E-Commerce Fraud: Protecting Data, Transactions and Consumers



White Paper

EXECUTIVE SUMMARY

Global e-commerce sales are growing at a steady clip and are expected to total almost $1 trillion worldwide in 2013. To no one’s surprise, e-commerce fraud is growing too, with fraudulent transactions rising approximately 26 percent, from $2.7 billion in 2010 to $3.4 billion in 2011.[1] Unfortunately, that total understates the true cost of fraud because it doesn’t take into account significant hidden costs. Most notably, these include revenue lost throughout the payment card ecosystem due to consumers’ fears about buying online, and stakeholders’ investments in fraud-detection technology, services and expertise.

E-commerce fraud affects all parties in the payment card value chain, from the major card brands that sit at the top of the industry to the billions of credit and debit cardholders worldwide who shop online. However, the risks and costs do not fall equally on all groups. This paper explores three major points of vulnerability that exist across the value chain and the solutions industry leaders are deploying to prevent, detect and block fraudulent activity in the e-commerce channel. The focus is on three use cases:

–– Protecting the integrity of transactions through risk-based authentication
–– Protecting consumers from payment card theft and related identity crimes by tokenizing cardholder data
–– Protecting reputable brands and their customers by shutting down phishing and Trojan attacks that facilitate e-commerce fraud

Within this context, the paper shows how RSA’s solutions for fraud detection and prevention increase confidence in online shopping by addressing critical needs across the payment card ecosystem:

–– Reducing fraud rates by evaluating transaction risk and blocking or challenging high-risk activities
–– Reducing the high transaction abandonment rates and lost revenue that result from a poor user experience
–– Reducing compliance costs by dramatically shrinking the footprint of sensitive payment card data in e-commerce environments

[1] “2012 Online Fraud Report: Online Payment Fraud Trends, Merchant Practices and Benchmarks.” CyberSource. http://cybersource.com (accessed June 26, 2012). Page 1.
–– Protecting consumers by thwarting phishing and Trojan attacks that facilitate theft of payment card data and users’ e-commerce credentials
–– Containing operational costs for fraud prevention, detection and mitigation

AN OVERVIEW OF THE E-COMMERCE LANDSCAPE

Powerful trends are driving e-commerce growth all across the globe. These include a surging middle class in China, India and other emerging economies, the wide availability of broadband services and mobile devices, and increasing user confidence with shopping online. Goldman Sachs predicts that worldwide e-commerce sales will reach $963.0 billion by 2013, growing at an annual rate of 19.4 percent,[3] and some industry watchers predict that web sales, which were 6.6 percent of all retail sales in 2011, will account for 20 percent within the next 10 years.[4]

Regional statistics reinforce the growth story. eMarketer—which publishes analysis and insight on digital marketing and commerce—projects that U.S. online shoppers will spend $224.2 billion in 2012, up 15.4 percent from $194.3 billion in 2011.[5] Latin America saw a 24 percent increase in online sales in 2010.[6] Africa and the Middle East are seeing rapid growth in Internet users, projected to rise from 150 million in 2009 to 297 million in 2015.[7] Annual e-commerce revenues in Australia are on track to nearly double, from $16.9 billion in 2009 to $33.9 billion in 2015.[8] In Asia-Pacific, online retail markets are growing faster than in the U.S. and Europe,[9] driven in part by consumers’ adoption of mobile shopping.

E-Commerce Fraud Is a Growth Industry Too

Where there’s smoke, there’s fire. And where there’s money being made, you can be sure that online predators will swarm. Therefore, it is not surprising that revenue losses from fraudulent e-commerce transactions have risen in parallel with e-commerce sales, more than doubling in the last decade.

In its 2012 Online Fraud Report, CyberSource noted that fraud losses in North America rose from $1.7 billion in 2001 to a peak of $4 billion in 2009, experienced a two-year decline, and then resumed an upward trend. In 2011, e-commerce fraud losses totaled approximately $3.4 billion, a $700 million increase over 2010. These direct financial losses are largely borne by the merchant or card issuer and take two forms:

–– Credits or reversals issued by the e-commerce merchant to consumers who claim fraudulent use of their accounts.
–– Chargebacks by card issuers who (depending on the circumstances) return fraudulent transactions to the merchant bank or the e-commerce merchant as a financial liability. (Because fraudulent charges are almost always reversed, consumers are insulated from direct financial losses.)

[2] Internet Retailer. “Online shoppers will boost Internet spending 15% this year.” www.internetretailer.com (accessed May 10, 2012).
[3] Ibid.
[4] Moses, Lucia. “People are getting more comfortable shopping online, but they’re also demanding more of retailers.” AdWeek, April 18, 2012. http://www.adweek.com/news/advertising-branding/data-points-spending-it-139582 (accessed June 10, 2012).
[5] Internet Retailer. “Online shoppers will boost Internet spending 15% this year.”
[6] “Going Global Info Chart: Statistics on Global e-Commerce.” Brokers Worldwide. www.brokersworldwide.com/http/infographic.htm (accessed June 26, 2012). Attributed to Euromonitor International.
[7] “Going Global Info Chart.” Brokers Worldwide. Attributed to Cisco Systems Economics and Research Practice.
[8] “Going Global Info Chart.”
[9] “Going Global Info Chart.” Attributed to Forrester.
The Good Guys Keep Battling Back

Not all news on the fraud scene is discouraging. The fraud rate by revenue—which measures fraud losses as a percentage of total revenue—has been declining for 10-plus years. In the 2001 CyberSource survey, merchants reported losing 3.2 percent of online revenue to fraud; that figure decreased to a low of 0.9 percent in 2010, followed by a slight uptick to 1 percent in 2011.[10] The largest merchants reported significantly lower loss rates (0.4 percent). This discrepancy likely reflects their ability to make larger investments in tools, staff and training compared to smaller companies.

A second key metric is also declining. Fraud rate by order is the number of accepted orders that later turn out to be fraudulent, expressed as a percentage of total accepted orders. Between 2008 and 2011, the U.S. domestic fraud rate by order was almost cut in half, declining from 1.1 percent to 0.6 percent. The international rate fell from 4 percent to 2 percent.[11]

Any optimism inspired by these improvements should be tempered. In its third annual True Cost of Fraud Study, LexisNexis reports that while the incidence of fraudulent transactions decreased in 2011, the average dollar value of a fraudulent transaction was higher than the previous year. Furthermore, the most lucrative areas of growth for retail merchants—international, mobile, and e-commerce—tend also to be the most susceptible to fraud.

The following table summarizes the roles and challenges of all the players in the e-commerce ecosystem.

The Card Payment Ecosystem: Roles and Challenges

Major card brands: Promote electronic payment solutions and operate transaction networks that link all players in the payment value chain. Visa and MasterCard lead the industry in developing standards, tools and best practices for fraud prevention. Major challenge: Strengthen overall trust in online commerce.

Card issuers: Financial institutions that issue payment cards and “own” the cardholder relationship. They evaluate transaction risk, verify cardholder identities and make authorization decisions. Major challenge: Detect and block fraudulent transactions.

Acquirers/Merchant banks: Act as intermediaries between card issuers and merchants. They process transactions for multiple merchants, handling payment and settlement services directly or with third parties. Major challenge: Ensure that merchant accounts hold fraud-related chargebacks to acceptable levels.

eCommerce merchants: Accept card-based electronic payments for goods and services. Major challenges: Reduce exposure to fraud-related chargebacks without inconveniencing shoppers. Protect consumers’ payment card data.

The Hidden Costs of Fraud

The costs of e-commerce fraud go far beyond the $3.4 billion in goods and services that were ordered and delivered in 2011 but never paid for. According to the LexisNexis report, merchants incurred costs of more than $2.33 for every dollar of fraud committed.[12] For example, they absorb the cost of fulfillment and delivery services for fraudulent purchases. They devote resources to investigating and administering fraud claims, and all parties in the payment card value chain make significant investments in preventive technology, services and staff.

[10] “2012 Online Fraud Report.” CyberSource. Page 1.
[11] “2012 Online Fraud Report.” CyberSource. Page 12.
[12] “LexisNexis Study Finds Fraud Rates and Data Breaches Could Increase for Retailers Next Year.”
–– The major card brands offer fraud-prevention tools for merchants and issuers. The most familiar are Card Verification Number (CVN), Address Verification Service (AVS), and the payer authentication services Verified by Visa and MasterCard SecureCode.
–– Merchants and card issuers—using internal resources or working through partners—deploy an arsenal of automated screening tools and decision systems to evaluate the risk of incoming orders and improve the accuracy of accept/decline decisions. They also employ skilled fraud analysts to manually review and dispose of high-risk cases.
–– Acquirers/merchant banks process transactions from multiple e-commerce merchants. Because they can be de-listed by the card networks if their merchant accounts exceed acceptable fraud levels, acquirers invest in monitoring and managing the quality of those accounts.

All these investments qualify as “profit leaks” that reduce the bottom line for players in the payment card ecosystem. Though it’s impossible to quantify, e-commerce fraud probably has its biggest impact on the top line. Consumer distrust slows the growth of online transactions, reduces merchants’ online revenues and cuts into the various transaction-based fees collected by other stakeholders in the value chain. Even when consumers are willing to shop online, cumbersome security procedures increase the rate of transaction abandonment, which Forrester Research estimated to be 75 percent for the first half of 2011. In the U.S. alone, $18 billion is lost annually to abandoned transactions, with concerns about security being one of several key reasons cited by consumers.[14] (Others included high shipping and handling costs, people not being ready to purchase the product, and the preferred payment method not being available.)

ANTI-FRAUD SOLUTIONS: THREE USE CASES

E-commerce fraud causes pain and poses challenges across the entire payment card ecosystem. However, the direct costs of fraud and the responsibility for stopping fraudulent transactions fall primarily on two groups: merchants and card issuers. The following use cases highlight key areas of vulnerability and solutions that are being deployed to improve fraud detection and prevention.

Use Case #1: Protecting Transactions with Risk-Based Authentication

Once a fraudulent transaction is approved, the resulting loss is almost never recouped. For this reason, there is a big focus on preventing fraud in real time at the point of transaction. As an early step in this direction, Visa in 2001 developed the Three Domain Secure protocol (3D Secure) to enhance the security of Internet payments. 3DS was designed to strengthen real-time verification of cardholder identities by requiring an additional layer of password authentication. Services based on 3D Secure are offered by several major card brands: Visa (under the name Verified by Visa), MasterCard (MasterCard SecureCode), JCB International (J/Secure), and American Express (SafeKey).

With these services, cardholders are encouraged—and in some countries, required—to enroll through their card issuer, at which time they create a password. Every time an enrolled user shops at a 3DS online merchant, the individual must complete an extra step during payment by inputting their password before their purchase is authorized.
The Shortcomings of Enrollment-based 3DS

Merchant participation in 3DS services is not mandatory, but merchants who implement the program benefit from a significant liability shift, as they are no longer responsible for fraud-related chargebacks; instead, those become the responsibility of the issuing bank. Despite this incentive, adoption of enrollment-based 3DS services has been much slower than expected. Where enrollment is voluntary, a large percentage of cardholders opt out.[15] Among enrollees, users report being locked out of valid transactions or having their card rendered useless, necessitating time-consuming help desk calls. More than 10 years after the launch of 3D Secure, consumer frustration is still evident in an ongoing stream of tweets devoted to the topic. (A typical complaint from May 2012: “Constant confusion and mistrust when prompted for extra info.”)

All this is bad news for merchants and card issuers. If consumers are sufficiently annoyed, they’ll abandon the sale, causing the merchant to lose revenue. Or worse, they may choose to shop with another merchant or card issuer altogether. In many cases, merchants have elected to absorb e-commerce fraud losses rather than risk the high rates of transaction abandonment that can result from an inconvenient shopping experience.

Who, But a Thief, Buys Six Large-Screen TVs All At Once?

In response to these shortcomings, stakeholders began to explore a risk-based approach to 3D Secure authentication that would improve detection while eliminating the need for passwords and the associated enrollment process. Rather than relying on a few pieces of static data to validate the cardholder, risk-based authentication (RBA) uses a risk engine and decision tools to evaluate a wealth of transactional, behavioral, and cross-institutional data in real time before authorizing or blocking a transaction. For example, comparing the user’s transaction history to known fraud patterns—such as buying multiples of the same big-ticket item in one transaction—can help spot likely fraud (Who, but a thief, buys six large-screen TVs all at once?). IP geo-location data, device fingerprinting and the currency being used in a transaction can flag suspicious purchases originating in foreign countries or from an unfamiliar device. (If you ordered a bathing suit online two hours ago from your home computer in Ohio, who’s using your card right now to buy an expensive camera from a smartphone in Eastern Europe?)

Based on this kind of dynamic assessment, risk-based authentication assigns a risk score (low, medium or high) and only challenges transactions determined to be suspicious. In those cases, the transaction may be declined and terminated, or the cardholder may be asked to answer a challenge question or provide a different payment method before the transaction is approved.

Fast Results from Risk-Based Authentication

RSA played an early role in developing risk-based authentication for e-commerce. The company had already launched a risk-based transaction monitoring solution for online retail banking, which is now called RSA® Adaptive Authentication. This capability was the industry’s first cross-institution fraud network for tracking and sharing fraud-related data among members. By integrating its existing technology into the 3D Secure system, RSA was able to quickly bring these same resources to bear on e-commerce fraud.

Card issuers who were early to adopt the RSA solution achieved dramatic results. A pilot program in the U.K. saw an 85 percent reduction in checkout time, a 70 percent reduction in transaction abandonment, and only caused an interrupted shopping experience for five percent of customers. These improvements were achieved without the fraud rate increasing at all.[16]

[15] “Advantages of a Risk Based Authentication Strategy for MasterCard SecureCode.” MasterCard, 2011. Page 6.
[16] “Advantages of a Risk Based Authentication Strategy for MasterCard SecureCode.” Page 5.
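As an added example written for this page (not RSA Adaptive Authentication code), the Python sketch below scores an order on the signals the section above describes: multiples of one big-ticket item, IP geo-location and currency that differ from the cardholder's home, an unfamiliar device fingerprint, and an approved purchase from another country only hours earlier. The weights and thresholds, the country code "XX" and the three sample orders (bathing suit, six TVs, camera) are constructed; the result is a low/medium/high level mapped to approve, challenge or decline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed weights and thresholds for this illustration; a production risk engine
# tunes them from cross-institution fraud data rather than hard-coding them.
BIG_TICKET_PRICE = 500.0            # per-unit price treated as "big-ticket"
MULTIPLE_QTY = 3                    # this many of one big-ticket item in one order is a known fraud pattern
TRAVEL_WINDOW = timedelta(hours=6)  # approved purchases from two countries this close together are suspect


@dataclass
class Transaction:
    card_id: str
    item: str
    unit_price: float
    quantity: int
    currency: str      # currency the shopper is paying in
    country: str       # country derived from IP geo-location
    device_id: str     # device fingerprint
    when: datetime


@dataclass
class CardProfile:
    """What the issuer already knows about the cardholder."""
    home_country: str
    home_currency: str
    known_devices: set = field(default_factory=set)
    approved: list = field(default_factory=list)   # previously approved transactions, oldest first


@dataclass
class Decision:
    score: int
    level: str      # "low", "medium" or "high"
    action: str     # "approve" (transparent), "challenge" or "decline"
    reasons: list


def score_transaction(tx: Transaction, profile: CardProfile) -> Decision:
    """Weigh the signals the paper names and map the total to a risk level and action."""
    score, reasons = 0, []

    # Known fraud pattern: multiples of the same big-ticket item in one transaction
    if tx.unit_price >= BIG_TICKET_PRICE and tx.quantity >= MULTIPLE_QTY:
        score += 40
        reasons.append(f"{tx.quantity} x big-ticket item '{tx.item}' in one order")

    # IP geo-location and transaction currency differ from the cardholder's home
    if tx.country != profile.home_country:
        score += 20
        reasons.append(f"order placed from {tx.country}, home country is {profile.home_country}")
    if tx.currency != profile.home_currency:
        score += 10
        reasons.append(f"paying in {tx.currency}, home currency is {profile.home_currency}")

    # Device fingerprint never seen on this card before
    if tx.device_id not in profile.known_devices:
        score += 20
        reasons.append(f"unfamiliar device {tx.device_id}")

    # Behavioural history: an approved purchase from another country only hours earlier
    if profile.approved:
        last = profile.approved[-1]
        if last.country != tx.country and tx.when - last.when <= TRAVEL_WINDOW:
            score += 30
            reasons.append(f"approved purchase in {last.country} only {tx.when - last.when} earlier")

    if score < 30:
        return Decision(score, "low", "approve", reasons)       # no interruption for the shopper
    if score < 60:
        return Decision(score, "medium", "challenge", reasons)  # challenge question or other payment method
    return Decision(score, "high", "decline", reasons)          # declined and terminated


def record_approval(tx: Transaction, profile: CardProfile) -> None:
    """After authorization, remember the transaction and start trusting its device."""
    profile.approved.append(tx)
    profile.known_devices.add(tx.device_id)


# Constructed sample orders re-creating the scenario in the text; "XX" stands for a foreign country
T0 = datetime(2012, 5, 1, 9, 0)
BATHING_SUIT = Transaction("card-1", "bathing suit", 45.0, 1, "USD", "US", "home-pc", T0)
SIX_TVS = Transaction("card-1", "large-screen TV", 1200.0, 6, "USD", "US", "home-pc", T0 + timedelta(minutes=30))
CAMERA = Transaction("card-1", "camera", 900.0, 1, "EUR", "XX", "unknown-phone", T0 + timedelta(hours=2))


def run_scenario() -> dict:
    """Score the three orders in sequence and return the action taken for each item."""
    profile = CardProfile(home_country="US", home_currency="USD", known_devices={"home-pc"})
    outcome = {}
    for tx in (BATHING_SUIT, SIX_TVS, CAMERA):
        decision = score_transaction(tx, profile)
        outcome[tx.item] = decision.action
        if decision.action == "approve":
            record_approval(tx, profile)
    return outcome
```

Running `run_scenario()` approves the bathing suit transparently, challenges the six TVs, and declines the camera because the foreign location, currency, unknown device and the Ohio purchase two hours earlier push the score past the high-risk threshold.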
Similarly, Indue of Australia quickly cut its fraud losses at 3D Secure merchants by 90 percent and lowered its abandonment rate to roughly three percent, well below the industry average at the time. Germany’s Deutsche Postbank Group reduced fraudulent transactions by 85 percent and eliminated support costs associated with enrollment-based 3D Secure.

Reducing the Burden of Helpdesk Calls

Risk-based authentication has also helped dramatically reduce 3D Secure-related help desk calls at a dozen U.K. and U.S. issuers. Those using a risk-based approach received an average of 58 percent fewer calls related to account lockouts and password resets, compared to those using the enrollment-based system. One top-10 global issuer saw 3D Secure customer service activity drop nearly 97 percent after eliminating enrollment.[17]

The results further suggest that improving the accuracy of fraud detection can reduce a major element of fraud management cost: the manual screening of flagged transactions that turn out to be legitimate and ultimately are authorized. More accurate screening also reduces the incidence of “customer insult” by ensuring that far fewer valid transactions are declined or challenged.

In evaluating six leading providers of risk-based authentication solutions used in the financial services industry, Forrester analysts wrote this about the risk-based authentication capabilities that underlie RSA® Adaptive Authentication for eCommerce: “RSA dominated this Forrester Wave because it has a huge customer base that dwarfs other vendors and has been striving to provide customers with a wide selection of authentication methods and tokens and well-rounded case management. RSA also offers a leading data aggregator’s data sources for identity vetting and proofing for out-of-wallet security questions.”[18]

Use Case #2: Protecting Consumers by Tokenizing Credit Card Data

Where risk-based authentication protects online transactions by detecting and blocking high-risk activity, tokenization protects consumers from payment card fraud and merchants from payment card data breaches by safeguarding payment card data.

The connection between credit card theft, e-commerce fraud and related identity crimes first came to wide public attention in 2003, when Citibank produced a series of commercials that depicted fraud victims “channeling” the people who had ripped them off. In one famous ad, a middle-aged man sits in his paneled den and speaks in the nasal voice of a Valley Girl who has used his identity information to buy herself a $1,500 leather bustier. Nearly 10 years later, consumers are more knowledgeable and wary about credit card theft and fraud, but the problem remains largely beyond their control. Millions of cardholder accounts are compromised annually as a result of data breaches at organizations that retain card data.

A Problem That Won’t Go Away

E-commerce merchants, traditional retailers and other businesses struggle with how to protect the cardholder data entrusted to them. In many settings, the challenge is made more difficult by the fact that the data is duplicated across multiple systems, applications and databases—where it is stored unprotected. Securosis, an independent research and analysis firm, has pointed out that, historically, credit card numbers have been used as a primary identifier in retail environments, even when there is no need to access the actual number. “As the standard reference key, credit card numbers are stored in billing, order management, shipping, customer care, business intelligence, and even fraud detection systems. They are used to cross-reference data from third parties to gather intelligence on consumer buying trends. Large retail organizations typically store credit card data in every critical business processing system.”[19]

Added to these, unprotected card data may also be archived on backup tapes and disks, replicated for disaster recovery, and downloaded to employee laptops for analysis. Even if some of these points are well defended, others remain vulnerable, with access controlled by nothing more than static passwords that can be easily defeated by hackers or malicious insiders. Once these protections are breached, the data can be stolen, transmitted or misused by anyone with access to it.

The Mandate: Protecting Data from End to End

Due to the evolving nature of today’s threats—and the stringent requirements of the Payment Card Industry Data Security Standard (PCI DSS)—merchants need to protect all this data from end to end: at the point of capture in the application layer (where many damaging breaches now occur), at rest in databases across multiple locations, and in transit between diverse applications and systems.

With its strong protection mechanisms, encryption has been the preferred method for safeguarding cardholder data. However, tokenization has rapidly gained acceptance as an alternative because of its many compelling benefits. First and foremost, rather than trying to protect cardholder data from theft or exposure, a tokenization solution removes it altogether from any systems and applications that don’t specifically require it. This is a major game changer: Thieves can’t steal what isn’t there, so business risk is drastically reduced. Merchants don’t need to protect what they no longer store, so related security costs are reduced. Furthermore, by shrinking the footprint of sensitive data across the environment, tokenization can significantly reduce PCI compliance costs. Some RSA customers have achieved reductions of 30 percent or more in PCI compliance costs.

How Tokenization Works

With tokenization, a consumer’s card data is protected at the point of capture, transmitted to a central repository and encrypted in a secure vault. Only those few applications that require the actual card number are authorized to access the vaulted data. For any other application, the system provides a randomly generated substitute value, called a token, which can be seamlessly passed between applications, databases and business processes without risk.

Tokens are analogous to the chips that are issued by a casino: You exchange your cash for chips, which are then accepted as a form of payment throughout the casino. However, if they’re removed from the environment, they have no cash value and cannot be used for payments. Similarly, credit card token values are useful to the merchant but have no value to the attacker. If tokens are stolen or exposed, the information is useless in perpetrating e-commerce fraud.

One of the primary benefits of tokenization is that it enables a merchant or payment processor to consolidate payment card data from dozens or hundreds of systems down to a few points, and then focus security resources on safeguarding those high-risk points. This consolidation makes it easier and far less costly to protect this sensitive information.

The RSA Approach

Believing that tokenization should be a core component of any layered security strategy, RSA incorporated comprehensive tokenization functionality into the RSA® Data Protection Manager platform, combining it with application encryption, data-at-rest encryption, and comprehensive key lifecycle management. In collaboration with First Data, the largest payment processor in the industry, RSA also created the industry’s first secure payment solution to offer both encryption and tokenization of cardholder data as a hosted service. The hosted model frees merchants from the cost of building and maintaining this component of payment processing infrastructure. And by shifting cardholder data from the enterprise to the payment processor environment, it also shifts much of the risk and cost of PCI compliance to a trusted third party.

The wide adoption of tokenization within financial services has inspired other industries to follow suit, using the technology to protect other sensitive personal information, such as birth dates, account numbers, Social Security numbers, and even elements of an individual’s electronic health record. To understand how tokenization and risk-based authentication work together to protect payment card data, please refer to Appendix A, “End-to-end Protection for Payment Cards.”

Use Case #3: Protecting Brands (and Their Customers) from Cyber Attacks

The collective impact of technology-based protections has certainly helped to slow the growth of e-commerce fraud. Unfortunately, as these safeguards become more pervasive and robust, humans constitute one of the weakest links in payment card security. That’s why phishing and Trojan attacks continue to be employed in e-commerce fraud and other forms of cybercrime. Through these methods, cybercriminals attempt to extract sensitive information by exploiting trusted relationships (respected brands, friends and colleagues, social networking contacts) and routine behavior (such as opening email or clicking on links when directed to).

For example, despite its lack of sophistication and low response rates (a result of consumers becoming more educated), phishing still remains popular in fraud circles because of its low execution cost, easy-to-use attack tools, and access to new distribution channels via poorly defended social networking sites. Cybercriminals today can buy phishing kits for just a few dollars, and each month, tens of thousands of unique phishing attacks are launched all around the world. In June 2012 alone, RSA identified 51,906 unique phishing attacks targeting global organizations.

The Menace Concealed by a Familiar Face

The most effective attacks are carefully crafted to establish credibility and trust. They appear to come from a reputable brand or an individual who is known by the recipient (see Figure 1). Unlike the crude efforts of the past, which often contained telltale grammatical errors and simplistic visuals, today’s phishing attacks use “scraping” tools to closely mimic the legitimate brand, down to the correct type fonts, color palette and business jargon. In the case of spear-phishing attacks, which target high-level individuals with access to extremely valuable information, the email will often allude to details (gleaned from research) that an outsider is unlikely to know.

Figure 1: An example of a real phishing attack that mimicked a leading consumer brand with the promise of easy financial rewards to manipulate people into disclosing payment card data and other personal information.

[17] “Advantages of a Risk Based Authentication Strategy for MasterCard SecureCode.” Page 8.
[18] Cser, Andras and Maler, Eve. “The Forrester Wave™: Risk-Based Authentication, Q1 2012.” Forrester. February 22, 2012.
[19] “Tokenization vs. Encryption: Options for Compliance.” Securosis. July 2011. Page 3.
Thus convinced that the communication is authentic, the recipient is directed to an equally authentic-looking website where they are lulled into disclosing the sought-after information. Or they may click on a link in the email or be sent to a website that transparently installs malware on their system.

Eroding Trust in Respected Brands and Everyday Tools

These attacks undermine the brand that has been hijacked to deliver the attack, and they erode trust in the everyday tools and interactions on which businesses rely. Email marketing is now so tainted that consumers are rightfully wary of messages from their bank, insurance agency or favorite retail stores. Users worry whether they are being directed to a legitimate website or whether they may be downloading a malicious Trojan capable of stealing their credit card numbers, e-commerce login credentials, or online banking credentials.

For merchants whose brand is being tarnished by phishing and Trojan attacks, the most effective defense is to monitor the Internet for threats that target one’s own brand and shut down the offending sites in the shortest possible time. Toward this end, leading vendors have developed sophisticated anti-fraud capabilities that can identify and short-circuit many attacks in a matter of minutes and stamp out advanced attacks in just a few hours. RSA has been a pioneer in this realm; the RSA® FraudAction™ service offers a template for what a comprehensive solution might include:

–– Monitoring and detection. Billions of URLs are scanned daily to identify and analyze suspicious sites and detect phishing attacks that specifically target the customer’s brand or sub-brands.
–– Around-the-clock analysis. Trojan attacks are studied to identify new threats and fast-changing variants, detect methods of operation on infected systems, and extract triggers, communication points, drop and update points.
–– Alerts and updates. Once a new threat is confirmed, customers are immediately notified and fraud data is updated within the RSA® eFraudNetwork™.
–– Site blocking. An extensive network of blocking partners prevents end users from accessing confirmed phishing and malware sites, reducing their risk of exposure to fraudulent sites.
–– Rapid shutdown. Through relationships with more than 14,000 hosting authorities worldwide, “cease and desist” notices are issued and offending sites are quickly shut down.
–– Credential recovery. This feature allows merchants to proactively notify customers whose credentials may have been compromised so they can monitor their account activity. Recovery of stolen credit card data allows merchants to decline transactions made with a stolen card.

RSA’s approach has been highly effective. For example, RSA analysts have shut down more than 650,000 cybercrime attacks, the highest shutdown volume for any provider in the industry.

CONCLUSION

With e-commerce sales guaranteed to grow over the next 10 years, the growth of fraud is sure to follow. All stakeholders in the e-commerce value chain are hurt by fraud and all share responsibility for detection and prevention. While it will never be possible to completely eradicate e-commerce fraud, experience shows it is possible to slow its growth by implementing protections at critical points of vulnerability. Those brands that are early in deploying the best tools and strategies for fraud detection and prevention—and ensuring their partners in the value chain do as well—will gain critical advantages as a result. These include increased consumer trust in online commerce, higher transaction volumes, lower fraud rates, reduced fraud prevention and mitigation costs, and greater profitability.
Appendix A: End-to-end Protection for Payment Cards

The combination of tokenization and risk-based authentication includes these steps.

1. Checkout: Shopper enters credit card data, which is protected during checkout.
2. Tokenization: Merchant encrypts and vaults card data for later transactions. A token is issued to replace the card number in subsequent uses (order management, shipping, etc.).
3. Risk score: Risk engine dynamically analyzes transaction/behavioral data, known fraud patterns from the eFraudNetwork and data from many sources in real time, and assigns a risk score.
4. Authentication: Access Control Server (ACS) transparently approves low-risk transactions, and challenges or declines high-risk purchases.
5. Authorization: Issuer digitally signs the receipt and returns the authorization to the merchant.
6. eFraudNetwork: Known threats and fraud patterns are updated and shared to improve the accuracy of fraud detection.

[Figure: diagram of the flow between Cardholder, Merchant, Token Server (Vaulted Card Data), Acquirer, Issuer, Access Control Server (ACS), Risk Engine (Fraud Patterns, Authentication History) and eFraudNetwork; the numbered arrows correspond to steps 1 through 6 above.]
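As an added Python illustration of "How Tokenization Works" in Use Case #2 and of step 2 above (written for this page, not RSA Data Protection Manager code), the vault below keeps the encrypted card number in one place, hands order management and shipping a format-preserving token, maps the same card to the same token so it can still serve as a reference key, and lets only an explicitly authorized application detokenize. The application names, the master key and the 4111111111111111 test card number are constructed, and the HMAC-SHA256 stream cipher stands in for the AES encryption and managed keys a real vault would use.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check digit test: every real card number passes it, tokens are made to fail it."""
    total, parity = 0, len(number) % 2
    for i, ch in enumerate(number):
        d = int(ch)
        if i % 2 == parity:              # every second digit from the right, next to the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a standard-library stand-in for AES in this example
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return blocks[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> tuple:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # detects tampering with vault records
    return nonce, ct, tag


def decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vault record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TokenVault:
    """The one place real card numbers live; every other system sees only tokens."""
    AUTHORIZED_APPS = {"payment-gateway"}   # constructed: the few applications allowed to detokenize

    def __init__(self, master_key: bytes):
        # Separate keys for encryption, integrity and the lookup index, all derived from one master key
        self._enc_key = hashlib.sha256(master_key + b"|enc").digest()
        self._mac_key = hashlib.sha256(master_key + b"|mac").digest()
        self._idx_key = hashlib.sha256(master_key + b"|idx").digest()
        self._records = {}   # token -> (nonce, ciphertext, tag)
        self._index = {}     # HMAC(PAN) -> token, so one card always maps to one token

    def _new_token(self, pan: str) -> str:
        # Same length and last four digits as the PAN so legacy columns and customer service still work,
        # but never Luhn-valid, so a leaked token cannot be mistaken for a card number
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_valid(token) and token not in self._records:
                return token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a card number")
        idx = hmac.new(self._idx_key, pan.encode(), hashlib.sha256).hexdigest()
        if idx not in self._index:
            token = self._new_token(pan)
            self._records[token] = encrypt(self._enc_key, self._mac_key, pan.encode())
            self._index[idx] = token
        return self._index[idx]

    def detokenize(self, token: str, app: str) -> str:
        if app not in self.AUTHORIZED_APPS:
            raise PermissionError(f"{app} is not authorized to access card data")
        nonce, ct, tag = self._records[token]
        return decrypt(self._enc_key, self._mac_key, nonce, ct, tag).decode()


def process_order(vault: TokenVault, pan: str) -> dict:
    """Constructed flow for one order: downstream systems hold the token, only the gateway sees the PAN."""
    token = vault.tokenize(pan)                                  # checkout hands the card number to the vault
    order_record = {"order_id": "A-1001", "card": token}         # what order management, shipping and BI store
    try:
        vault.detokenize(token, "shipping")                      # a non-payment system cannot recover the PAN
        shipping_sees_pan = True
    except PermissionError:
        shipping_sees_pan = False
    charged = vault.detokenize(token, "payment-gateway")         # authorization is the one step that needs it
    return {"record": order_record, "shipping_sees_pan": shipping_sees_pan, "charged_pan": charged}


if __name__ == "__main__":
    vault = TokenVault(b"constructed-master-key")
    print(process_order(vault, "4111111111111111"))              # standard Luhn-valid test card number
```

A token copied out of the shipping record is useless without the vault and its keys, which is the casino-chip property the section describes.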
About RSA

RSA is the premier provider of security, risk and compliance solutions, helping the world’s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, data loss prevention, encryption and tokenization, fraud protection and SIEM with industry leading eGRC capabilities and consulting services, RSA brings trust and visibility to millions of user identities, the transactions that they perform and the data that is generated. www.emc.com/rsa

RSA, the RSA logo, EMC², EMC and “where information lives” are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2011 EMC Corporation. All rights reserved. Published in the USA. ECOMM WP 0712