They say it's an ill wind blows no good. Such may be the case with credit card fraud, with banks collecting the windfall. Many large banks are trying to provide the wherewithal for their merchant customers to operate online as the proverbial one-stop shop for e-tailers. Such banks offer services that range from Web site design and hosting to acquiring online credit card transactions to providing cyber-merchants with checking accounts.
With the intense publicity given Internet fraud lately, the time seems ripe for banks to add fraud detection to their range of e-merchant services. Indeed, anti-fraud technology vendors report an increase in banks' interest in reselling that fraud software or referring their merchant customers to the vendor in question.
This year marked a shift in attitude toward the use of credit cards on the Internet. Fears about online credit card use seemed to peak a few years ago, consumer confidence translated to more than $7 billion in holiday shopping on the Web last year, and then the tone changed as various incidents of fraud surfaced early this year. Just before BTN went to press in early June, Microsoft Corp., Intel Corp., America Online and others were testifying before the Federal Trade Commission on ecommerce concerns, including how online credit card fraud might be reduced.
The renewed focus on fraud follows several highly publicized cases, one involving Microsoft. The Redmond, WA, computer giant would be expected to know something about online security, yet it took a $6 million charge to cover first-quarter fraud on its Expedia travel Web site. Some 485,000 credit cards were fraudulently used on Expedia.com after cardholder information was stolen from other ecommerce sites, Microsoft says.
Few merchants could survive such a hit. Almost all are worried, as emerged in a survey conducted late last year by CyberSource Inc., a San Jose, CA, vendor that entered the fraud detection business out of necessity. In its original role as online software vendor, back in 1994, it had more fraudulent transactions than legitimate ones. Most merchants (75%) told CyberSource they were very worried about fraud, and many (41%) did not know that they would almost certainly be liable for any fraudulent transactions on their Web site. (The burden of proof is on the merchant in any so-called "card not present" transaction, whether it occurs through the Web, the mail or a call center.)
Banks arguably have an opportunity to help their merchant customers in their hour of need, or-more cynically put-to avoid a customer backlash. As Avivah Litan, a research director with GartnerGroup, Stamford, CT, said recently: "Ecommerce can't go on like this. There's a lot of resentment against the credit card associations, among small merchants especially."
A number of banks are stepping in to stem the damage. In addition to providing tips and software to detect fraudulent transactions, banks are educating their merchants on how to store customer information safely or offering to store it for them.
Fleet Financial Group (now Fleet Boston Corp.) began hosting ecommerce educational seminars for merchants about a year ago, the latest taking place last month in Providence, RI. ABN Amro Corp. recently compiled a proprietary report on the prevalence and prevention of Web-based card fraud for its merchant customers. Sarah Billings, vice president and ecommerce strategic manager with the bank's Chicago-based U.S. subsidiary, says its merchant customers are "scared" and "very interested in benchmarking their fraud experiences."
Estimates on the prevalence of online fraud range widely, from 2% for physically shipped, low-value items to a reported 40% for instantly downloaded purchases, such as software and pornography. Despite big differences across different retail sectors, there had been something of a consensus that the overall average rate of credit card fraud was around 5% of online shopping, which would equate to about $1 billion worth in 1999, notes Ken Kerr, senior analyst with Gartner. The $5 of fraud per $100 spent online compares with a variously estimated six-to-nine cents of fraud per $100 spent offline.
One reason for the discrepancy in fraud rates online and off is that "real world" fraud declined throughout the 90s as fraud detection software was increasingly deployed. In the real world, where banks bear most liability for fraud, both banks and the bank-owned card associations have used the fraud detection software directly. In the case of Internet fraud, the wholesale side of the bank, often its merchant acquiring unit, offers fraud prevention services to its customers.
Preliminary results from a merchant survey conducted by Gartner suggests that Internet fraud may be lower than is commonly thought. Contrary to the consensus figure of 5% of online purchases being fraudulent, Gartner found an average of 2.5% of transactions result in chargebacks, only 1% of which is outright fraud (stolen credit card information used online). The rest is the result of legitimate consumer disputes, possibly with some so-called "friendly fraud," where consumers lie about not receiving goods they paid for.
However, Kerr admits that Gartner has not yet established how many of its survey respondents already use fraud detection software. It's possible that many do, meaning that the 2.5% chargeback rate is artificially low, he says. Gartner spoke to almost 200 merchants that sell partly or wholly online, including both small and large businesses. CyberSource, for instance, says that users of its fraud detection service can reduce Web fraud to less than 1% of total transactions.
There are other reasons, besides fraud detection, for why online fraud is higher even than that in other card-not-present channels. The scale, anonymity and immediate delivery potential of the Internet make it a tempting forum for a thief, who can rapidly buy items worldwide, all without leaving home. Purchases by foreigners from sites in the Unites States have been particularly problematic because the thieves are operating outside of U.S. jurisdiction.
