work. Marcus Whittington, chief operating officer at internet security specialist SentryBay, is doubtful because of the frequency with which customers forget their passwords and the frustration they can feel with the process when this happens. “It’s an example of something that doesn’t work and customers don’t like it. It may reduce a little bit of fraud but customers are more likely to be annoyed by the security than to be happy that the security is there in the first place,” says Whittington.
Retailers certainly have to be careful that they don’t complicate customers’ attempts to purchase. “The big problem is that every security device you put in front of the customer provokes lost shopping baskets and that’s a real problem,” says Professor Joshua Bamfield, director at the Centre for Retail Research.
Whittington says fraudsters can also still capture the information they need via keylogging - tracking the keys typed on a keyboard. However, Visa is about to launch the first commercial roll-out of its Visa CodeSure following six consumer and bank pilots across Europe. Similar to banks’ card readers, CodeSure is a unique code generator whereby the customer enters their pin into a 12 digit keypad on the back of their Visa card. An eight-digit code is generated that they then enter into their transaction to verify the purchase. “Consumer research is incredibly encouraging because it’s very intuitive and it also addresses the merchant’s concern of customer drop-out,” says Smith.
But beating fraud online isn’t just about cutting down on instances of fraud but on maximising sales too. “I’m not sure whether some retailers truly understand the full cost of fraud in terms of lost sales, high manual review costs, surcharges and fines from card companies and so on,” says Carl Clump, chief executive of fraud prevention firm Retail Decisions.
He believes just looking at the instances of fraud isn’t good enough because he says it’s not uncommon in the UK to see 8% of sales being rejected as bad sales. “The skill is to find who is friend and who is foe and a retailer should be rejecting 1% to 2% at most,” says Clump.
His rules-based decision making software allows a retailer to make a more informed, less costly decision on whether to let a sale through. Clump says: “We give retailers an uplift in revenue because we relax some of their draconian measures and typically reduce manual review costs by about 50% and increase online sales by about 25% by letting more good transactions through,” says Clump.
He says retailers should change their thinking about fraud prevention. “They should be looking at fraud prevention as a way of improving sales,” he says.
At John Lewis every 0.1% decrease in declined orders would add £500,000 in revenue, meaning that the pay-off to let more orders through is huge.
John Lewis analyst manager for business protection Liz Heaton says the retailer experiences significant amounts of attempted CNP fraud but has put in place measures to both control it but also to ensure genuine sales don’t get rejected. It works in partnership with Retail Decisions to provide the software and analysis that will determine if a sale is suspect or not. “We have a set of rules in place to challenge suspect transactions. The challenged transactions are assessed by John Lewis’ contact centre staff, who take the decision on whether to release or cancel the order,” says Heaton. She says a range of risk factors - from type of merchandise to order history and the origin of the order are considered and the contact centre agents then make the decision at an individual transaction level whether to cancel the order. “They assess all aspects of the order. This is to prevent blanket cancellation of orders that might actually be genuine,” says Heaton.
However, a retailer risks losing a customer for good if a purchase has been wrongly rejected. Clump says: “Some companies are overzealous in their attempt to control fraud so they reject good customers. This is an insult and in some cases those customers never come back.”
Decisions to reject custom must be fair. Home Retail Group has a number of measures in place to prevent CNP fraud. Homebase fraud prevention manager Mari-Ann Bayliss says: “All orders are screened based on pre-defined criteria including using shared information from external fraud agencies. A team of dedicated advisers manage orders that we identify as high risk and investigate further to determine whether delivery should go ahead or not.” But most importantly, Bayliss says a balanced decision is vital. “There is not one factor that would result in us turning down a transaction; the decision is based on a number of factors,” she says.
Online fraud prevention is a huge business and despite the apparently good news, many believe October’s figures show only a temporary reprieve. Clump says the actions being taken to beat online fraud are having some effect, but the figures are also influenced by the fact that there are softer targets at the moment. Australia, for instance, is just introducing Chip and PIN, so much of their fraud is migrating online. Fraudsters always attack the weakest link, and as such, he is unconvinced that the decline will last.
Bamfield says retailers must remain alert at all times. “The point about fraudsters online is that they can operate at any time of day or night and if they see a particular vulnerability they can drive a horse and coach through it in just a few days,” he says.
Heaton says John Lewis remains on its toes at all times with regards to online fraud threats. “Ensuring protection requires ongoing evaluation and we are constantly updating our rules in light of changes to our business, such as assortment changes or the introduction of our click-and-collect service.”
Bayliss agrees: “We continually monitor fraud risk and strive to reduce CNP fraud losses and new technology is key to this strategy,” she says.
But Bamfield doubts retailers will ever truly be victorious in their war against online fraud. “I don’t think we will ever win this battle, we just have periods where we are doing better than we were,” he says. Unlike shoplifting, online fraud constantly develops and while retailers have some of the brightest minds defending their businesses, they also have some of the brightest minds attacking them, too.
Card fraud in numbers
Card-not-present fraud on UK cards, January to June 2010
Source: Financial Fraud Action UK