Understanding the Card Fraud Lifecycle: A Guide For Private Label Issuers

With credit card fraud dramatically on the rise, particularly in the form of card-not-present (CNP) fraud across Internet and Mail Order/Telephone Order (MOTO) channels, it is important for private label issuers to understand the depth of this problem and how it affects their merchant portfolio and their ability to accept private label cards. Private label cards were often considered to be “low risk”, relative to traditional bank cards, but our current analysis has shown the contrary: fraudsters are increasingly using private label cards as the payment instrument in CNP channels and merchants are at great risk if specific strategies are not put in place to stop it.

  1. Understanding the Card Fraud Lifecycle: A Guide For Private Label Issuers
     The Problems, Tools, Techniques and Technologies
     Christopher Uriarte, Chief Technology Officer & Head of International Development, Retail Decisions
     PLRT Conference, May 1, 2009, Philadelphia, PA
  2. About Retail Decisions: A Market Leader
     • One of the leading global providers of transactional card fraud prevention and payment services
        • Touched approx. 16 billion card transactions per year for blue chip clients around the globe; 160 billion card transactions per annum worldwide (2007)
        • 20+ years experience in card fraud prevention
     • Fully-managed Fraud Prevention and Payment Services focused only on large and blue-chip customers: Merchants, Issuers and Acquirers
     • Blue-chip client base of more than 300 companies
     • Best-of-breed, unique proprietary technology and databases, including patented neural network technologies
     • Strong service offering throughout all pieces in the payment value chain: merchants, processors and banking institutions
     Retail Decisions (ReD) is a London-based specialty provider of transaction and card issuing services to banks, retailers, oil companies and telcos worldwide
  3. Sample of ReD’s Clients and Focus Sectors
     Sectors: Travel, Telephony, Retail, Oil, Banking
     Regions: Europe, America, Asia Pacific, Other
  4. Where We Sit & Where the Data Comes From
     Diagram labels: Fraud Prevention & Gateway Services (CP & CNP); ReDShield™; ReD1Gateway™; CardExpress™; Fraud Prevention for Acquirers & Processors; PRISM™; Fraud Prevention for Issuers; PRISM™; Fraud Prevention for Merchants; Fraud Prevention for Banking Institutions
  5. Fraud Control Life Cycle
     Chart: Value of fraud over Time (marked 2002, 2009, ???, ???; "Are We Here Now???"; "Implies Innovation"), with these stages:
     • Solutions implemented to reduce fraud
     • Time lag for solutions to take effect
     • Familiarity with weaknesses in cards and technology increases fraud
     • Fraud begins to rise as new technologies are cracked and new weaknesses are found
     • New solution is implemented to reduce fraud
  6. Counterfeit fraud driven by growth of plastic
     • Increasing examples of large, sophisticated counterfeit card manufacturing operations
     Photo: 170,000 cards seized in Taipei, Taiwan
  7. Regular Occurrences of Organized & Social Engineering Efforts
     News clipping: "Arrests in card scam", Wednesday, February 28, 2007, by Paul Grimaldi, Journal Staff Writer
     Arraigned yesterday in the thefts of credit-card and debit-card information — and more than $100,000
     The men allegedly stole the information by switching out checkout lane keypads with one of their own machines and then retrieving the units a few days later so they could copy the account data. To achieve this, they took shelf stocking positions at the supermarket, which gave them legitimate access to the facility during late hours in the evening. They recorded the stolen information on blank bank cards that they used to get money from ATMs in the area, the police said.
  8. Implanted chips
     • Criminals implant a chip directly into Point of Sale equipment
     • The chip holds up to 1,000 account numbers
     • Major occurrences in Taiwan, Malaysia and Brazil
  9. Purpose Built Skimmer – Old Technology, But Still Popular
     • Small battery operated skimmers can hold up to 1 million account numbers at a time
     • Devices are mainly produced in Malaysia and China
     • Manually manufactured from standard POS equipment
     • The skimmers were introduced to US in 1998
  10. Personalizing the Card
     • Low tech: Embossing only
     • “Higher tech”: Transplanting Skimmed Card Data
     Card image: 3712 345XX8 95004
  11. The Trend: No Longer a Low-Tech Crime
     • Large groups of individuals work together
     • A real example: 128 flights were successfully purchased in the names of 92 passengers to 3 destinations over 12 weeks with 33 different cards
     • Over $300,000 in total
  12. What This Means In Regards to Fraud
     • Credit card fraud continues to become more of an organized, professional crime – the case studies prove it
     • CNP fraud continues to aggressively increase. As more countries adopt Chip and PIN solutions, fraud will continue to migrate from CP to CNP channels
        • APACS 2007 Fraud Study: For the first time, more than 50% of fraud was CNP fraud.
     • As other countries implement Chip and PIN solutions, both CP and CNP fraud will increase in non-Chip and PIN geographies
     • ID Theft continues to increase, replacing counterfeit schemes, which are no longer valid in Chip and PIN geographies
     • Since fraud is aggressively expanding, legacy fraud prevention techniques are becoming less and less effective
  13. Typical Merchant Fraud Assessment Process
     Flow: Merchant Order System, Storefront, Website, etc. → Fraud Prevention System and Tools (Proprietary or Outsourced) → one of three outcomes
     Examples:
     • ACCEPT ORDER: 90%+ of all orders
     • DENY ORDER: ~2% of all orders
     • CHALLENGE ORDER (Manually Review): 2%-8% of all orders (where applicable)
     Key Points:
     • Challenges or outright Deny categories may not work for all types of merchants
     • Merchants must find the balance:
        • Too many manual reviews = too much staffing cost
        • Too many outright denies = too many false positives
     • No Fraud Prevention system is perfect: You will have false positives. You will require manual review. Today’s strategy is to let the Fraud Prevention system identify ~95% of all good and bad orders and manually review the rest
  14. Finding the Balance Between Key Metrics
     Key Metrics Merchants Must Track:
     • Manual Review Rate (“Outsort Rate”) - % of orders reviewed by a person before shipped or cancelled
     • Outright Deny Rate - % of orders rejected by the fraud system without performing a manual review
     • Fraud Rate – Overall percentage of fraud, usually measured in % of overall transactions and % of $ value
     • Customer Insult Rate – Falsely identifying good customers as fraudulent OR degrading service to good customers as a result of slow/cumbersome fraud processes (e.g. manual reviews take so much time to complete that shipping windows are missed)
     • Revenue at Risk – How a particular fraud strategy could affect revenue
     Highlighted in red: The most typical and critical results in each respective category
     When This Happens / This Could Happen:
     • Manual Review Rates Increase
        • Fraud Rates - Decrease
        • Staffing Costs - Increase
        • Revenue at Risk - Decrease
        • Customer Insult Rate – Potential to increase (slower order turnaround)
        • Scalability – becomes challenging (Double my orders = Double my staff??)
     • Manual Review Rates Decrease
        • Fraud Rates - Increase
        • Staffing Costs - Decrease
        • Revenue at Risk – Potential to increase
        • Customer Insult Rate – Potential to increase (due to higher deny rates)
     • Hard Deny Rates Increase
        • Fraud Rates - Decrease
        • Staffing Costs - Decrease
        • Revenue at Risk – Increases (many more false positives)
        • Customer Insult Rate – Increase
  15. Fraud Prevention Systems: Real-Time or Batch
     Merchants must first decide whether they require a Real-Time or Batch (non-real-time) fraud prevention system:
     • Real-Time Fraud Prevention
        • Immediate response at the time of purchase, usually at the time of card authorization: “in line with the purchase”
        • Applicable for all types of retailers
        • The only option for merchants who require an instant response: Digital download, content providers, point-of-sale, telephony services, etc.
        • Provides the opportunity for additional review after the real-time response
        • Screening focus is on current transaction and all prior transactions
     • Batch Fraud Prevention
        • Screening performed after the transaction takes place. Goal is to stop the “next fraud” or to screen before goods/services must be delivered
        • Has no impact on response to customer at time of purchase
        • Does not work for retailers who require an immediate response
        • Ability to assess prior transactions and some transactions that occur after this transaction took place (historical and forward-looking view)
     Sophisticated Systems Can Combine BOTH Techniques
  16. Fraud Prevention Systems: Tools and Technologies
     • There are a number of tools and technologies on the market today which address different aspects of fraud. Merchants may choose to assemble a suite of these tools themselves, or use more advanced fraud prevention solutions from outsourced providers
     • Examples of Tools and Technologies Used Today:
        • Business Rules Engines
        • Negative Databases
        • Address Validation Tools
        • Personal/Identity Validation Tools
        • I.P. Geo-location
        • Device Identification / PC Fingerprinting
        • Neural Networks and Statistical Models
        • Public Records Validation
        • Pattern Detection (Tumbling & Swapping, etc.)
        • Other types of “transaction intelligence”: Card BIN analysis, Customer history analysis (Time-on-file, etc.), etc.
        • Generally-available Internet Tools (Google Maps,, etc.)
     • There are many different flavors and levels of sophistication for each of these tools
     • Many of these have a cost associated (flat fee or per-use cost)
     • Many return data elements and responses that require additional analysis in order to be useful. Many of these techniques are used in conjunction with each other.
  17. Tool Example: IP Geolocation
     • Instantly compare an online customer's registered address with his real-world location to flag potential fraud
     • Pre-emptively block web site access to certain locales or IP origination points known to be frequent sources of fraud
     Image label: Real-world location
  18. Technique Example: Combining IP Geolocation with Additional Transaction Analysis
     Unusual combinations of location details:
     • I.P. address in California
     • Billing and/or Delivery address in London
     • Card issued in Poland
  19. Technique Example: Tumbling & Swapping
  20. Technique Example: Email Tumbling & Swapping and Pattern Detection
     Names: John1, John2, John3, John4, John5, John6, John7, John8, John9, John10
     Email addresses: [email_address] (×10)
     Up to 10% fraud rate on free email domains
  21. Technology Example: Neural Networks
     • Advanced mathematical models which “think” in dimensions that the human brain cannot
     • Models are created based on large volumes of historical “good” transactions and fraudulent “bad” transactions
     • New transactions are screened against the model, which generates a score indicating the probability that the transaction is fraudulent
     • Used successfully for many years in issuer fraud detection systems, mortgage/card application fraud, etc. Using it to detect card fraud for merchants is relatively new and requires different approaches to be successful
     • Outsourced by merchants to specialist providers
     Diagram: Model Building And Training
     • Good (Non-Fraud) Historical Transactions (Score: 0) and Bad (Confirmed Fraud) Historical Transactions (Score: 999) are used to build the Neural Model
     • Transaction Details (required fields vary depending on features & purpose of neural model) → Neural Model → Where does this fall?? GOOD?? BAD??
     • Score: 743. Scale: 0 to 999; 0 = Good, 999 = Fraud
  22. The "More Tools Create Greater Complexity" Challenge
     Transaction Data is run through each check:
     • Negative Data: No Matches
     • Business Rules: Everything’s OK; First time buyer
     • Device ID Check: No History
     • Address Validation: Address is Good; No match of Name to Address
     • Proxy Detection: Could be behind a University proxy
     • Neural Score: Score: 362
     NOW WHAT? Should you accept it? Should you outright deny it? Should you manually review it?
     Challenge: Not just managing the individual components, but the sum of the parts!
  23. The Real World Challenge
     • Using fraud tools & technologies effectively is not easy!
        • Fraud does not occur within neat, well-defined spaces
        • Individual tools can only detect certain types of fraud
     “Islands of Fraud in a Sea of Good Transactions”
     (Chart axes: Suspicious AVS, Order Amount)
  24. The Real World Challenge: Example
     • Example: Defining “bad” transactions using business Rule(s)
        • If Order Amount is Greater than $X then Manually Review
     (Chart axes: Suspicious AVS, Order Amount)
  25. The Real World Challenge: Example
     • Example: Defining “bad” transactions using business Rule(s)
        • If AVS Result is Suspicious then Manually Review or hard decline
     (Chart axes: Suspicious AVS, Order Amount)
  26. The Real World Challenge: Example
     • Example: Layering multiple business rules and Other Technologies
        • If Order Amount is Greater than $X then Manually Review
        • If AVS Result is Suspicious then Manually Review or hard decline
        • Use I.P. Geolocation Screening to find Location/Shipping Mismatches
     Problem: Strong Detection at the Cost of High False Positives!
     (Chart axes: Suspicious AVS, Order Amount; regions labelled Rule 1, Rule 2 and IP Geolocation Coverage)
  27. The Real World Challenge: What a Fraud Prevention System Should Do
     • A good, multi-dimensional fraud prevention system must seamlessly integrate many different tools and technologies to:
        • Accurately Detect Fraud
        • Minimize False Positives
        • Return a Sensible Response
     (Chart axes: Suspicious AVS, Order Amount)
  28. New Tools and Techniques Can Bring New Challenges
     • Some technologies don’t fit our existing paradigms
        • Some may require additional customer data, such as SSN/last 4 or ask personal validation questions
     • Some technologies are expensive
        • Cost per transaction increases when more techniques and technologies are added to the suite of fraud tools
     • Some address very specific fraud scenarios
        • Fraud Evolves. Will these be valid in 2 years? 1 year? 6 Months?
     • More tools and technologies can actually make decision making more difficult
        • Could lead to increased manual review costs, false positives and customer dissatisfaction
  29. Merchant vs. Issuer Fraud Prevention
     • Merchant Fraud Prevention
        • Screening is transaction-centric
        • Primary goal is to protect loss of goods while staying out of compliance programs (e.g. Visa RIS)
        • Primary focus on CNP channels
        • Historical perspective on cardholder is relatively limited
        • Transaction Data set is very robust – Who? What? When? How?
        • More focus on real-time screening
        • Many more detection tools exist due to robust CNP data set
     • Issuer Fraud Prevention
        • Screening is more account-centric
        • Primary goal is to protect losses within issuing portfolio
        • Not primarily focused on CNP – in fact, CNP is often removed from some screening models
        • Historical perspective on cardholder is comprehensive
        • Transaction Data set is limited: Basic account and transaction details
        • Less focus on real-time screening (although this is changing)
        • Certain tools can be deployed much more effectively (e.g. neural networks)
     Private Label transactions offer a unique “Issuer/Merchant” perspective, but consolidated Merchant / Issuing fraud prevention systems do not exist today!
  30. Private Label Card Fraud Examples

     | Fraud Rate | Private Label Cards: % of Transactions | Private Label Cards: % of Overall $ Value | Other Card Types: % of Transactions | Other Card Types: % of Overall $ Value |
     |---|---|---|---|---|
     | Large Retailer “A” (Apparel, Home Goods) | 0.08% | 0.23% | 0.16% | 0.34% |
     | Large Retailer “B” (Mixed Retail) | 0.44% | 1.56% | 0.41% | 1.30% |
     | Large Retailer “C” (Mixed Retail) | 0.50% | 0.98% | 1.5% | 3.2% |

     • Merchant sample includes 3 very large, established major retailers with significant transaction volumes and private label portfolios
     • Includes CNP Fraud rates for transactions taken place in 2008, with the exception of Retail “B”, whose statistics are from July to December 2008
     • Based on Retail Decisions merchant assessments, April 2009 (delay introduced to allow for confirmed fraud/chargeback resolution window)
     • “Fraud Rate” is defined as known-fraud, but not necessarily chargebacks. Some fraud is detected and denied before a chargeback occurs. Actual chargeback rates for Other Card Types are significantly lower than reflected above
  31. Private Label Fraud: So What Does This Mean?
     • The Good
        • Existing fraud prevention systems and techniques can be used to help prevent PL fraud – no special investment necessary
        • PL merchants have a full historical perspective of a consumer’s spending, which is valuable in fighting fraud (merchant/issuer perspective vs. a merchant only perspective with bankcards)
        • No association regulations/governance regarding chargeback rates, so balance between revenue and fraud rates can be adjusted such that chargeback rates can exceed 1% for extended periods of time
     • The Bad & The Ugly
        • Yes, Private Label Fraud exists! …and at relatively high levels
        • Private label card fraud has more of a negative impact on merchant from a consumer “trust” perspective vs. bankcard fraud (losing trust in the merchant vs. losing trust in the system)
        • Lack of consortium-based technology solutions in Private Label space from both an application and transactional perspective: i.e. negative files, consortium neural/statistical models, etc.
        • PL issuers/acquirers have not traditionally focused on offering merchant fraud services and CNP fraud is still increasing at an alarming rate
  32. Latest Trends: Private Label Gift Card and Stored Value Card Fraud on The Rise
     • Gift Card Fraud: Defined as the fraudulent purchase of a virtual or plastic gift card
     • Extremely Dangerous for a number of reasons:
        • Allows for easy monetization using fraudulent credit cards as the acquisition mechanism. Even if the compromised credit card is stopped by the issuer, the value on the gift cards usually persists and the merchant continues to be defrauded.
        • The purchase of the gift cards and the use of the actual gift card can occur across multiple channels, so the link is usually lost due to a lack of multi-channel fraud prevention systems (e.g. purchase the gift card online, use the gift card in-store)
        • Gift cards are highly fencible and a mature, legitimate resale market exists. In many cases the actual user of the gift card is not a criminal.

     Key: June – December 2008 [January-February 2009]

     | Fraud Rate | Virtual Gift Cards: % of Transactions | Virtual Gift Cards: % of Overall $ Value | Plastic Gift Cards: % of Transactions | Plastic Gift Cards: % of Overall $ Value | Other Card Types (Non-PL): % of Transactions | Other Card Types (Non-PL): % of Overall $ Value |
     |---|---|---|---|---|---|---|
     | Large Retailer “A” (Apparel, Home Goods) | 0.80% [1.50%] | 1.00% [1.70%] | 0.03% [0.60%] | 0.03% [0.90%] | 0.16% | 0.34% |
     | Large Retailer “B” (Mixed Retail) | 4.10% | 10.6% | 2.10% | 3.05% | 0.41% | 1.30% |
     | Large Retailer “C” (Mixed Retail) | 1.70% [6.70%] | 2.60% [5.5%] | 0.70% [2.7%] | 2.80% [2.6%] | 1.5% | 3.2% |
  33. What can be accomplished? Customer Case Study – Top 10 Retailer
     • Prior to implementation of ReDShield (January 2007), Retailer had a charge-back rate of 0.5% by value, with revenues growing by $3 million per month
     • As at December 2007, Retailer average charge-back rate was 0.08% by value
     • Total value and volume continue to grow (~200% in value in 2007); charge-backs continue to decrease and the decline rate remains low at 3.8%
     (Chart: Retailer Chargeback Data)
  34. Customer Case Study – Top 5 Digital Download / Gaming
     • Top 5 online gaming merchant with over 12 million active customers
     • ReD Shield helped to significantly reduce Digital Merchant’s deny rate from 14% in May 07 to 3% in March 08
        • Total of 8,646 chargebacks received for a total volume of 2.5 million transactions
        • Chargeback rate reduced from 1.64% in May 2007 to less than 0.02% in March 2008
  35. Customer Case Study – Top 5 Global Travel Site (£ ‘000)
     • In January 2007 Travel Site began to make use of ReD Shield – after six months, 90% of the total fraud losses were stopped

     | Country | Total Fraud | Total Fraud stopped by ReD | Percentage Stopped |
     |---|---|---|---|
     | UK | 1,356 | 1,186 | 88% |
     | Germany | 356 | 330 | 93% |
     | France | 504 | 476 | 95% |
     | Italy | 6 | 4 | 60% |
     | TOTAL | 2,221 | 1,996 | 90% |
  36. Customer Case Study – Fraud Ring for Top 5 Jeweller (Day 1)
     Individual IP address, phone numbers, email address, card numbers & shipping addresses all shared and used in one attack
  37. Customer Case Study – Fraud Ring for Top 5 Jeweller (Day 3)
     Individual IP address, phone numbers, email address, card numbers & shipping addresses all shared and used in one attack
  38. Customer Case Study – Fraud Ring for Top 5 Jeweller (Day 7)
     Tried to get £30,000 worth of goods in just 7 days
     Individual IP address, phone numbers, email address, card numbers & shipping addresses all shared and used in one attack
     • 55 delivery addresses, 30 computers, 64 email addresses, 55 credit cards and 50 telephone numbers
  39. Customer Case Study – ReD Shield Consistent Results
     • UK Top 5 High-Street Retailer began using ReD Shield in August 2007
     • International Mobile Phone Operator began using ReD Shield in June 2002
     (Charts: Total Chargeback Rate for the Mobile Phone Operator; Total Chargeback Rate for the Major High Street Retailer (Pharmacy/Cosmetics, etc.))
  40. Thank You! Please feel free to contact me with any questions!
     Christopher Uriarte
     [email_address]
     US: +1 732.452.2440
     UK: +44 (0) 1483 728700
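
Added example (not part of the original presentation): one way to detect the email tumbling pattern of slide 20, where John1 to John10 place orders from a free email domain. The domain list, thresholds, field names and sample orders are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed free-webmail domains (placeholders, not from the slides).
FREE_DOMAINS = {"freemail.example", "webmail.example"}
_SUFFIX = re.compile(r"^(.*?)(\d+)$")


def split_local(local):
    """'john10' -> ('john', 10); no stem or no trailing digits -> (local, None)."""
    m = _SUFFIX.match(local)
    if m and m.group(1):
        return m.group(1), int(m.group(2))
    return local, None


def find_tumbling(orders, min_variants=4, window=timedelta(hours=24)):
    """Flag stem@domain groups that show at least min_variants different
    numeric suffixes inside one sliding time window."""
    groups = defaultdict(list)
    for o in orders:
        local, _, domain = o["email"].lower().partition("@")
        stem, n = split_local(local)
        if n is not None:
            groups[(stem, domain)].append((o["time"], n, o["order_id"]))

    alerts = []
    for (stem, domain), hits in groups.items():
        hits.sort()                      # oldest order first
        best, start = [], 0
        for end in range(len(hits)):
            # Shrink the window until it spans no more than `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            if len({n for _, n, _ in span}) > len({n for _, n, _ in best}):
                best = span
        variants = sorted({n for _, n, _ in best})
        if len(variants) >= min_variants:
            alerts.append({
                "stem": stem,
                "domain": domain,
                "free_domain": domain in FREE_DOMAINS,
                "suffixes": variants,
                "orders": [oid for _, _, oid in best],
            })
    return alerts


def sample_orders():
    """Constructed sample: six tumbled addresses plus ordinary customers."""
    t0 = datetime(2009, 5, 1, 9, 0)
    orders = [
        {"order_id": f"T{i}", "email": f"John{i}@freemail.example",
         "time": t0 + timedelta(minutes=7 * i)}
        for i in range(1, 7)
    ]
    orders += [
        {"order_id": "G1", "email": "mary1985@webmail.example", "time": t0},
        {"order_id": "G2", "email": "bob2@freemail.example", "time": t0},
        {"order_id": "G3", "email": "bob7@freemail.example",
         "time": t0 + timedelta(days=9)},   # same stem, but far apart in time
        {"order_id": "G4", "email": "sales@shop.example", "time": t0},
    ]
    return orders


if __name__ == "__main__":
    for alert in find_tumbling(sample_orders()):
        print(alert)
```

A single address with a trailing number (mary1985) and two same-stem addresses nine days apart do not alert; only the burst of suffix variants does.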
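
Added example (not part of the original presentation): the layered rules of slides 24 to 26 compared with a decision that weighs the same rule hits together with a 0 to 999 model score, measured with the metrics of slide 14. The $X limit, weights, thresholds and the ten orders are assumptions constructed for illustration; order 7 uses the slide 18 location combination and order 10 the slide 22 score of 362.

```python
from collections import Counter

AMOUNT_LIMIT = 500  # stands in for the "$X" of the slides; value assumed


def signals(o):
    """The three layered checks of slide 26, one boolean each."""
    return [
        o["amount"] > AMOUNT_LIMIT,                    # Rule 1: order amount
        o["avs"] != "match",                           # Rule 2: suspicious AVS
        len({o["ip"], o["ship"], o["card"]}) > 1,      # location mismatch
    ]


def layered_rules(o):
    """Any rule that fires sends the order to manual review."""
    return "challenge" if any(signals(o)) else "accept"


def combined(o, per_signal=150, challenge_at=500, deny_at=900):
    """Weigh rule hits together with the model score (weights assumed)."""
    risk = o["score"] + per_signal * sum(signals(o))
    if risk >= deny_at:
        return "deny"
    return "challenge" if risk >= challenge_at else "accept"


def metrics(orders, strategy):
    """Manual review rate, outright deny rate, missed fraud, insulted customers."""
    decisions = [strategy(o) for o in orders]
    counts = Counter(decisions)
    pairs = list(zip(orders, decisions))
    return {
        "review_rate": counts["challenge"] / len(orders),
        "deny_rate": counts["deny"] / len(orders),
        "fraud_accepted": sum(o["fraud"] and d == "accept" for o, d in pairs),
        "good_not_accepted": sum(not o["fraud"] and d != "accept" for o, d in pairs),
    }


# Constructed orders: amount, AVS result, IP / ship-to / card-issuer country,
# model score, and the fraud label that only becomes known later.
FIELDS = ("amount", "avs", "ip", "ship", "card", "score", "fraud")
ROWS = [
    (900, "match",    "US", "US", "US",  40, False),  # large but genuine
    (60,  "partial",  "US", "US", "US",  80, False),  # customer moved house
    (120, "match",    "FR", "US", "US", 120, False),  # customer travelling
    (45,  "match",    "US", "US", "US",  30, False),
    (80,  "match",    "US", "US", "US",  60, False),
    (30,  "match",    "US", "US", "US",  20, False),
    (700, "no_match", "US", "GB", "PL", 743, True),   # slide 18 combination
    (200, "match",    "US", "US", "US", 820, True),   # clean details, bad score
    (650, "partial",  "US", "US", "US", 610, True),
    (550, "no_match", "US", "US", "US", 362, False),  # the "NOW WHAT?" case
]
ORDERS = [dict(zip(FIELDS, row)) for row in ROWS]

if __name__ == "__main__":
    for name, strategy in (("layered rules", layered_rules), ("combined", combined)):
        print(name, metrics(ORDERS, strategy))
```

On this sample the layered rules review 60% of orders, insult four good customers and still accept the one fraud that trips no rule; the combined decision reviews 20%, denies 20% and accepts no fraud.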
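
Added example (not part of the original presentation): linking orders that share an IP address, phone number, email address, card or shipping address, as in the jeweller fraud ring of slides 36 to 38. It uses a union-find structure as one possible technique; field names, the minimum ring size and the sample orders (documentation IP ranges, tokenised cards) are assumptions constructed for illustration.

```python
from collections import defaultdict

LINK_FIELDS = ("ip", "phone", "email", "card", "ship_to")


def find_rings(orders, min_orders=3):
    """Group orders that are connected, directly or through other orders,
    by at least one shared attribute value."""
    parent = {o["id"]: o["id"] for o in orders}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen = {}                          # (field, value) -> first order id
    for o in orders:
        for field in LINK_FIELDS:
            value = o.get(field)
            if not value:
                continue
            key = (field, value)
            if key in first_seen:
                ra, rb = find(first_seen[key]), find(o["id"])
                if ra != rb:
                    parent[rb] = ra
            else:
                first_seen[key] = o["id"]

    clusters = defaultdict(list)
    for o in orders:
        clusters[find(o["id"])].append(o)

    rings = []
    for members in clusters.values():
        if len(members) >= min_orders:
            rings.append({
                "orders": sorted(m["id"] for m in members),
                "distinct": {f: len({m[f] for m in members if m.get(f)})
                             for f in LINK_FIELDS},
            })
    return rings


# Constructed orders: id, ip, phone, email, card token, ship-to token.
ROWS = [
    (1, "192.0.2.10", "555-0101", "a1@freemail.example", "card-01", "addr-A"),
    (2, "192.0.2.10", "555-0102", "a2@freemail.example", "card-02", "addr-B"),  # IP of 1
    (3, "192.0.2.11", "555-0103", "a3@freemail.example", "card-02", "addr-C"),  # card of 2
    (4, "192.0.2.12", "555-0104", "a4@freemail.example", "card-03", "addr-C"),  # address of 3
    (5, "192.0.2.13", "555-0104", "a5@freemail.example", "card-04", "addr-D"),  # phone of 4
    (6, "198.51.100.7", "555-0190", "g1@corp.example", "card-90", "addr-X"),
    (7, "198.51.100.8", "555-0191", "g2@corp.example", "card-91", "addr-Z"),
    (8, "203.0.113.5", "555-0192", "g3@corp.example", "card-92", "addr-Y"),
    (9, "203.0.113.6", "555-0193", "g4@corp.example", "card-93", "addr-Y"),  # same household
]
ORDERS = [dict(zip(("id",) + LINK_FIELDS, row)) for row in ROWS]

if __name__ == "__main__":
    for ring in find_rings(ORDERS):
        print(ring)
```

No single attribute is common to all five linked orders, so a per-field velocity check would miss the ring; the two orders sharing only a household address stay below the ring size and are not flagged.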