Card Not Present Fraud Webinar Transcript All right let s go ahead and get things started, and to do that, I d like to turn it over to Fae Ghormley. Fae? Thank you for giving us this opportunity to share with you some insights into credit card fraud, specifically, for Card Not Present transactions. We will begin today with our definition of fraud and then talk about ways to identify when a transaction is fraud. Next, we ll talk about liability: Who actually pays for the fraud. And last, we ll review methods that help to reduce or prevent fraud. So what is fraud? There are many different types of fraud. For today s discussion, we describe fraud as an unauthorized use of a credit card account, the assumption of another person s identity to execute unauthorized transactions. The unauthorized use of a credit card could be with lost or stolen cards or from counterfeit cards created by criminals with information they obtained from compromised websites or any other database which contains card and personal information. Before we get into specifics, I want to clarify that we will be talking only about fraud disputes and chargebacks. Cardmembers can also dispute charges when they are unhappy about a product or service or when they do not receive the goods or a credit when expected. American Express refers to these disputed transactions as customer service issues and these are not included in our conversation today. Today we focus on what is often the work of organized criminal groups a way for criminals to obtain goods or services which are then turned into cash to be used for other elicit activities. With increased use of the Internet and social media, fraudsters have a large amount of information at their disposal that can be used for illegal purposes. The Internet provides a great opportunity to increase sales and reach many more customers than through traditional brick-and-mortar sales channels; however, it also opens the same door of opportunity to fraudsters who are always on the alert for a new way to commit fraud. Fraud impacts merchants, Cardmembers and credit card companies. According to the 2010 Lexus Nexus True Cost of Fraud Study, for every $100 in fraudulent transactions, merchants are paying a true cost of $310 in total losses. Merchants are not only suffering the loss from the fraudulent transaction, but also shouldering associated costs for fees and interest and costs for replacing lost of stolen merchandise. The actual amount of the fraudulent transaction represents only a percentage of the total loss incurred by the merchant. Fraud not only alters consumer victims monetarily but also alters perceptions and behaviors which can have a significant impact on retail merchants. Also from the Lexus-Nexus study, we find that more than one in three consumers who were victims of fraud avoid certain merchants. One in four report that they spend less money and almost one in three report switching payment methods; thus, it is up to all of us to take an active approach to mitigate fraud, to prevent the negative impact on consumer behavior and perceptions. Our conversation today is specifically about Card Not Present transactions. We identify a transaction as Card Not Present when a purchase is made by phone, through the mail or
online. The card as well as the cardholder are not physically present at the point of sale. It s no surprise the fraudsters increasing target Card Not Present sales channels. A fraudster does not have to create a card, risk getting caught on video or store security, or even leave their house the transaction is anonymous. It is up the merchant and the credit card company to determine if the person making the purchase is really who they say they are and where they say they are. Unlike swiped transactions at brick-and-mortar stores where the location of the purchaser as well as other attributes of the customer are tangible, in a Card Not Present transaction, a fraudster can be located in another country, half way across the world and the merchant would not know if they provide billing and shipping information that reflect otherwise. Fraudsters also create computer programs to systematically purchase goods using hundreds or even thousands of card numbers within minutes. As mentioned earlier with the increased use of the Internet and social media as well as other methods, unfortunately information and valid card numbers are rather easily obtained and used by fraudsters. Compromised shipping locations are also used another way to conceal the true identity of the purchaser. There appears to be an endless supply of gullible and trusting accomplices willing to receive and ship goods for a new friend or through work-at-home schemes. How do we identify fraud? Certain behaviors can indicate that a transaction has a higher risk of being fraudulent. Before we talk about ways you can identify a potentially fraudulent situation at your business, I d like to spend a few minutes describing some of the things that American Express does to identify fraud. American Express uses sophisticated processes to review each transaction at the point of sale to determine risk. It is during the authorization process that American Express reviews information and makes the best risk decision possible. The goal is to enable good sales while being precise to disrupt only those sales that are too risky to approve. Our risk analysis includes Cardmember spend patterns, such as has this customer ever purchased online, merchant patterns or a dramatic increase in the volume of transactions could indicate a fraud episode, and patterns we see across the network, such as use of a fraudulent shipping location. Many situations that could indicate higher risk are unknown to American Express, as they are specific to the merchant and channel. And risk assessment as well as risk tolerance vary greatly by business, sales channel and product. This slide identifies situations which may occur during valid transactions however could be suspicious. So let s talk about a few of these red flags that might be cause for concern: Rush orders. If the typical customer accesses your site, spends time shopping and checking prices, and only then heads to your checkout page, a transaction when the purchaser makes very few clicks and spends minimal time on the site could be suspicious. The purchase of multiple same items could indicate that the customer intends to resell the goods on ebay or elsewhere to obtain cash. Not only does the sale of these items impact your bottom line, but this impacts your brand and reputation. Certain products such as gift cards are of high value to fraudsters as these are easily sold and a way to obtain quick cash. It is important to include all transactions across all payment methods in your internal risk analysis even those that are declined to identify patterns and trends that are of higher risk and potential fraudulent activity.
