With fraud affecting up to 5% of unfiltered Internet transactions for general merchandise, successful Internet merchants are taking steps to protect themselves. Let me explain the three basic fraud screening approaches open to small to medium-size enterprises (SMEs):
Basic AVS and Card Verification Code Screening
Rules-Based Fraud Screening
Neural Network Fraud Screening
Of course, systems don't always fit neatly into these three categories, but these distinctions will help you get a better picture of what your choices are as a merchant.
For SMEs, fraud screening systems are generally offered through your payment gateway provider. While it is possible to secure sophisticated fraud protection services independent of your payment gateway, it is difficult for two reasons:
Pricing for sophisticated fraud protection starts at about $500 per month
Your ordering system must be programmed to coordinate the information you receive. No off-the-shelf shopping cart program I know of is pre-programmed to coordinate fraud protection independent of the payment gateway.
Let's take a look at the various kinds of systems and their pros and cons.
1. Basic AVS and Card Verification Code Screening
Nearly all payment gateways will pass on the AVS and Card Verification Code results they receive from the credit card processor.
AVS (Address Verification Service)
AVS is available in the US and Canada at present and is gradually extending to some European countries. It takes the numbers in the street address field and the ZIP code field and compares them to the billing address the card issuer has on file. You get back one of three responses:
Y -- indicates a match. The address and ZIP matches are returned separately, so it is possible to get a match for only one of these.
N -- indicates a mismatch.
X -- indicates that the card-issuing bank doesn't provide AVS information to the credit card processor. This is usually the case for non-US addresses.
Once fraudsters have a valid credit card number from a given bank, they can generate other valid credit card numbers using a special mathematical formula -- without needing to steal a card. An AVS match indicates that the card number was probably not generated in this fashion. But sometimes credit card fraudsters can buy lists of stolen credit cards that include the cardholder's name and address, so an AVS match doesn't necessarily indicate a good transaction. On the other hand, a mismatch doesn't necessarily indicate fraud. People move, addresses change, and card-issuing banks don't always keep up. AVS, however, remains a helpful indicator.
Card Verification Code
The Card Verification Code is variously called CVV2, CVC2, or CID, depending upon the credit card company's particular terminology. Typically it consists of the last 3 or 4 digits printed on the back of the credit card in the signature field. It is against policy for any merchant or system to store these numbers. This system has been available since 1997, but only in the last year or two have shopping cart programs begun to offer this functionality on order forms.
If the processor finds a match between the credit card number and the CVV2, the merchant receives a Y. I find this reassuring, since it means (hopefully) that the purchaser had the actual plastic card in hand when the order was placed. However, I've found many good transactions where the CVV2 didn't match or wasn't given. And, I'm told that fraudsters can now buy lists of stolen cards that include the CVV2 number. However, I don't think I've ever run across a fraudulent transaction that had a positive match for the CVV2 number. I find it a very helpful indicator.
Some shopping carts and payment gateways allow merchants to reject orders that don't get full AVS and CVV2 matches. I think that's overkill and will cause the merchant to reject sales as a result of way too many "false positives," mistakenly rejecting perfectly valid transactions. Internet Retailer (6/23/2003) cited Jeff Foster of Retail Decisions USA, who reported that up to 16% of online orders were being blocked due to suspicion of fraud, costing merchants many times the value of the fraud.
My recommendation is to observe whether or not you get AVS and CVV2 matches, but not to base your entire decision on that factor. When in doubt, pick up the phone and call the customer. For more information on how to assess transactions manually, see my article "A Case Study in Order Fraud Detection," Web Commerce Today, October 15, 2002 (www.wilsonweb.com/wct6/fraud_detect.cfm).
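As an added illustration of the recommendation above (this is example code, not anything from the article or from a gateway), here is how an order pipeline can record the AVS and CVV2 responses and hold doubtful orders for a phone call instead of rejecting them. The response letters are the ones described above; the signal weights, the dollar threshold and the label names are assumptions for the example.

```python
# Added example: route orders on AVS/CVV2 responses without auto-rejecting.
# Response letters follow the article (Y = match, N = mismatch, X = issuer
# does not provide AVS). The weights, the dollar threshold and the label names
# are assumptions made for this illustration, not any gateway's policy.
from dataclasses import dataclass


@dataclass
class CardChecks:
    """What the gateway returns. Only the processor's match result is kept;
    the CVV2 value itself is never stored, since storing it is against policy."""
    avs_address: str   # "Y", "N" or "X"
    avs_zip: str       # "Y", "N" or "X" (address and ZIP are reported separately)
    cvv2: str          # "Y", "N", or "" when the customer did not supply a code


def screen_basic(checks: CardChecks, order_total: float, review_threshold: float = 200.0):
    """Return ("accept" | "review", reasons).

    Nothing here returns "reject": a mismatch is a signal to look closer
    (or phone the customer), not proof of fraud.
    """
    reasons = []
    weight = 0
    if checks.cvv2 == "N":
        reasons.append("cvv2_mismatch")
        weight += 2          # the strongest single signal in the author's experience
    elif checks.cvv2 == "":
        reasons.append("cvv2_not_supplied")
        weight += 1
    if checks.avs_address == "N":
        reasons.append("avs_address_mismatch")
        weight += 1
    if checks.avs_zip == "N":
        reasons.append("avs_zip_mismatch")
        weight += 1
    if checks.avs_address == "X" and checks.avs_zip == "X":
        reasons.append("avs_unavailable")   # typical for non-US cards
        weight += 1
    # Two independent signals, or one signal on a larger order, earns a manual look.
    if weight >= 2 or (weight >= 1 and order_total > review_threshold):
        return "review", reasons
    return "accept", reasons


if __name__ == "__main__":
    samples = [(CardChecks("Y", "Y", "Y"), 50.0),
               (CardChecks("Y", "N", "Y"), 500.0),
               (CardChecks("X", "X", "Y"), 80.0),
               (CardChecks("N", "N", ""), 30.0)]
    for checks, total in samples:
        print(checks, total, screen_basic(checks, total))
```

The point of the weighting is that a lone ZIP mismatch on a small order is accepted with the reason logged, while the same mismatch on a large order, or any two signals together, goes to a person.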
Just how important is it to move up to a more sophisticated fraud detection system? Paris Leung, a salesperson for CyberSource, put it succinctly: "Fraud screening doesn't mean much," he says, "when you can review each of your ten orders per day. But when you have 1,000 or 10,000 to review, then fraud screening is vital."
As your business grows, you have less time to individually review transactions for fraud. You have to find systems that will do this for you with a high level of confidence.
2. Rules-Based Fraud Screening
A second kind of system uses various "expert rules" to reject or flag for review suspect transactions. They use AVS and CVV2 data, but go substantially beyond them. A good example of this kind of system is VeriSign Payment Systems' new Fraud Protection Services. They offer their payment gateway clients an array of fraud filters that can be used to flag questionable transactions. See a list of these filters on their site (http://www.verisign.com/products/payflow/filterFeatures.html). Here are a few offered in their Advanced Package:
High dollar amount. The merchant can set an appropriate dollar cap which flags orders for review over that amount.
High item number. If the quantity of products ordered reaches a certain threshold, the order is held for review.
High risk BIN. The BIN (Bank Identification Number) consists of the first 6 digits of a Visa or MasterCard card number and indicates the identity of the issuing bank. Some banks have a high incidence of fraudulent credit cards being used. This filter flags them for review when set.
High risk ZIP code filter
Freight forwarder filter. Some fraudsters give as their shipping address a freight forwarder that ships products outside the US. This filter helps detect them.
US Postal Service address validation filter. Checks against a list of valid addresses in the US.
IP address risk list match. Helps merchants detect open proxy servers that are often used to hide a fraudster's identity.
E-mail service provider risk list match. Filters out e-mail domains most commonly used for fraud.
Geo location filter. Plots a longitude and latitude for the IP address and compares it with the billing address. Those that are too far separated geographically are flagged for review.
High risk country filter. Probably includes countries with a high incidence of fraud, such as Nigeria, Eastern European countries, Indonesia, etc.
International shipping/billing address filter, International IP address filter, and International AVS filter. Provide tracking for orders outside the US.
Merchants can also build their own negative and positive lists:
Bad and good e-mail addresses
Bad and good credit card numbers
VeriSign's system can be set up so that transactions identified by the various filters are either rejected outright or flagged for later review. In addition, VeriSign protects the merchant from hackers by doing port scans to detect open ports and by limiting the IP addresses able to access the account. They also help the merchant protect against internal fraud from employees, since they can restrict individuals who can issue credits, look for transaction patterns that might indicate fraud, and provide password management. So far, VeriSign hasn't developed the capability for compound rules (such as: if filters A, C, and D are positive, then reject the order).
Some rules-based systems also tie into databases that provide "velocity checks" that determine how many times a particular card has been charged in the last few hours -- sometimes an indicator of fraudulent use.
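To make the filters in this section concrete, here is a small rules-based screener as an added example. It is not VeriSign's product or any gateway's code; the thresholds, list contents, card numbers and coordinates are constructed for the illustration, and IP geolocation is assumed to have already been done (each order carries a latitude/longitude for the IP address and for the billing address). It also shows the compound rule the article says VeriSign had not yet built: several filters firing together can reject, while any single filter only holds the order for review.

```python
# Added example of a rules-based screener: not VeriSign's product or any
# gateway's code. Thresholds, list contents, PANs and coordinates are
# constructed for illustration; IP geolocation is assumed to be done upstream.
import hashlib
import math
from collections import defaultdict, deque


class RuleScreener:
    def __init__(self, dollar_cap=1000.0, item_cap=10, max_km=800.0,
                 velocity_limit=3, velocity_window_s=4 * 3600):
        self.dollar_cap = dollar_cap            # "high dollar amount" filter
        self.item_cap = item_cap                # "high item number" filter
        self.max_km = max_km                    # geo location filter distance
        self.velocity_limit = velocity_limit    # charges per card allowed in the window
        self.velocity_window_s = velocity_window_s
        self.high_risk_bins = set()             # first 6 digits of the card number
        self.risky_email_domains = set()        # e-mail service provider risk list
        self.bad_emails, self.good_emails = set(), set()   # negative / positive lists
        self.bad_cards, self.good_cards = set(), set()     # hold card tokens, not PANs
        self._card_history = defaultdict(deque)  # token -> timestamps of recent charges

    @staticmethod
    def card_token(pan):
        """Token used for list lookups and velocity history so the raw PAN is never kept."""
        return hashlib.sha256(pan.encode()).hexdigest()

    @staticmethod
    def km_between(lat1, lon1, lat2, lon2):
        """Great-circle distance (haversine) in kilometres."""
        p1, p2 = math.radians(lat1), math.radians(lat2)
        dphi = p2 - p1
        dlmb = math.radians(lon2 - lon1)
        a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
        return 2 * 6371.0 * math.asin(math.sqrt(a))

    def _charges_in_window(self, token, now):
        """Velocity check: charges on this card inside the window, including this one."""
        hist = self._card_history[token]
        while hist and now - hist[0] > self.velocity_window_s:
            hist.popleft()
        hist.append(now)
        return len(hist)

    def screen(self, order):
        """Return (decision, fired_filters); decision is accept, review or reject."""
        token = self.card_token(order["pan"])
        email = order["email"].lower()
        if email in self.good_emails or token in self.good_cards:
            return "accept", ["positive_list"]
        fired = []
        if email in self.bad_emails or token in self.bad_cards:
            fired.append("negative_list")
        if order["total"] > self.dollar_cap:
            fired.append("high_dollar")
        if order["items"] > self.item_cap:
            fired.append("high_item_count")
        if order["pan"][:6] in self.high_risk_bins:
            fired.append("high_risk_bin")
        if email.rsplit("@", 1)[-1] in self.risky_email_domains:
            fired.append("risky_email_domain")
        if self.km_between(*order["ip_geo"], *order["billing_geo"]) > self.max_km:
            fired.append("geo_mismatch")
        if self._charges_in_window(token, order["ts"]) > self.velocity_limit:
            fired.append("velocity")
        # Compound rule: a negative-list hit, or velocity together with a high-risk
        # BIN and a geo mismatch, rejects outright; anything else that fired is
        # only held for review, which keeps single-filter false positives cheap.
        if "negative_list" in fired or {"velocity", "high_risk_bin", "geo_mismatch"} <= set(fired):
            return "reject", fired
        return ("review" if fired else "accept"), fired


if __name__ == "__main__":
    s = RuleScreener()
    s.high_risk_bins.add("999999")          # constructed BIN for the demo
    nyc, la = (40.71, -74.01), (34.05, -118.24)
    order = {"pan": "9999990000000000", "email": "x@example.test", "total": 90.0,
             "items": 1, "ip_geo": la, "billing_geo": nyc, "ts": 0}
    for t in range(4):                      # fourth charge in the window trips velocity
        print(s.screen(dict(order, ts=t)))
```

Keying the negative list and the velocity history by a SHA-256 token of the card number, rather than the number itself, means the screener never has to hold a list of PANs; a matching order presents the same number and therefore the same token.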
PSiGate, WorldPay, and USA ePay also provide merchants with extensive rules-based systems.
3. Neural Network Fraud Screening
The third type of fraud screening builds on the databases and filters used in rules-based systems to generate the relative probability that any given transaction is fraudulent. This probability is developed using computer neural networks and is given as a transaction score.
A neural network is a type of predictive computer model that recognizes subtle, hidden, and newly emerging patterns within complex data. It is made up of a series of mathematical algorithms developed from studying millions of transactions, both valid and fraudulent, to determine which factors are most indicative of a fraudulent transaction and which are most indicative of a valid transaction. Then it weights individual variables in relationship to other variables in such a way that the final score strongly represents the probability of fraud. Here is a graph showing the way such a neural system is able to separate normal from fraudulent transaction data.
[Graph: separation of normal vs. fraudulent transaction data by the neural scoring system. Source: Falcon Fraud Manager for Merchants, http://www.wilsonweb.com/wct7/images/falcon_graph651x456.gif]
Typically, merchants can develop rules on top of the transaction score. For example, some business might want to block transactions from certain countries no matter what the transaction score.
Falcon Fraud Manager for Merchants (http://www.fairisaac.com/Fairisaac/Solutions/Product+Index/Falcon+Fraud+Manager/) from Fair Isaac Corp (formerly eFalcon from HNC Software) offers this service for online merchants through several payment gateways: Paymentech, Authorize.net, and, until recently, VeriSign Payment Systems. Falcon Fraud Manager for Merchants has refined its predictions within about 20 different vertical markets, since fraud factors can vary from one type of product to another.
Falcon provides a score for each transaction (1 to 999), and, for higher scores indicating probable fraud, up to three codes giving the reason for the high score. However, this information may not all get passed on to clients of payment gateways that resell the service. For example, Paymentech provides each transaction with a low, medium, or high risk indication rather than an actual score.
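The scoring idea in this section, as an added example that is not Falcon's or any vendor's model: a single logistic unit (the simplest building block of a neural network) is trained by gradient descent on a constructed, labelled set of transactions, the resulting probability is mapped to a 1 to 999 score with up to three reason codes, and merchant rules such as a country block are layered on top of the score, as the article describes. The feature names, the training data and the thresholds are assumptions for the illustration.

```python
# Added example: a minimal scoring model standing in for the neural scorer the
# article describes. One logistic unit trained by gradient descent on a
# constructed labelled set; feature names, data and thresholds are assumptions
# for illustration, not Falcon's or any vendor's model.
import math

FEATURES = ["amount_over_500", "avs_mismatch", "cvv2_mismatch",
            "geo_mismatch", "velocity_high", "risky_email_domain"]

# Constructed training set: feature vector (0/1 per FEATURES entry) and label
# (1 = fraudulent, 0 = valid). Single signals appear among valid orders too,
# which is exactly why screening on one rule at a time produces false positives.
TRAINING = [
    ([1, 1, 1, 1, 1, 1], 1), ([1, 1, 0, 1, 1, 0], 1), ([0, 1, 1, 0, 1, 1], 1),
    ([1, 0, 1, 1, 0, 1], 1), ([0, 1, 1, 1, 0, 0], 1), ([1, 1, 1, 0, 1, 1], 1),
    ([0, 0, 0, 0, 0, 0], 0), ([1, 0, 0, 0, 0, 0], 0), ([0, 1, 0, 0, 0, 0], 0),
    ([0, 0, 0, 1, 0, 0], 0), ([1, 0, 0, 0, 0, 1], 0), ([0, 0, 1, 0, 0, 0], 0),
    ([0, 0, 0, 0, 1, 0], 0),
]


def _sigmoid(z):
    z = max(-30.0, min(30.0, z))          # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-z))


def train(data=TRAINING, lr=0.5, epochs=3000):
    """Batch gradient descent for logistic regression; returns (weights, bias)."""
    n_feat = len(data[0][0])
    w, b = [0.0] * n_feat, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n_feat, 0.0
        for x, y in data:
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i, xi in enumerate(x):
                gw[i] += err * xi
            gb += err
        w = [wi - lr * gi / len(data) for wi, gi in zip(w, gw)]
        b -= lr * gb / len(data)
    return w, b


def score(model, x):
    """Return (score 1..999, reason codes): the up-to-three features that
    contributed most to a high score, which is what a reviewer needs to see."""
    w, b = model
    p = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
    contrib = sorted(((wi * xi, name) for wi, xi, name in zip(w, x, FEATURES)
                      if wi * xi > 0), reverse=True)
    return 1 + round(p * 998), [name for _, name in contrib[:3]]


def decide(country, transaction_score, blocked_countries=frozenset(), review_at=600):
    """Merchant rules layered on the score: a blocked country is rejected no
    matter what the score; high scores go to manual review; the rest are accepted."""
    if country in blocked_countries:
        return "reject"
    if transaction_score >= review_at:
        return "review"
    return "accept"


if __name__ == "__main__":
    model = train()
    for x in ([1, 1, 1, 1, 1, 1], [0, 0, 0, 0, 0, 0], [0, 1, 0, 0, 0, 0]):
        s, reasons = score(model, x)
        print(x, s, reasons, decide("US", s))
```

Because the training labels put single-signal orders on the valid side, the trained weights make one AVS mismatch score low while several signals together score high, which is the reduction in false positives that the Fair Isaac quote later in the article claims for neural scoring over one-rule-at-a-time filters.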
SureFire provides Falcon scoring to their customers.
ClearCommerce Risk Management Hosted Service (http://www.clearcommerce.com/solutions/hosting.html) is another such neural network risk management system, traditionally offered to large retailers. A new service catering to SMEs has been launched, available for Mercantec SoftCart and others. ClearCommerce FraudShield combines rule-based detection, neural network risk scoring, merchant configurable velocity checks, negative and positive databases, IP-based geolocation, etc.
ClearCommerce fraud detection solutions are also offered through merchant acquirers and service providers, including First National Merchant Solutions, LinkPoint, and NPC.
A similar approach that's been serving Internet businesses the longest is CyberSource (http://www.cybersource.com), which gives an overall score (1 to 99) based on the fusion of three tests: merchant-selectable expert rules, a Visa Matrix model, and a neural model. It is also sensitive to inconsistencies resulting from IP address, physical address, and phone number mismatches. CyberSource serves a number of merchant needs, including an international payment gateway, tax and shipping calculations, and fraud screening.
It has shown real strength in Europe. In particular, CyberSource supports non-credit card transactions that are common in several countries, such as bank transfer, Giro, etc. When they sell their payment gateway and fraud screening services directly, CyberSource charges a $995 one-time set-up fee and transaction fees of 15.3¢ for Visa, 18¢ for non-Visa cards. Merchants must pay a minimum of $495 per month in fees. For merchants at a lower level of transactions, CyberSource resells its services through other companies that sometimes rebrand them -- Citicorp, CrimsonBow.com, Miva, and Capitol Advantage. CyberSource is available as a payment gateway using plug-ins for Able Commerce and Miva shopping carts.
CyberSource also offers a low price plan of $145 for up to 2,500 transactions per month, plus 30¢ for additional transactions.
Another player in the neural network arena is Retail Decisions (RED, http://www.redplc.com/), which has typically served larger retail customers. Payment gateways that offer neural network fraud screening include Authorize.net ($20 per month plus 20¢ per transaction), CyberSource, Paymentech, and SureFire Commerce.
Rules Based vs. Neural Networks
I asked various company representatives to compare rules-based approaches to neural network systems. Steve Manning, Senior Product Manager at VeriSign Payment Services and owner of their security risk product, explains some of the reasons VeriSign developed its own rules-based system and dropped support for Falcon.
"Scoring systems are designed to be black boxes," Manning says. "You send in a transaction and out comes a number. Most merchants don't know what to do with that number. Black boxes are not intuitive to use and not very instructive. SMEs don't usually have in-house expertise that allows them to help them interpret those scores."
Jim Bishop, Product Specialist with Fair Isaac's Falcon Fraud Manager for Merchants, sees it another way. "False positives are incredibly high with rules-based systems," he says. "Neural networks cut the number of false positives. For large companies that might flag 2% of their total transactions for review, these false positives get pretty expensive. Our neural network system can cut fraudulent transactions to about 0.5% without lots of rules. Because of that we offer scalability. Our merchants don't get buried with transactions at Christmas, while merchants with rules-based systems are often overwhelmed."
The Bottom Line
What's best for you? If you have only a few dozen to a few hundred transactions per day, a rules-based system is likely to work fine. But the more transactions you deal with, the greater the advantage of a system that includes both neural network scoring as well as merchant-selected rules.