opinion
Jane Crossley reviews some CNP Fraud Prevention techniques.
The arrival of the internet has been the catalyst to one of the largest retail revolutions in history. Broadband proliferation has provided consumers an instant and accessible marketplace in which to shop, and the relative ease of paying for goods and services purchased online has resulted in a massive increase in the number of transactions taking place.
But whilst the internet presents brands with a fantastic opportunity to connect with vast numbers of customers, the increase in online shopping has served to compound an existing problem - that of card not present (CNP) fraud. CNP fraud is exactly what it says on the tin so to speak; instances of fraud that are committed during a transaction where the customer is not present. Mail order and phone transactions can result in CNP fraud, as of course can all transactions which take place over the internet.
Whilst the implementation of chip and PIN in the UK has seen significant success in deterring fraud at the counter, it has had little bearing on the prevention of home grown CNP fraud cases. CNP fraud losses increased by 37 per cent last year, and now account for more than half of all card fraud losses. This is somewhat expected considering the huge and continued increase in online shopping, where the value of online shopping transactions alone increased by 358 per cent (up from 6.6 billionGBP in 2001 to 30.2 billionGBP in 2006), yet still represents an unacceptable loss for UK retailers.
Consumers are themselves becoming all too aware of this very real threat, with APACS figures showing an increase in the number of individuals who have signed up to specially designed card protection services such as Verifired by Visa and Mastercard SecureCode. The result of this rise means that well over 10 million cards are now protected by these systems; a seemingly encouraging statistic until we remember that there are around 140 million credit and debit cards currently in use in the UK.
Yet whilst some consumers recognise the threat of fraud and make efforts to combat it, the majority are not taking advantage of the preventative measures such as the card protection services mentioned above. And why should they? These services require the consumer to register and set up a password which will be requested as a means of verification during every online CNP transaction they make. If they are a victim of fraud and flag it up early enough, the cost will be passed on to the retailer; the only hardship for the consumer is the inconvenience of having to cancel their card. Without any reason to want to engage in these processes, most people will happily chance their luck, hoping that they won't become a victim. These verification systems are also generally specific to online transactions, so leave consumers and brands vulnerable during other CNP transactions by phone and mail order.
If they are used, card protection schemes provide another safeguard for both the consumer and the brand, but brands need to tread carefully when presenting such a system. Customers could be put off and choose to shop elsewhere if faced with a verification system they don't want to use and don't have to use elsewhere, so enforcement isn't a straightforward practice. Beyond this, brands need to look at other ways of reducing fraud.
As we've seen, CNP transactions include all of those conducted over the telephone, mail order and via the internet. In a typical case the fraudster will give details of a valid card which at that time is in the cardholder's possession. As it's the brand's responsibility to take the customer's details during any transaction, it is the brand that will be liable for all charge backs, with the potential to result in significant costs when fraud does occur. CNP fraud is now also a much more significant issue to brands that trade through the internet because of the increasing volume of transactions taking place, and the growing value of these transactions. As consumers have embraced the internet, they have become much more accustomed to making larger purchases online, resulting in much heavier losses for brands when fraud does take place.
There are a number of ways that brands can protect themselves during these potentially risky transactions. Card issuers offer two services, one of which is the address verification service (AVS) which verifies numeric parts of an address and cross checks them with the bank details held on file. The other is the card security code (CSC), which verifies the security code printed on the signature strip of the card. This code does not appear on the magnetic strip of the card and so this method at least assures the brand that the consumer actually has the card in their possession during the transaction. With these systems, the onus is again on the brand to decide whether to proceed with each individual transaction, basing this decision on the information that they receive from the card issuer.
However, there are significant flaws with both these two systems. Firstly CSC assumes that the card has not actually been lost or stolen, and has simply not yet been reported by the consumer. And AVS can easily be bypassed if the fraudster has access to the address details of the cardholder. Whilst no system is perfect, these precautions are a step in the right direction, and having them in place is, at the bare minimum, a deterrent to those that are attempting fraudulent CNP transactions.
Another step taken by many brands is to stipulate that goods can only be delivered to the cardholder's address, as a means of limiting the locations to which fraudsters can have goods delivered. Whilst a potential deterrent this isn't always practical from a customer services point of view. Often a consumer will require goods to be delivered to an address that's most convenient for them, whether this be their home or work address, or because the purchase is a gift for a friend or family member, who lives at a different address.
However, there are a number of other methods of fraud prevention that brands can employ themselves to further bolster their CNP defences.
Using a form of analysis based on postcode information has proven to deliver significant results. A brand can employ postcode indicators that highlight those areas that are deemed high risk, based on known cases of fraud and other social and economic factors. Transactions that originate in an area that has been flagged as a high risk can undergo more rigorous verification process, perhaps requesting additional information from the cardholder to further prove the validity of the transaction. In other cases the brand may instead adopt a different delivery strategy, stipulating at this point that the delivery must be made to the cardholder's address on file.
Being able to cross reference the cardholder's address with the delivery address allows brands a greater freedom in deciding if the delivery should be made without further question. Where there are significant differences between the two, it makes sense to intervene and ask the customer further questions to ensure the validity of the purchase. And by only investigating those that pose the highest threat, the retailer is then able to maintain a slick verification process for consumers in those areas that are less of a risk.
The development of fraud protection models can also engender positive results. These models use previous examples of fraud to identify accurately which transactions are more likely to include instances of fraud. Again the ability to highlighting these 'at risk' transactions, additional methods of verification can be implemented, without the need to increase verification across the board. This method is obviously important from a cost savings perspective, as it pinpoints only high risk transactions, negating the need to invest in additional verification for every transaction that takes place. It can also be self fulfilling, becoming a source of identified and prevented fraud cases to further enhance the fraud model.
In a campaign with an electronics brands we used a generic fraud model to screen online transactions. 50% of fraud cases were identified in the top 10% of the file and 80% of cases in the top 20%. These results were further refined by developing a bespoke model based upon the company's own file of previous fraud cases. The brand in question used both fraud models and postcode level address checks. As a result they delivered not only a decrease in fraud cases, but an improvement in delivery times to the customer as a result of the work. It also ensured the company's policy of delivering to alternative addresses could be continued by negating the fraud risk associated with this practice.
In the ongoing battle with fraud, one could suggest that a brand can never have too many methods of fraud prevention in place. But efforts to reduce cases of CNP fraud must ensure an acceptable balance is struck between the losses incurred as a consequence of fraudulent transactions and the operating costs of overly stringent procedures. This balance also needs to take customer service into account, making a clear distinction between the need to request additional verification on some transactions with making the purchasing process as quick and efficient as possible for the consumer. Ultimately, just like rain in the summer, all brands need to understand that there will always be a certain level of fraud present that cannot be prevented. But this needn't be a significant amount if the right defences are employed.
Click here to view a PDF of the article as it appeared in the magazine
Click here to download Adobe Reader for free
