A combination of better fraud-detection technologies and stronger consumer-authentication strategies is helping e-commerce merchants hold the line on fraud losses, a study from payments consultancy Mercator Advisory Group says. This is the case even though more criminals are practicing their dark art in the online channel as EMV cards roll out in the United States.
Fraud detection and transaction decisioning technology are anywhere from 90% to 99% effective in helping e-commerce merchants root out fraud, even while e-commerce sales continue to grow by double-digit rates, says Raymond Pucci, associate director, research services for Maynard, Mass.-based Mercator.
The Mercator study, entitled “Card-Not-Present Fraud: The Merchant Empire Strikes Back,” details the state of CNP fraud in the U.S. and strategies merchants are using to prevent it. E-commerce fraud losses continue to hold steady at 0.9% of sales, according to Mountain View, Calif.-based CyberSource, a Visa Inc. company, the Mercator report says.
One of the keys to neutralizing online fraud is that e-commerce merchants are doing a better job of securing their databases storing consumer transaction and card data by working with data-security firms, rather than assigning that task to their information-technology staff, Pucci says.
“Data-security firms can help merchants find where the vulnerabilities in the network lay to prevent being hacked,” says Pucci. “Using credit card accounts stolen in a data breach to make a purchase online has been a core part of online fraud in recent years.”
Acceptance of mobile wallets, such as Apple Pay and Samsung Pay, is also giving e-commerce merchants additional tools to fight fraud, as the technology tokenizes account numbers before the transaction is initiated. Tokenization replaces sensitive payment data with a randomly generated algorithmic code or token that cannot be mathematically reversed. The cardholder’s actual account number is stored elsewhere on a secure server, usually in the cloud.
Exchanging single-use digital tokens at the point-of-sale prevents online merchants from receiving actual card-account numbers that can be intercepted online. It also makes certain that any account information stored in the merchant’s database is useless in the event of a data breach.
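The tokenization flow described above, sketched as an added example that is not taken from the Mercator report or from any wallet provider's code: the `TokenVault` and `Merchant` classes, the `tok_` prefix, and the test card number are assumptions made for illustration. It shows a random token with no mathematical link to the account number, single-use redemption, and a merchant order table that holds no card number.

```python
import secrets


class TokenVault:
    """Hypothetical token service run outside the merchant's environment."""

    def __init__(self):
        self._pan_by_token = {}  # token -> account number, held only by the vault

    def tokenize(self, pan: str) -> str:
        # The token comes from a CSPRNG and is not derived from the PAN,
        # so no computation on the token can recover the account number.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def redeem(self, token: str) -> str:
        # Single use: the mapping is deleted on first redemption.
        pan = self._pan_by_token.pop(token, None)
        if pan is None:
            raise KeyError("unknown or already-used token")
        return pan


class Merchant:
    """Hypothetical merchant whose order records contain tokens only."""

    def __init__(self):
        self.orders = []

    def checkout(self, token: str, amount_cents: int) -> dict:
        order = {"token": token, "amount_cents": amount_cents}
        self.orders.append(order)
        return order


def run_demo() -> dict:
    vault, merchant = TokenVault(), Merchant()
    pan = "4111111111111111"  # constructed test number, not a real account
    t1, t2 = vault.tokenize(pan), vault.tokenize(pan)
    order = merchant.checkout(t1, 2599)
    settled_pan = vault.redeem(order["token"])  # processor side, first use
    try:
        vault.redeem(order["token"])  # replay of an intercepted token
        replay_ok = True
    except KeyError:
        replay_ok = False
    leaked = any(pan in str(o) for o in merchant.orders)
    return {"distinct": t1 != t2, "settled": settled_pan == pan,
            "replay_ok": replay_ok, "pan_in_merchant_db": leaked}
```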
Biometrics to authenticate a consumer making a purchase through a mobile phone is another layer of technology e-commerce merchants can use to stymie criminals, Pucci says. San Jose, Calif.-based PayPal Holdings Inc., for example, offers accountholders the option of biometric authentication at checkout. When a PayPal user with a Samsung Galaxy S5 phone links her fingerprint to her PayPal account, she can scan her finger on the device when checking out on any m-commerce site that accepts PayPal.
Checkout is an area where e-commerce merchants can layer in even more fraud detection by authenticating the mobile device being used to make a purchase, Pucci says. Device fingerprinting allows fraud analysts to recognize a device by revealing its true location and IP address. Many criminals will spoof a device’s IP address to hide their true location, such as a country known to be a hotbed of fraud, from merchants. Fraud analysts can also check whether the device has a history of fraud. Such techniques not only help lower fraud but also reduce the risk of false positives that can cost merchants sales.
“Using algorithms that learn over time, as opposed to rules-based applications, is also helping cut down fraud,” Pucci says. “What e-commerce merchants need to remember is that fraud detection is an arms race with criminals. The more layers of detection they put into place, the more they can lower their fraud risk.”