Retailer who take a practical approach to fraud screening with a view to enabling as many transactions as possible across their channels will boost the bottom line – and retain customer loyalty, says Chloe Rigby
Do you want to prevent all fraud in your online shop? Simple. Close it down. Since such an approach would also spell the end of the business, many retailers prefer to take a pragmatic view, balancing an acceptable level of fraud risk against the potentially greater risk of losing customers through over-stringent fraud prevention measures. It’s a risk that’s currently front of retailers’ minds, according to a recent CyberSource study which found that UK online merchants were missing out on £1.8 billion a year in potential income when, for fear of fraud, they rejected valid payments. The primary challenge, cited by some 51 per cent of those questioned for CyberSource’s 2013 UK eCommerce Fraud Report, is the risk of losing good business as a result of turning away too many good customers while trying to detect fraud. The study also showed that while retailers taking part in the study rejected an average of four per cent of orders on suspicion of fraud, only 0.5 per cent of orders actually proved to be fraudulent.
“A lot of merchants will be wanting to minimise fraud rates,” says CyberSource’s director, products and services, Akif Khan, “but increasingly we’re seeing merchants becoming more sophisticated than just a few years ago. The focus is moving from minimising fraud to maximising profitability – the two don’t always go in hand.”
The challenge then for retailers is to take a practical approach to putting into place strong-enough fraud systems that don’t slow down sales.
HOW FRAUD SCREENING WORKS
When a shopper submits their payment details to an ecommerce website, fraud screening services running in the background assess the quality of the transaction in real time. In the past, such fraud screening would simply mean checking customer details and email addresses against a list of ‘good’ and ‘bad’ consumers. Today screening happens in real time. Governed by a variety of rules set by the retailer and/or fraud screening provider to assess the likely risk, each transaction is judged on rules such as the buying history of the card, previous use of the device from which the transaction is being made, previous suspicious transactions, the location of the device and the registered address of the cardholder. From these factors the transaction is given a score. Depending on the score, a transaction will be immediately be cleared against the set rules, declined, or fall into a grey area for manual checking by a fraud analyst. That fraud analyst might be a member of the retailer’s staff, or part of a team run by an outsourced fraudscreening provider.
The aim is to reduce the number of manual screenings that take place. Not only does reviewing transactions cost time and money, it also slows the customer experience considerably.
“You don’t want a fraud solution in place that is so rigid that it turns away good business,” says Belinda Robson, head of fraud and risk at DataCash. “The consumer experience is the most important thing for a merchant today – they spend so much money bringing consumers onto their websites, and competition is so strong so that if a fraud score rejects [a shopper] they’ll just go to the next site. They’re not going to retry and retry – they’ll just go somewhere where it can be accepted.”
So how do merchants balance that consumer experience with strong-enough fraud screening? Robson says the answer lies in analysing, evaluating and refining the fraud rules. “You can’t implement the solution today, leave it running in the background and see in six months from now that it will still provide the same results, because fraudsters change,” she says. “You need to keep refining in order to have pinpoint accuracy.” Robson suggests that retailers should be aiming to flag between two and five per cent of transactions for manual review.
As the volume of sales continues to grow, manual checks on two per cent of all transactions will develop into a steadily larger, and more expensive, workload. However, Cybersource’s recent study suggests that merchants are on average currently reviewing about 25 per cent of the transactions that they process. “That’s a huge overhead in terms of the headcount required and the impact on the customer experience,” says Khan. “Decisions are being delayed about whether the transaction will be fulfilled or not.”
BUYING INTO EXPERTISE
Many merchants decide to outsource their fraud screening systems, even if they choose to integrate different payments methods directly themselves. Doing so means that they can buy into the latest screening technologies and also benefit from the insights that fraud systems vendors gain when they work with large numbers of different retailers trading across the world.
But at the least, says Jeremy King, European director of the PCI Council, the organisation behind the PCI Standards that were developed in order to protect against card-related fraud, it’s important that retailers act to make sure that new payment methods or other systems are integrated safely into their website systems. That’s particularly important, he says, given that ecommerce was, according to Trustwave research of this year, the most targeted area for fraud in 2012. The organisation has developed a list of qualified integrators and resellers, the QIR programme, that retailers can safely use to integrate new software.
At a practical level, retailers can integrate with outsourced screening providers in one of two ways. First, they can integrate with screening technology at the back end of the website, with the practical effect that the consumer always stays on the merchant’s website and doesn’t feel they are moving to a thirdparty website. That approach carries the consideration that sensitive payment data is being entered directly on their website and means that they need to be compliant with the credit cards’ verification programmes through the PCI Council’s Data Security Standards (PCI DSS).
The second option for retailers is to integrate and the front end, opting for the payment and screening to happen on the provider’s website. While this might be preferred from a data point of view, many merchants see that feeling of moving to a third-party website as a downside.