So what information should be reviewed when assessing a transaction for risk? We recommend that merchants capture key elements about a transaction that can be used in internal risk controls and to manually review high-risk orders. Elements of importance in risk assessment are customer information, transaction information, payment product and session information. Let s review some elements of each: For customer information, loyalty programs, if it s a new or returning customer and login process is critical; transaction information; what is the IP address where the transaction originates from, what is the product being purchased and the volume of products, the payment information, is this a new payment method or some repeat use? And what are the results of verification from payment providers. And the session information what s the shopping time prior to purchases, the time spent on product comparison etc. Interestingly, I recently attended the Merchant Risk Counsel meeting where many sessions spoke about the need to review typical shopping patterns to identify out of pattern and risky transactions. The identification of the usual transaction flow creates a strong benchmark to identify risk. The Merchant Risk Counsel is a merchant-led trade association focused on electronic commerce risk and payments globally. The MRC leads industry networking, education, benchmarking and advocacy programs to make electronic commerce more efficient, safe and profitable. At the end of our presentation, I ll provide the Internet address for the MRC. So we talked about how to assess risk to identify fraud; now let s talk about what happens if a transaction is claimed as fraud. As mentioned, the goal is to enable good sales while being precise to disrupt only those sales that are too risky to approve. The challenges of ensuring a good experience for legitimate customers, balanced with the precise identification of a fraudulent transaction is indeed daunting, especially since merchants all have varying levels of risk tolerance. For example, a new company with an innovative product might be more concerned with rolling out their product to market quickly. In this situation, the company has likely invested more resources into their product and they do not want to risk lost sales or a negative shopping experience. Merchants who sell digital goods might also have a higher tolerance for risk because they are not physically shipping a product where the monetary loss might be greater. Alternatively, a company that sells luxury jewelry might be more cautious, as each sale and potential loss from fraud has a greater impact on the overall bottom line higher dollars lost and negative brand impact with merchandise sold on ebay or elsewhere. Unfortunately, with these challenges and the high volume of creative and hard working fraudsters, it is often not a matter of if a transaction is claimed as fraud, it is merely when and how often. Thus, the issue of who is liable for the amount of the transaction is concern. Before talking about ways to reduce liability, I want to describe the Chargeback process, as American Express s process differs slightly from other card companies. For many card companies, transactions that are disputed are immediately charged back to the merchant; then the merchant is given an opportunity to provide documentation in the hopes of winning and thus reversing the chargeback and having funds returned. In most cases with American Express when the transaction is claimed as fraud, the merchant is first given an opportunity to provide documentation. After review of the documentation, American Express makes a determination as to who is liable for the transaction the merchant or
American Express. It is at this time that funds are debited from the merchant if it is determined that they are liable. To reduce liability, merchants must follow card acceptance procedures. Card acceptance procedures are outlined in the Merchant Regulations. Obtaining a valid approval code and responding to requests for support within the specified time frame are critical to ensure reduced liability for fraud transactions. In addition to providing sufficient information to document the transaction, American Express requires that when physically shipping goods, they must be shipped to the billing address. Although many legitimate transactions occur when the shipping address differs from the billing address, this raises the risk of the transaction. This then becomes a business decision. For some companies such as florists or those who sell novelty items, most sales are gifts for others, thus shipping to alternate addresses is extremely common and required for customer satisfaction and continued sales. To reduce liability, your risk analysis is critical in these cases; as, should the transaction be claimed as fraud, if shipped to an alternate location, you will be charged back. Several years ago, American Express required a signature when the goods were delivered; however, this requirement has been discontinued. Merchants are still required to obtain proof of delivery at the billing address from the shipper. When doing so, ensure that the shipper provides the full address; in some cases, the shipper provides only the city and state, and this is not sufficient proof of delivery to the billing address. We described fraud, we talked about how to identify risky transactions, and we talked about liability. Who pays for fraudulent transactions? Now, let s take some time to review fraud prevention solutions. Since you ve all taken the time to attend this webinar today, I assume that you are interested in fraud, especially ways to control and