The commonest method of fraud is stealing information on credit cards- from a merchant database, a dumpster containing financial documents, an unscrupulous store clerk peddling consumers' charge details or whatever. However, the cyber-thief may even more easily obtain this information online.
"As scary as it sounds," says Tom Spillane, director of marketing with fraud detection software firm Nestor Inc., Newport, RI, "you can, for instance, go to www.creditmaster.com, one of several sites that generate seemingly legitimate credit card numbers." Of merchants CyberSource polled that had been defrauded, such number-generating sites were the cause 10% of the time.
Billings says that software ABN Amro now offers to its merchants can tell whether a card number came from one of those sites-a capability that surprised Nestor's Spillane. The first of about a dozen merchants were going live at press time with the software ABN Amro co-branded with First Data Corp. The underlying software, FDC's SurePay, is an Internet payment gateway with fraud detection software, announced late last year. The bank's representative at FDC, a huge Minneapolis-based card processor, did not return BTN's calls.
Unlike many of the best-known fraud detection systems, SurePay is not, Billings says, a neural network, which is a form of artificial intelligence that allows a software system to continuously learn by picking out patterns in data. CyberSource, faulted by some competitors for not having a neural network, says it added in January a neural net developed by Visa USA to the rules-based system CyberSource originally had. Others with neural networks are Nestor and HNC Inc., San Diego, both of which have adapted fraud detection software they traditionally provided to card issuers for both merchants and their acquiring banks.
Vendors origins varied
Vendors of the new credit card fraud detection system are either neural net specialists from the card issuing side, such as Nestor and HNC; providers of Internet gateways, such as CyberSource and FDC; or operators of shopping sites, such as Seattle-based ShopNow Inc. ShopNow, which operates a co-branded site with Chase Manhattan Bank, www.chaseshop.com, says that site soon will use fraud detection software created by ShopNow. (A Chase spokesperson contacted was unaware of such plans.)
There's some debate as to which type of provider is best placed to detect Web fraud. Those whose history is in ecommerce (payment gateways and shopping sites) say they know the new online shopping field while those traditionally in the neural network business cite their expertise in that specialized technology. CyberSource had the detailed transaction history of online purchases that's needed to build predictive models, yet it sought Visa's experience in neural networks. Conversely, those that have worked on the bank side of the card business lack Web transaction history, though some may be resolving that through alliances. For instance, HNC presumably will gain more Web knowledge from forthcoming work with CyberCash Inc., a popular Internet gateway. Oakland, CA-based CyberCash told BTN that it will use HNC for fraud detection later this year.
When it comes specifically to the role of reselling fraud detection software through banks, vendors that already work with banks on the issuing side have an advantage in principle. "It does make a name for you and a lot of the banks like to work with one supplier," says Nestor's Spillane. "We've got contracts on the table at many of the big banks," he says. A payment gateway client is shortly to be announced, he adds. Card processor, Transaction System Architects became a client in May, and Nestor is rumored to have signed Bank of Ireland, one of Ireland's two largest banks. PRISM eFraud's first client, when it was introduced in January, was eSuccess, a Seattle-based online gambling provider.
However, Alan Jost, vice president of Internet risk management with eHNC, HNC's Web division, suggests traditional bank vendors don't have a "shoe-in" because of a disconnect within the banks. "Unfortunately," he says, "not a lot of issuers in the U.S. are also acquirers." The prospects are better overseas, he notes, with almost all banks that issue cards to consumers also processing card transactions from merchants.
"We would love to have banks that are acquirers package eFalcon forthe merchant," says Jost, adding that "there are some reselling deals in the works." eFalcon is HNC's neural network for detecting Internet fraud.
Self-servingly, perhaps, he makes what is nonetheless a logical argument for banks' intervention: "Banks have a real customer service issue with the whole online fraud problem. If something looks suspicious to the Net merchant, he will turn a customer down without ever sending the transaction through for approval. So when the customer calls his bank complaining that his card was rejected online, the bank doesn't even know about it."
Accurately identifying the con without risk of rejecting a good customer in error is a major concern of merchants. It is merchants' (78%) main source of apprehension regarding the use of fraud detection software CyberSource found in its poll last September.
It's an old technology debate whether automated credit, loan or similar decisions are best made by rules-based systems, which eliminate candidates based on a single attribute, or by neural nets, which arrive at a total score by weighing their pros and cons. The system user generally determines which rules to apply (say, outright rejecting all orders from Romania) or which score to use as the threshold to accept an order.
Some providers, such as CyberSource and ShopNow, combine the outcomes of the rules-based system and the neural net to provide a total score. For example, in creating E-Fraud ShopNow added its rules to eFalcon. Ultimately, the system produces a real-time score between 0 and 99, with a higher number indicating a higher likelihood of fraud. Bill Pittman, chief technology architect for ShopNow.com, says E-Fraud halved the fraud experienced by the site's 60,000 merchants since it went into use last November.
Fraud detection software is generally not licensed, but offered as a point-of-sale service, paid for through a combination of sign-up fees plus either flat monthly payments or per transaction charges.
