F OCUS ON F RAUD This May Be the Best Strategy to Reduce Online Risk

by Stephan Barney raud losses continue to plague online retailers, even though some recent statistics suggest that the tide is turning. A new F study by fraud analysts explores an innovative new data enhancement strategy to help make mitigating fraud risk a reality. n the face of it, online More at Stake A Dearth of Useful Information fraud appears to be In actual dollars, fraud losses Online merchants face two Odeclining—at a limited are growing as the volume of busi- concurrent challenges in fighting rate. Charge-backs due to fraudu- ness conducted online continues to fraud. First, they typically rely on lent activity decreased in 2003, increase dramatically. Online con- a limited amount of internal and according to the Merchant Risk sumer purchases were up 25-30% order information that is not Council (MRC), a nonprofit mem- in 2003 (U.S. Department of always effective in detecting bership organization that works to Commerce) and are expected to fraudulent transactions. For exam- protect and encourage secure rise at a similar pace for the next ple, the information provided in online commerce for merchants several years. an online order is usually limited and consumers. In the MRC’s Online fraud also imposes hid- to name, address, phone number, 2003 member survey, only 10% of den costs that go well beyond actu- and number, and a respondents reported fraudulent al dollars charged back. Revenue is merchant’s internal database may charge-back rates greater than 1%, lost when legitimate orders are only tell them if the customer has compared to 18% of respondents turned away because they look sus- previously ordered from the site. in 2002. However, the MRC sur- picious and can’t be quickly veri- Second, cyber criminals are grow- vey also reported that, in general, fied. Manual review rates are ing increasingly sophisticated in merchants are spending higher trending up, tying up staff time and their efforts to exploit the vulner- rates of their revenue on fraud delaying shipping—a particularly abilities of card-not-present prevention, with 17% of mer- unwieldy dilemma for large mer- (CNP) transactions. chants spending greater than 2% chants. And now, tighter restric- Could new sources of real- on fraud prevention in 2003, ver- tions by some credit card issuers time, automated data put the sus 13% of merchants in 2002. are adding new pressure to reduce power back into retailers’ hands? charge-backs and avoid penalties. That’s the question Experian

© 2004 by RMA. Stephan Barney is director of business development for Experian’s Fraud Solutions organization based in Costa Mesa, California. He has more than 13 years of experience in financial services and data management with a focus on credit and fraud risk management. Currently, he is responsible for transferring the risk management les- sons learned from the financial services industry to new markets, specifically card-not-present merchants and retailers.

50 The RMA Journal October 2004 This May Be the Best Strategy to Reduce Online Risk fraud analysts addressed in a fraudulent—this has been proven. ments were then ranked in order recent study, Optimizing Data Typically, online merchants of overall fraud detection rates Sources to Prevent Online Credit rely on front-end information to from best to worst. Card Fraud. This groundbreaking identify potential fraud by check- The most highly predictive analysis reveals that the best ing: external attributes included the defense against CNP fraud is to • Order data, such as name, following: incorporate external data into the address, shipping priority, and • Do the customer’s name and fraud detection and decisioning bill-to versus ship-to address. phone number match the process. For example, do the • Credit card data, such as card billing address? name and addresses that are being verification number (CVN) • Does the Protocol supplied seem to be a valid com- match and stolen-card lists. (IP) location match the billing bination? Are any of the addresses • Internal positive and negative address? high risk, such as mail-box stores, databases. • Is an IP anonymizer being hospitals, libraries, prisons, or These simple checks are most used? freight-forwarding companies— effective for customers who have • Is the credit card number ver- the types of addresses typically previously shopped at the mer- ified to the customer’s name used by fraudsters? Does the con- chant’s site. However, for a new and address? sumer own the card that is being customer or a repeat customer • Has the billing or shipping used? Has the consumer activated using a different billing address, it’s address been associated with fraud alerts? difficult to make a judgment call known fraudulent activity? Bear in mind that from a reg- without looking at external data. By incorporating this kind of ulatory perspective, using data for Otherwise, even with high manual external data into the decisioning identity verification and fraud review rates, many orders will be process, many more are detection is much different from turned away because of insufficient uncovered than by using inter- using data to make a credit deci- decisioning information. nal/order data alone. Segments sion. Merchants are not extending where customers raised red flags credit, only ensuring that the Combining Internal and External on these attributes had fraud rates requested transaction is legitimate Data ranging from 4.5% to 23%. This and that customers are who they The Experian study focused can be compared to internal/order say they are and live where the on actual transaction data from two attributes, for which the individ- merchandise is being shipped. major online retailers. The compa- ual fraud rates averaged around Many merchants don’t reach nies’ internal and order data were 2%. for data beyond their own walls to combined with predictive external • In the highest-risk segment, 54 determine the legitimacy of the attributes to determine an optimal frauds were found, compared most basic information supplied fraud prevention strategy. to 16 valid orders, equating to by the consumer. But CNP mer- Statistical tools were used to a fraud rate of 77%. chants need to ensure that the help identify the most predictive • The lowest-risk segment in consumers they’re dealing with set of internal and external data the study had six frauds ver- are who they say they are and that attributes and to combine them to sus 2,369 valid orders, equat- they are providing legitimate create several “risk-based” seg- ing to a fraud rate of 0.25%. information. They have to be sure ments. These individual segments In both segments, the pri- that all of the different pieces of displayed varying fraud rates. mary factor was the level of cus- customer ID and other data are in Some were seen to predict high tomer and address authentication sync. When pieces are missing, numbers of fraud accounts with present. Secondary factors includ- incorrect, or don’t match the data- low false positives, while others ed whether the credit card could base during the authentication were seen to predict high levels of be verified with the name and process, there’s a much higher genuine transactions with low address supplied, the shipment probability that the transaction is fraud volume. The individual seg- type, and the payment type.