prevent it. We know that fraudsters network with other fraudsters and take the time to train others on how to commit illegal acts. There are websites and chat rooms providing fraudsters compromised cards to purchase and additional information on how to commit fraud; thus the involvement of merchants, card companies and cardholders is critical in combating fraud and we especially appreciate your interest and partnership. Card companies have fraud prevention solutions and it is strongly recommended that you take advantage of all fraud solutions available. Since the fraudsters are continually evolving and changing their methods to commit fraud we recommend a layered approach for fraud control there is no silver bullet. When good decisions are made, the result is increased sales and reduced fraud. American Express has invested heavily in our infrastructure to enable review of numerous elements at the time of authorization, many of which are not available from other payment methods. There is no fee for any of the fraud solutions that we will discuss. Electronic Verification and Enhanced Authorization are fraud solutions used at the time of authorization to ensure the best risk decision possible. Charge Verification is a solution that provides additional review after a transaction has been approved but before fulfillment. We ll take some time now to talk about these tools in more detail. First we ll talk about Electronic Verification and the variables that make up this tool. When more information is available for review, the risk decision is improved. This means that more legitimate transactions are approved, resulting in greater sales and revenue, and high-risk transactions are declined, resulting in reduced fraud. Most card companies and Card Not Present merchants are familiar with the security number to validate the card.
American Express uses the CID, the 4-digit number on the front of the card, and Visa and MasterCard use the 3-digit number on the signature panel. For Cardmember authentication, the postal ZIP code and billing address are used. For the most part, online shoppers are familiar with the request to provide these pieces of information, as this is fairly standard in today s environment. It is important to understand that verification of this information is helpful to American Express in assessing risk and it is helpful to you to also help assess risk. American Express might approve what is perceived as a low risk transaction even if some data elements do not match. All data elements provided within a transaction request are used in making an authorization decision. Where each element is important, no single element alone is used to approve or deny a transaction. It is important that merchants deploy all fraud prevention tools available to them at the point of sale. These tools enable American Express to receive additional information and make a more informed authorization decision. Our fraud prevention strategy is to stop as much fraud as possible at the point of sale while balancing good member spend. In addition to the standard verification of CID, postal ZIP code and billing address, American Express has the ability to verify the Cardmember name, billing phone number and email address. When this information is sent to American Express in the authorization request, this information is reviewed and used in our risk decision and verification of all elements is provided to you in the authorization response when the transaction is approved or declined. The verification results can then be incorporated into your internal risk analysis and used to determine your next steps: Do you fulfill the order right away, perform a more manual, more intense review, or decline if other elements like we talked about the product or behavior identify greater risk. Lets look closer at two variables: phone and email. While all data elements provided within an approval request are used in making an authorization decision, and each element is important, some elements are greater differentiators of risk. Billing phone number and email address verification are extremely valuable in risk assessment, as even if this information was available to the criminal, it would not be used by the criminal, as merchants typically phone or email customers to confirm or provide information about the order, such as shipping date, back order, etc. If a criminal uses the Cardmembers true contact information, the customer would be alerted to activity they did not authorize. American Express research from August of 2011 reflects that when a phone number matches the one on file with American Express, the transaction is up to nine times less risky. And even more powerful, transactions where the email address matches are up to 11 times less risky. Not only does this additional information identify high-risk transactions, it is also extremely helpful in enabling good sales. Thus, a transaction appearing to be risky might be a [sic] legitimate and could be approved with the added assurance that the phone number and/or email address provided match our American Express records. The electronic verification process we just discussed all happens systematically in the authorization process. The information is captured by the merchant and sent to American Express. American Express reviews everything available and either approves or declines the transaction. It is at the same time that American Express sends the approval code or the decline message that it sends back all the verification results: Does the CID match or