The type of information these systems gather and weigh in search of fraud indications include the location of the user's computer (indicated by his Internet Protocol address), his email address, how many shopping sites he has visited, how many orders he has placed and whether he has asked for rush delivery. "If the billing address is in California, the shipping address is in Arizona, and the IP address is in Poland, either this guy is a Delta pilot or he's stolen someone else's credit card," comments William Donahoo, CyberSource's vice president of marketing.
In the absence of fraud detection software, merchants' main defense is the address verification system (AVS), which checks if billing and shipping address correspond. However, it doesn't work for overseas' orders. That's a growing problem as business goes global and given Spillane's observation that "there are sophisticated criminal syndicates, many funded by foreign government's, such as Nigeria's."
Debra Rossi, executive vice president of Wells Fargo & Co., San Francisco, still considers AVS useful-especially with, she estimates, 95% of Wells' merchant orders coming from the U.S. Wells, which has ecommerce packages for both small and midsize merchants, also refers its 9,000 cyber- merchants to CyberSource's fraud detection service. This optional service is priced by CyberSource according to how many services merchants obtain from it, including payment authorization and tax calculation, among others. For additional fraud prevention, she adds, "We're always watching transactions after the fact." Rossi says Wells' merchants suffer less than 1% fraud; what percentage of that low rate is attributable to CyberSource, she couldn't say.
It is on merchant demand that the bank has bundled fraud detection, Web hosting, multi-currency online purchase acceptance and other merchant services, Rossi says. "We hear over and over again from merchants 'We don't have time to deal with this.'"
Some have questioned the viability of banks attempting to be ecommerce hubs for their merchant customers, and there have been signs that banks may be struggling in that role (see "Closing Up eShop?," June BTN, page 4). Yet within nine months Wells has tripled the number of merchants from which it takes Web credit card transactions and, Rossi says, "It's not only a growth business, it's a profitable business."
Merchants a hard sell
Fleet Boston, a pioneer in merchant ecommerce packages dating back to early 1998, originally had a do-it-yourself attitude toward storefronts fleet, which has somewhat devolved. The bank began reselling fraud detection software from SkipJack Inc., Cincinnati, at the start of the year. SkipJack is now Fleet's preferred Internet gateway-a role CyberCash previously held-although Fleet now allows cyber-merchant customers to use a range of gateways.
"One of the primary reasons for us migrating from CyberCash to SkipJack is that we like the fraud detection and risk management tools SkipJack provides the merchant," says Greg Radner, marketing manager for business payment solutions at Fleet. The bank would not say how many customers use the service or how many cyber-merchants it now has as customers, as compared with the 120 it had last July.
First Union Corp., another bank offering what Vice President Lou Anne Alexander calls "a basket of services for small and midsize (online) merchants," also has fraud on its mind. The service bureau that runs First Union's cyber-merchant offering, SecureSales, has an arrangement with a fraud detection software provider, Alexander says. "We're taking a look at that," she says, adding that the "well-known" product probably would not be made available to the bank's merchant customers before the fourth quarter.
In First Union's case, it's not the merchant acquiring area that would be involved in a possible resale, since the Charlotte, NC, bank is not directly involved in that business. SecureSales is First Union's brand name of a discounted and heavily customized version of virtual store software that the bank resells from a leading provider, Open Market Inc., Burlington, MA. Any additional fraud software would be offered through First Union's bureau running Open Market's software, the Nashua, NH-based application service provider iComs Inc. "Obviously, this is coming to market because of fraud concern on the Internet," Alexander says.
To the extent banks will participate in equipping merchants to fight fraud, reselling is becoming favored over referring arrangements. Wells, for instance, now refers business to CyberSource, but that's only pending implementation of a system to remunerate the bank for reselling CyberSource's service, explains Steve Klebe, the vendor's vice president of payment alliances. "Wells will earn a healthy margin-between 15% and 50% of both the merchant's registration and per-transaction fees, depending on volume," he says. Merchants pay a "click-fee" every time they use CyberSource's hosted service and CyberSource does all necessary integration with the merchant's site, Klebe explains.
Both banks and vendors spoke in favor of reselling such services. First Union treats merchants' business as part of an ongoing relationship, Alexander says. "We want accountability, so we would most likely go for a reselling arrangement and, even though the system might be outsourced, it would be offered on a private-label basis."
CyberSource prefers reselling because, Klebe says, "Banks have an opportunity for serious profit margins and, therefore, they're more engaged in promoting the product. CyberSource already has referring/reselling arrangements with many of the 50 or so domestic entities that dominate cyber-merchant acquiring, including Bank of America Corp. and Silicon Valley Bank, plus card processors. The vendor still has others to court- including trying to persuade both BofA and Wachovia Corp. to resell instead of refer, Klebe says. "We're not so much into numbers," he adds. "A lot of banks are into what we call a Barney relationship: I love you, you love me, but they don't put any elbow grease into it."