"Big data" has been all the rage in the payments industry in recent years. While the hype seems to have subsided a bit, that might be because the most dedicated data-using merchants have put their heads down to focus on sifting through the data to investigate fraud.
"If you want to get ahead of the bad guys you got to spend time in the lab," said Skip Myers, director of loss prevention at Micro Center, a computer and electronics retailer with both brick-and-mortar stores and an e-commerce shop.
Merchants are spending more time following up on the leads they find through their use of big data. "I'm seeing a momentum shift in companies wanting to use more data to investigate criminals and actually going after them to prosecute them," said Myers, who spent about a decade in law enforcement in Atlanta, Ga., before joining Micro Center 20 years ago.
The idea with big data is this: a group of merchants aggregate their data to find fraudsters, and then blacklist them throughout the group.
Myers said more merchants are taking this process a step further by pursuing a legal remedy. "All it takes is a basic understanding of the things the justice system requires to build a case," he said. And to make a case to prosecutors, merchants must gather a substantial amount of data on the fraudsters. which requires merchants to work together by sharing data, he added.
Micro Center uses technology from Kount, an e-commerce fraud detection provider. Merchants connected to the Kount platform anonymously share customer data with each other. Kount provides a fraud score for all transactions, and merchants decide whether to accept or reject the payments.
The amount of data available to merchants now allows them to make decisions based on patterns. For example, said Myers, it looks slightly suspicious when a single device such as a laptop is observed making purchases with many different credit cards.
"Before Kount, we did [fraud management] in-house; we had our own set of rules and algorithms," Myers said. Micro Center was being attacked internationally, but the merchant didn't know those transactions were being initiated from outside the country because the fraudsters were using proxies.
Kount uses a number of features including device fingerprinting and proxy piercing. Proxy piercing allows the provider to see around an IP scrambling proxy to determine where the transaction actually originates. Micro Center has since set up a rule that automatically declines purchases that are imitated from an international location but look as if they're being originated from the U.S., Myers said.
While data-sharing for fraud mitigation makes sense on paper, in practice the process is a lot more nuanced, especially for international sellers, said Don Bush, vice president of marketing at Kount.
Myers agrees, noting that privacy laws vary from country to country. Data sharing laws in the U.K. are much stricter than they are in the U.S. Because of the Freedom of Information Act in the U.S., merchants and individuals can find a significant amount of data. When this data gets published on the Internet, a simple Google search may be enough to unearth a treasure trove of information.
Myers and his fraud management team at Micro Center were able to lead law enforcement agents to a particular fraudster who used stolen cards to purchase Micro Center's products online and then go pick them up in-store. The fraudster has an "interesting name," Myers said, so he Googled it and found a rap sheet with a picture of the woman. Myers contacted the woman's corrections officer and found out she had a Facebook page. Myers the looked at the Facebook page and found the woman bragging online about her conquests. She also mentioned her next planned offense, so Myers worked with law enforcement to set up a sting operation to catch her in the act.
Before the use of these fraud management and data analytics tools, "a lot of good customers were having transactions declined because the retailer was too paranoid to approve it," Myers said.
For example, a new customer at Micro Center had ordered $16,000 worth of electronics with an address that initially looked to be in a residential area. But on closer inspection Myers Googled the address it was determined to be an office building located near a residential area. Myers also looked into how long the address had Internet access to make sure it wasn't being faked to conduct fraud.
"The data out there, the value of it is in the eye of the beholder," Myers said.
Because of differing privacy laws, the number of non-merchant payment and fraud providers that offered data sharing tapered off in 2014 to 17.3%, down from 24.4% in 2013, according to the Mobile Payments and Fraud Report, commissioned by Kount, The Fraud Practice and CardNotPresent.com.
Another reason for the decline is that merchants are shy about sharing their data with competitors, Kount's Bush said. By picking good fraud tools, merchants can steer fraudsters away from them and towards a competing merchant that might have weaker defenses. While this may seem a "devilish way" to compete, it's the nature of retail business, Bush said.
The top merchants can afford to experiment with payment acceptance and fraud mitigation techniques, but small- and medium-sized businesses don't have the resources to integrate a product that isn't certain to provide a return on the investment, Bush said.
"There's been a lot of upheaval over the past six to 12 months," Bush said. Bush talks to nearly 100 merchants a week and "they're not sure what the best practices are or what horse is going to win the race...so there's a wait-and-see approach.
All the products and services in the industry are causing merchants to freeze up. This is likely one of the reasons Kount saw
While Kount launched as a vendor for merchants, as liability gets pushed upstream by regulators, the Boise, Idaho-based company has been able to sell to e-commerce platforms, payment gateways and payment processors as well.
Last month, Kount in partnership with Ethoca launched