CROSS-CHANNEL FRAUD PREVENTION
Just as genuine customers and fraudsters move across sales channels, merchants increasingly need to adapt to multichannel screening. If a transaction fails on the website, it’s possible that a fraudster or a genuine, frustrated, shopper might ring the call centre to try to buy again. Cross-channel fraud systems allow call centre operatives to see what happened on the website. “If a consumer has been rejected, do customer services’ teams have visibility to look at the results from the fraud screening system and use that to help steer the conversation with the consumer?” asks CyberSource’s Akif Khan. “If a consumer is rejected by the fraud screening because their address appears to be invalid, the customer service operator may then be able to elicit the correct information from the consumer in order to turn that into a good purchase.”
This comes with the caveat that customer service teams need to be well trained so they don’t inadvertently give away information about the fraudscreening processes. “That’s why it’s critically important,” says Khan, “that things like fraud screening and payment aren’t really left as an afterthought but are an integral part of setting up any online or multichannel business so that the data can be integrated into all aspects of a modern multichannel retailer’s environment.”
Mobile is a key part of this multichannel challenge, warns Ronan Le Mestre, head of risk at fraud prevention specialists ReD, who detects an increase in fraudsters targeting new sales channels that they perceive to be less well protected. The fast-emerging mobile sales channel is a particular challenge for fraud screening because verification procedures that work well online, such as 3D Secure, do not currently operate on mobile. Equally, fraud-screening approaches such as checking the IP address of the device from which an order is placed do not apply to mobile devices.
Nonetheless, says the PCI Council’s Jeremy King, while fraud may be adapting to new sales channels, the fundamental safeguards remain the same.
“Regardless of whether you’re accepting a payment on a traditional POS device or using a phone, it comes back to the basics,” he says. “You need to know what data you have and where it is, and then understand the risks associated and how to address them. From there it’s about making sure you have the pieces in place to secure the data – including the people, process and technology. Remember, security is not just a technology choice, it’s a business decision.”
ReD’s Le Mestre suggests that retailers can remove doubt presented as sales opportunities widen by learning to recognise ‘good’ customers. That means taking into account shopper history in the rules that retailers set, such as how many successful purchases a shopper has previously made. “If you know your good customers it’s much easier to identify the fraudsters among the population,” he says.
Meanwhile, it can also be easier to identify likely fraudsters by introducing screening rules around certain products, such as consumer electronics. “If you are a big retailer maybe you don’t want someone buying socks to end up in a queue for one of your agents to review,” says Le Mestre. “If you are selling laptops or iPads that’s the kind of order that you want for the verification so you need a system that allows you to get that granularity at a product level.”
By setting rules retailers can also recognise common approaches to fraud. Account takeover, for example, sees a fraudster start to use an existing account at a retailer, entering user names and passwords that they already know. From there, it’s a simple step to change email addresses and shipping addresses. Equally, these can be changes that take place perfectly innocently. “Any change of account, such as email address, shipping delivery, is not necessarily suspicious but you have to be careful,” says Le Mestre.
Another approach to targeting fraud, Le Mestre suggests, is to put in place ‘safer’ delivery alternatives. Introduced correctly, he argues, click and collect should be safer because the shopper can be asked to show the card that they used to make the purchase when coming to collect an item.
An emerging trend most often spotted in the USA, as yet, is the move towards reshipment fraud. Here the fraudster places an order for shipment to a genuine address, on a genuine account. But after the order has been placed they will later contact the retailer’s customer service to say that the item needs to be shipped to a different address. A further step, also more familiar in the US, is that the fraudster contacts the delivery company to make the change. The solution here, says Le Mestre, lies in the agreement that the retailer makes with their shipping company not to allow subsequent changes to the delivery address.
It’s easy to be daunted by ecommerce fraud, currently running at high levels, but there are practical, and often simple, steps that retailers can take in order to avoid becoming a target.”
Speaking from Experience
“Fraud is like a game of chess – you make one move as a provider, fraudsters try and figure that out and make another move.”
Belinda Robson, head of fraud and risk, DataCash
“The price, typically, of having very low fraud rates is that you reject very good customers. We’ve seen a shift in merchants’ activities to make sure they maximise the number of good customers.”
Akif Khan, director, products and services, CyberSource [IRDX VCYL]
“We have noted that the fraudsters are migrating to the call centre and especially, mobile payments. Retailers need to prepare as transactions continue to grow to experience a lot of fraud unless they have the right strategy in place.”
Ronan LeMestre, head of risk, ReD
“Retailers need to make sure they understand the risks that any new technology, device or system introduces to their business so they can ask the right questions and make sure they’re working with right business partners and service providers who will help them do so securely.”
Jeremy King, European director, PCI Council
Fraudsters have increasingly gone cross-channel as the way that we shop changes. That means retailers now need to think not only of online protection but also of channels such as their call centres and, most especially, of mobile commerce, now growing fast as a payment channel