
opinion

Jane Crossley discusses how retailers can protect themselves against cardholder-not-present credit card fraud and goods lost in transit

In early 2003 the first public chip and pin trial was conducted in Northampton. Following this success, a UK-wide roll-out of the technology began in October of the same year. As a result, since the start of 2005 the majority of card transactions in the UK have been by chip and pin, and by early 2006 the UK was close to being a fully mature chip and pin market.

Yet card fraud is still a major issue for retailers and consumers alike. Chip and pin was hailed as the knight in shining armour of fraud prevention, but it is limited in its ability to combat every type of card fraud. It has certainly made something of a dent in overall card fraud: a 3% decrease from GBP439.4m in 2005 to GBP428m in 2006 (source: APACS), which was largely attributable to chip and pin, as fraud committed at UK retailers fell by a whopping 47% from 2005 to 2006. However, with only a 3% decrease overall, fraud must be increasing elsewhere. And indeed retailers face a growing threat from other forms of card fraud, particularly online, mail-order or telephone-based retailers, of which there are many and whose number is growing.

Last year saw a 44% increase in online banking fraud, with other card fraud increases coming from counterfeit card fraud, card identity theft and card-not-present fraud for transactions taking place by phone, internet and mail order. Here, the safeguard of the chip and pin system isn't present, and the protection it delivers is circumvented by fraudsters, resulting in often significant losses for the retailer. Card-not-present fraud is now the biggest fraud type in the UK, costing over GBP212m in 2006, a significant 16% rise on GBP183.2m in 2005, and set to continue unless better fraud measures are put in place.

So what methods can retailers employ to counter instances of card-not-present fraud, in order to enjoy similar benefits to the headway made by the introduction of chip and pin?

Firstly, it's important to note that it's the responsibility of the retailer to ensure that the card details are submitted by the cardholder during any transaction, and failure to do this can represent a significant cost to the organisation, with chargebacks allowed up to 90 days after the transaction took place.

There are ways in which retailers can mitigate card-not-present fraud using additional authentication features. Address Verification Service (AVS) verifies the numeric parts of a customer address against the cardholder's statement address held on file. Card Security Code (CSC) verifies the card by requesting the security code printed on the reverse. This code is not present on the magnetic strip or card statement, so is at the least an assurance that the transaction is being undertaken from the physical card.

However, there are still flaws with both of these checks. CSC assumes that the card has not been lost or stolen and is still in the possession of the cardholder. And AVS can be circumvented if the fraudster has access to address details for the cardholder.

Specific schemes set up by card providers, like Verified by Visa and MasterCard SecureCode, can also be used to try to counter fraud. However, these require customers to register for the protection, setting up a password that is used to verify transactions. Whilst a forward-thinking idea, there is little incentive for the consumer to register, as it is not their risk and requires them to get involved in the process. Forcing consumers to use it is not currently feasible, as they will simply look elsewhere for an easier transaction.

Often retailers insist on delivering goods to the cardholder's address to mitigate fraud; however, this also presents a customer service issue that could prevent the genuine customer from making current or future purchases. Online shopping is meant to be convenient, but not if the customer cannot receive delivery because they cannot be at home during the day.

The next step for retailers is to look to additional fraud prevention tools to help galvanise their defences when undertaking card-not-present transactions.  There are many fraud prevention tools and products on the market and as a colleague once said to me, "Fraud tools are like handbags - you can never have too many".  Of course getting the mix right is clearly important to ensure the cost of preventing fraud remains efficient and customer service doesn't suffer for genuine customers.

For those retailers that are victims of card-not-present fraud, there are tools available to help them avoid it; we have seen excellent results with simple-to-use postcode indicators that highlight high-risk postcodes and allow the retailer to adopt alternative verification and delivery strategies.

For example, checking the likelihood of fraud at the cardholder's address against that of the delivery address allows the retailer to make decisions (either automated or manual) as to whether the delivery should be made without further question. Where there is a significant difference between the two, it makes sense to intervene and ask the customer for further verification as to the validity of the purchase. By acting only on those where the likelihood of fraud is highest, the retailer maintains the slick process that appeals to their customers whilst handling those cases where they are most likely to lose money.
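The postcode comparison described above can be automated as a simple triage rule. The following is an added example, not code from the author or any product mentioned here; the risk table, thresholds, outcome names and sample orders are all constructed assumptions.

```python
# Added example: triage card-not-present orders by postcode risk differential.
# Every value below is constructed for illustration, not real fraud data.

# Assumed fraud-likelihood index per postcode district (0.0 = low, 1.0 = high).
POSTCODE_RISK = {"NN1": 0.05, "LS6": 0.10, "M14": 0.45, "E13": 0.70}
DEFAULT_RISK = 0.30    # assumed score for districts missing from the table
DIFF_THRESHOLD = 0.25  # assumed "significant difference" between the two addresses
HIGH_RISK = 0.60       # assumed absolute level that always triggers a check

def district(postcode):
    """Return the outward code of a UK postcode, e.g. 'nn1 2ab' -> 'NN1'."""
    compact = postcode.replace(" ", "").upper()
    # The inward code of a full UK postcode is always its last three characters.
    return compact[:-3] if len(compact) > 4 else compact

def risk(postcode):
    return POSTCODE_RISK.get(district(postcode), DEFAULT_RISK)

def triage(cardholder_postcode, delivery_postcode):
    """Return (decision, reason): ship directly or ask for further verification."""
    delivery = risk(delivery_postcode)
    uplift = delivery - risk(cardholder_postcode)
    if delivery >= HIGH_RISK:
        return "verify", "delivery postcode is high risk"
    if uplift >= DIFF_THRESHOLD:
        return "verify", "delivery postcode much riskier than cardholder postcode"
    return "ship", "no significant risk difference"

# Constructed orders: (order id, cardholder postcode, delivery postcode).
ORDERS = [
    ("A100", "NN1 2AB", "NN1 2AB"),
    ("A101", "NN1 2AB", "M14 5AB"),
    ("A102", "LS6 1AA", "E13 9AA"),
    ("A103", "M14 5AB", "NN1 2AB"),
]

def review_queue(orders):
    """Order ids that need manual or step-up verification before dispatch."""
    return [oid for oid, card_pc, deliv_pc in orders
            if triage(card_pc, deliv_pc)[0] == "verify"]

if __name__ == "__main__":
    for oid, card_pc, deliv_pc in ORDERS:
        print(oid, *triage(card_pc, deliv_pc))
```

Only orders whose delivery postcode is markedly riskier than the cardholder's are held back, so deliveries to an alternative address in a low-risk area still ship without friction.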

For further protection, retailers (particularly those of high-ticket goods) can use fraud identification models. When we used our generic model for an on-line electronics retailer, 50% of fraud cases were identified in the top 10% of the file, and 80% of frauds in the top 20%; this was improved further by developing a bespoke model based upon the company's own file of previous fraud cases.
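Figures such as "share of frauds found in the top 10% of the file" come from ranking past orders by model score and counting confirmed frauds in the highest-scoring slice. The following added example, which is not the author's model or data, computes that capture rate and the review workload needed to reach a target; the scored file is constructed.

```python
# Added example: capture rate of a fraud model over a ranked file.
# SCORED is constructed data: (model_score, confirmed_fraud) for 20 past orders.
SCORED = [
    (0.97, True), (0.93, True), (0.90, False), (0.88, True), (0.81, False),
    (0.77, False), (0.74, True), (0.69, False), (0.62, False), (0.58, False),
    (0.51, False), (0.47, True), (0.40, False), (0.36, False), (0.31, False),
    (0.27, False), (0.22, False), (0.18, False), (0.11, False), (0.05, False),
]

def _ranked(scored):
    """Highest score first; Python's sort is stable, so ties keep file order."""
    return sorted(scored, key=lambda row: row[0], reverse=True)

def capture_rate(scored, top_percent):
    """Share of all confirmed frauds found in the top_percent highest-scoring rows."""
    ranked = _ranked(scored)
    total_fraud = sum(1 for _, fraud in ranked if fraud)
    if total_fraud == 0:
        return 0.0  # nothing to capture; avoid dividing by zero
    cutoff = len(ranked) * top_percent // 100  # integer arithmetic, no float fuzz
    caught = sum(1 for _, fraud in ranked[:cutoff] if fraud)
    return caught / total_fraud

def smallest_review_share(scored, target_capture):
    """Smallest share of the file to review (from the top) to reach target_capture."""
    ranked = _ranked(scored)
    total_fraud = sum(1 for _, fraud in ranked if fraud)
    caught = 0
    for reviewed, (_, fraud) in enumerate(ranked, start=1):
        caught += 1 if fraud else 0
        if total_fraud and caught / total_fraud >= target_capture:
            return reviewed / len(ranked)
    return 1.0  # target unreachable (or no frauds): the whole file is needed

if __name__ == "__main__":
    for pct in (10, 20, 50):
        print(f"top {pct}% of file captures {capture_rate(SCORED, pct):.0%} of frauds")
    print(f"review {smallest_review_share(SCORED, 0.8):.0%} of file to catch 80%")
```

Comparing these numbers for a generic model and a bespoke one, on the same file of past cases, shows how much manual review effort the better model saves for the same share of fraud caught.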

The retailer in question used both fraud models and postcode level address checks and delivered not only fraud savings, but an improvement in delivery times to the customer as a result of the work.  It also ensured the company's policy of delivering to alternative addresses in most cases could be continued cost effectively.

Ultimately, fraud checking must ensure an acceptable balance is struck between the losses incurred as a consequence of fraudulent transactions and the opportunity losses and resource costs incurred as a consequence of overly stringent procedures or buying options.