51 This May Be the Best Strategy to Reduce Online Risk

streamlining of the order I N THE STUDY, THE VERIFICATION SCORE DETECTED process. • The performance of order, 31% MORE FRAUD IN THE WORST-SCORING 20% OF consumer, and internal data CUSTOMERS THAN WOULD HAVE BEEN IDENTIFIED does not vary significantly across merchants. USING ONLY INTERNAL AND ORDER DATA. In the Experian study, the best combination of a merchant’s Card-Not-Present Score Provides A number of useful observa- internal data alone identified tions came out of this study, indi- 31% Improvement 53.1% of total fraud in the worst- The most predictive attributes cating a new and more promising scoring 20% of customers. When can be evaluated separately, but avenue for reducing online fraud: external data was added to • Optimal risk prevention can this is not very useful for time- enhance the decisioning process, sensitive Internet retail operations. be achieved by using internal, 84.1% of total fraud was identi- To make the information easy to order, and external data. fied—a 31% lift. Ì use, the study included the devel- • Segmentation can better opment of a CNP identity score define risk to help prioritize Stephan Barney may be contacted that synthesized the most relevant actions. by e-mail at data into a single number—essen- • Shared fraud data from other [email protected]. tially the higher the score, the industries is highly predictive. lower the level of risk in approving • Combining external and the transaction. This powerful internal data in the form of a score, which amalgamates both CNP-based score significantly internal and external data, can increases fraud detection rates reduce manual review significantly while decreasing manual and identify more fraud, with reviews. fewer false positives. • CNP-based scores have the In the study, the verification added benefit of allowing score detected 31% more fraud in high-risk or suspicious orders the worst-scoring 20% of cus- to be prioritized in order of tomers than would have been risk, allowing for additional identified using only internal and order data. This represents a siz- Figure 1 able lift (i.e., statistical improve- Lift of Using Internal, Order, and External and Data ment) in fraud identification with 100.0% no resulting increase in manual 84.1% of total reviews. fraud identified 80.0% An additional benefit of a Area represents lift of 31% over internal and order data score-based approach is that the 60.0% 53.1% of total score can be used to drive deci- fraud identifiedInternal and order data sion strategies. For example, a Cumulative fraud % 40.0% score representing a medium Enhancement with external data 20.0% level of risk may lead to an order being accepted if it relates to a 0.0% 0.0% 20.0% 40.0% 60.0% 80.0% 100.0% low- value purchase or rejected if Cumulative total % it relates to a high-value purchase Example: The best combination of a merchant’s own data identifies 53.1% of or a high-risk good, such as a plas- his or her total fraud at the worst-scoring 20% of the population—incorporation ma TV. of external data identifies 31% more of the total fraud.

52 The RMA Journal October 2004