It will hardly come as news to online retailers that card-holder-not-present (CNP) fraud is costing the industry serious money. The latest half-year CNP fraud figure from Apacs puts the amount at £161.9m for January to June 2008 – a jump of 18 per cent on the previous year.
A fraud report from CyberSource released in recent weeks also reveals that 18 per cent of merchants have seen losses from online payment fraud rise 10 per cent or more in the past year and 13 per cent have suffered an increase of more than 20 per cent.
Chris Gaines, a director within Deloitte’s security and privacy team, says massive hacking incidents are responsible for the increase in organised crime figures. He adds that the payment card schemes believe such crime will only increase in a downturn.
Deloitte has run focus groups on online fraud and feedback from consumers indicates that they expect a higher level of protection from a retailer than they do a bank. Consumers do not understand why retailers would store card data that could be compromised. So the issue is two-fold. Retailers need to protect any card data they hold and also ensure that they aren’t caught out by fraudsters using card data stolen from others.
CyberSource head of client and technical services Akif Khan has seen a rise in the number of its retail customers that trade in countries in Europe, the US and Asia, and says they are potentially exposing themselves to more risk. He says: “If they are taking orders from Europe then the same checks may not apply.” For instance, UK retailers can expect strong correlations between the card holder’s address and where the product is ordered from or is to be sent. But in Europe, consumers can live close to country borders and are more likely to live and work in different countries.
Another issue is language and local knowledge for fraud reviewers. Khan asks if staff can speak the languages of all the customers being served where they are reviewing suspect transactions manually. And even if staff can communicate with foreign-speaking customers, will they know what a risky transaction looks like in another country (for instance, immediately recognising a crime hotspot)?
Larger and more mature organisations are looking at metrics such as rejected and reviewed transactions, according to Khan. However, it is hard for them to tell how many transactions are flagged as fraudulent when they are actually legitimate.
Deciding how to set up your fraud screening can have a big impact on these metrics. Khan continues: “They are stuck between a rock and a hard place. The only way is to make very small incremental changes to your fraud screening and see a few weeks or months later whether there is any increase in chargebacks.”
Gaines adds that with big peaks and troughs in online trading, it is “not appropriate” to set the thresholds for which transactions will be accepted based on the average trading day, as the thresholds will have to be changed in line with trading. But he says the odd failed or delayed transaction for a legitimate customer is not the end of the world. “For most customers a failed transaction does not necessarily translate to a poor perception of the retailer – it can enhance it from a security focus,” he says.
At the moment few consumers are compelled to sign up to use either the Verified by Visa or MasterCard SecureCode system when shopping online, although the card schemes encourage them to do so. Gaines says it is possible that banks could begin pushing the issue further with card holders. Khan was forcibly enrolled in one of the 3D-Secure identification verification programmes by his bank, with his initial password being set the same as the one for his online banking account, despite the idea of the 3D-Secure password being that it is set by the card holder.
Tightening the security links
He also points out: “3D-Secure is very much geared towards the online environment. We tend to see an increase in fraud on non-MasterCard or Visa cards and a migration of fraud to the call centre.” He adds that this is one reason why retailers should invest in systems that allow call centre staff to see if a card has already been rejected on the retailer’s website. Khan says there is also no reason why multichannel retailers can’t cross-reference transactions taken at their tills and over their websites.
Gaines explains that most retailers he works with don’t cross-check the fraud they see at their tills against what goes on online. He says that the issue of who takes responsibility for securing card data is a grey area. “One challenge retailers have is who to assign responsibility to. Is it marketing who owns the data, IT or the fraud department? Those who are dealing with it effectively are putting together cross-business teams.”
Khan adds that minimising the costs of chargebacks that retailers bear is something that they should make a priority this year. He says: “In some cases there is a fraud team and then the chargebacks come in to the finance team. In other cases banks still provide chargeback notices by fax or letter.
“As soon as a chargeback comes in, retailers should look at it to see whether a delivery has been made. The merchant is given a request for information from the bank first and if they can’t provide a proof of signature or other information then it turns into a chargeback.”
He explains that the banks only give retailers a limited time to provide information on potential chargebacks and this can lead to retailers carrying the cost of goods that they have delivered.
Khan argues that the police could do more to assist retailers when goods are obtained fraudulently. He hears of retailers having long conversations with them that get them nowhere, despite the retailer always having a delivery address as the starting point for an investigation.
Gaines adds: “There isn’t a single solution to tackling fraud, but the level of collaboration needs to improve. I don’t think that retailers are that well linked into the banks or law enforcement to identify systemic fraud activity. Often the first thing a retailer knows about a fraud is when a bank tells them.”
If criminals continue to target retailers in the way that has been predicted, then all parties will need to think again about how this problem is tackled.
When RBS WorldPay and The Futures Centre co-hosted a round table on the issues in the payment industry, not surprisingly, payment security came up. What was interesting was that retailers do see that they have a role to play as much in protecting their customers’ information as they do in protecting their own businesses from loss through fraudulent transactions.
RBS WorldPay managing director Ron Kalifa crystallised the issue. “Payment systems are a bit like plumbing. It’s invisible to all consumers until it goes wrong. But when it does go wrong, it goes wrong massively,” he said.
HMV group treasurer Chris Egan said that there was an initial resistance in his business to a second stage of verification at the online checkout, because it adds hurdles that customers must overcome to complete a purchase. However, the retailer is coming around to the idea. “We’ve not gone live yet, we’ve agreed an extension with MasterCard to the initial deadline so we plan to go live at the end of March next year.”
He added: “I think in the past six months there has been a bit of a change in opinion and certainly initially it was considered an extra hurdle. It was this hassle at the end, whereas now it’s actually seen in a positive light because you’ve got a secure environment where people can transact and pass over their card details.”
Egan said that the group is also witnessing changes in consumer behaviour as a result of rising payment card fraud levels. “I’m seeing more and more people resistant to using cards that are directly linked to a bank account. Although there was a good system demonstrated to me a few weeks ago where you just connect direct to the internet banking portal and then you’re effectively pushing the payment through, so you’re not actually sharing your account details. I think this has some merit,” he said.
Steinhoff trades as Harvey’s Furnishers, Bensons for Beds, Sleepmasters, The Bed Shed and Cargo Home Shop. Its group audit manager Gary McDonald said that retailers do realise the growing sophistication of the criminals trying to steal payment card data.
He said: “The information that we’ve had is that they are getting cleverer and cleverer at this cloning technology and one of these days it’s going to be a big retailer that’s going to get hit. That’s an aspect the marketing or the sales side of the organisation doesn’t even think about. But the reputational risk of not having a decent, secure payment system in place is incalculable. It’s certainly something that we’ve started to think about more and more.”
However, he pointed out that all retailers need to come around to this way of thinking. “If everybody’s using this type of security, then that’s fine. If you are the one company in your sector that is and the other guys aren’t, then you potentially have a problem.”