does it not match, does the address match or not match etc. This is the recommended approach, as it is systematic, requires less manual work, and provides American Express additional information to use in our risk analysis. Due to technology issues, some merchants might not be able to pass this added data in the authorization request, or they might not be able to receive the verification results. Thus, a stand-alone verification product is available. Verify It is a stand-alone verification tool that provides a method for you to obtain information outside of the authorization process. Although a manual process, this tool is helpful for merchants unable to make systems changes or for those where authorization information is not available in the review or fulfillment process. The Verify It tool is easy to use; users can perform up to five inquiries concurrently. It s always available 24/7, and as with all our other tools, it is free. To register and use this tool, just go to americanexpress.com/verifyit. Let s discuss our next tool, Enhanced Authorization. The Enhanced Authorization tool enables merchants to increase sales and prevent fraud through the review of additional transaction details included in the authorization request. American Express reviews elements for known fraud patterns across our network; thus, a transaction that appears to be legitimate might look entirely different when the shipping address is provided and this address was previously identified as used for fraud shipments. By providing these additional data elements in the authorization request, American Express can compare this information across our network to identify risky patterns and trends. For example, a fraud episode could be identified if the IP address is sent to American Express where it could be saying that [sic] unusually high velocity of transactions across cards and merchants were all originating from the same IP address within a short amount of time. The more information available to review, the better the risk decision. When this information is reviewed and compared against the millions of transactions that enter our network daily these data elements become even more valuable in assessing risk. Elements that are available for you to send in the authorization request are email address, IP address and shipping information. Unlike the Electronic Verification tool that I previously told you about, there is not a match/no match response sent back to you for the IP address or the shipping information. As these variables are essential to complete the purchase, the customer is not asked for any additional information nothing to delay the checkout process; merely send American Express all the information already collected from the customer in order to complete the transaction and these elements will be included in our risk analysis. The additional data elements sent to American Express in the authorization request builds our negative and positive databases. This information helps to identify risk as well as enable legitimate sales. For example once we know that a shipping location is confirmed as fraud, this information is available to identify fraud for subsequent transactions from different merchants and card numbers. This information is updated within hours of the original authorization, thus, benefits fraud protection virtually in real time. There is no need to wait for a Cardmember to be billed for a fraudulent transaction that occurred weeks or even months ago to leverage this valuable data. According to research from the American Express Fraud Study from August of 2011, merchants who implemented Enhanced Authorization experienced on average a 40% reduction in fraud, comparing before and after implementation and there is no increased in disruptions;
rather, in many cases reduced disruptions due to the elements which make us more confident of the legitimacy of the transactions such as matching email and phone number. The value for this fraud-prevention tool for all merchants continues to increase as transactional history grows. Another tool offered by American Express free of charge is Charge Verification. We ve spoken about ways to detect risk at the time of the authorization and thus reduce fraud. As we discussed there are many data elements that could reflect high risk that are unknown to American Express. The product, the transaction behavior etc. The Charge Verification tool enables review of approved charges that you feel are risky and would like to research further. For approved transactions that you believe are suspicious, just contact the Charge Verification Group. Call American Express before you ship goods or provide services. American Express will attempt to contact the Cardmember to validate the transaction, and once the Cardmember is reached, we will contact you to let you know if the transaction was authorized by the Cardmember no systems or technology requirements, no fee. Thank you for taking the time to attend our Card Not Present Fraud Solutions Webinar. We ve covered a lot of information today; we described fraud and talked about how to identify risky transactions; we discussed liability issues who pays for fraudulent transactions; and we provided information on American Express s capabilities and fraud tools. We hope that you consider our recommendations, build internal processes and controls to identify risky transactions and send additional data to American Express for an improved risk decision. And we encourage you to attend and participate in the fight against fraud with fellow merchants through non-profit merchant associations. For implementation of Electronic Verification and Enhanced Authorization, please contact your payment provider; for Charge Verification, contact American Express.