Here's How CyberSource Does It
Evaluating Online Credit Fraud Fraud With Artificial Intelligence
Vice President, CyberSource, San Jose, California
Web Commerce Today, Issue 11, June 15, 1998
Internet merchants are often amazed to find that fraudulent and non-approved credit transactions may comprise as much as 39% of total attempted orders. On the Internet it’s easy for someone to hide behind an assumed or stolen identity. In this "blind" environment a stolen or made-up credit card number combined with a stolen address or phone number can defeat traditional card authorization and AVS (address verification). In addition, AVS does not apply to international orders, which for many Web businesses constitutes a large percentage of their potential transaction volume. Many merchants have chosen to not accept orders from outside the US due to their fears of fraud.
The key is not to focus on the validity of the card, but rather the identity of the user and validity of the provided information -- in real time. To be effective, the solution must be fully automated. It must be fast, unobtrusive and flexible to adjust to the merchant’s business profile; and, it optimally leverages the experiences of merchants across the Internet to help identify fraud patterns beyond those experienced by a single merchant.
Automating Identity Validation
To do this with confidence and efficiency for hundreds or thousands of orders a day requires a detailed transaction history database coupled with a sophisticated, real-time artificial intelligence (AI) scoring system. The first step in developing such a system is to understand the "footprints" of Internet fraud. Once understood, fraud profiles can be developed and evolved, providing a basis for fraud detection using AI techniques. AI is then used to evaluate each order and assign a "risk score." This score is compared against a pre-determined score threshold, thereby enabling order acceptance or rejection in real-time.
Internet thieves do leave characteristic footprints. For example, many businesses see fraud rates increase at certain times of the day, and orders coming in from certain countries exhibit a higher percentage of fraud. Repeated attempts with slightly varied card numbers, different names and so on raise red flags. A shipping address different from the billing address is also a possible indication of trouble (although not for all businesses), as is an IP address at variance with other data. Because these "clues" do not carry equal weight, and are weighted differently in different businesses, the scoring methodology used by an automated system must be flexible enough to accommodate the uniqueness of a particular business.
A Merchant Controllable AI System
One such system, IVSTM from CyberSource, allows merchants to adjust their "score threshold" (e.g. the level of risk they wish to accept) as well as how various factors are to be weighted when calculating the risk score. When an order is received, the system reviews the order profile and transaction history, assigns weighted scores and compares those scores against a merchant’s pre-defined threshold -- the higher the score, the higher the risk that the attempted transaction may be fraudulent. With this approach, the merchant is able to determine the level of risk he wishes to accept.
The system captures 18 to 33 variables for each transaction and its AI logic performs 150 operations on that data to calculate a score. It also checks for similarities with other orders across the base of Internet merchants, such as an order coming in with a different name, card number and street address but using the same e-mail account as a previous order. All of the checking and scoring is accomplished in less than five seconds.
The downside of any fraud prevention system is potentially rejecting "good" orders, sometimes called the "insult rate." However, better automated systems provide for merchant adjustment and fine tuning, so such drawbacks are managed to an acceptable level (just as call centers seek a certain level of "busy outs" and "wait time" to maintain a balance between customer service and staffing expense).
AI Systems Get Smarter Each Time
The power of an artificial intelligence approach, when combined with shared experience database, is that the system grows "smarter" with each new transaction.
Each merchant taking advantage of the service benefits from this dynamic, drawing on the experiences of other merchants across the Web in pinpointing telltale signs of fraud. Manual checking methods, or proprietary single-merchant automated methods, lack this benefit and, consequently, the accuracy of this and similar techniques.
Across the base of customers using CyberSource’s IVS technology, 12.5% of all orders are scored out, equating to 25.8% of the dollar amount. Fraudulent orders are managed to within 1%. Had these merchants only used AVS, less than one-sixth (only about 15%) of the high risk orders would have been identified.
Steven W. Klebe is vice president for business development of CyberSource, 550 S. Winchester Blvd., Suite 301, San Jose, CA 95128, phone (408) 556-9100, e-mail stevek@cybersource.com. CyberSource (http://www.cybersource.com) provides fraud screening services for some of the highest volume merchants on the Web, including Symantec, OnSale, and others.
