Online Fraud
Prepare For The Rising Tide
FIS/Digital Transactions Webinar
René M Pelegero
President, RPGC Group, LLC
October 4th, 2016
Copyright © 2010-2016 RPGC Group LLC All rights reserved
Total Cost Of Fraud
• Reported gross card fraud losses globally: $16.31B in 2014*
– Of that, the US accounts for 48%, with issuers absorbing 62% and merchants 38%, resulting in reported fraud losses of approximately 0.05%
• However, this number woefully understates fraud for CNP US merchants
– The global card fraud report also includes the volume of cash withdrawals at ATMs
– Includes physical transactions where liability resides with issuers
– Does not include additional costs associated with other fees associated with chargebacks
For the purposes of this presentation overall fraud losses as reported from chargebacks shall be assumed to be 0.30%
* Source: The Nilson Report, July 2015, “Card Fraud Worldwide”
Running Total 0.30%
Total Cost of Fraud
• The value of each fraudulent transaction is increasing
– Q: In a typical month, approximately… [w]hat is the average value of successful fraud transactions?
• Therefore, the cost of fraud as a % of revenue is also increasing
– Q: What is the approximate dollar value of your company’s total fraud losses over the past 12 months?
Fraud losses as a percent of total annual revenue
* Source: LexisNexis 2016 True Cost of Fraud Study
Further…
• Fraud reported as chargeback is only a portion of the total fraud experienced by online merchants*
– “Did not receive”, “Came damaged”, “I did not sign up”
– Carrier fraud
• These losses are usually refunded to the card and, many times, are not included in overall fraud results
– These losses account for between 65% and 75% of all losses depending on merchant size, adding an estimated 77 bps to the running total
* Source: Cybersource 2016 Annual Fraud Benchmark Report
Running Total 1.07%
In Addition
• Overall manual review rate is 29% in 2015 across all merchants
– (up from 27% in 2013)
* Source: Cybersource 2016 Annual Fraud Benchmark Report
Cost of Manual Review
• The cost of manual review adds from 0.53% to nearly 2% to the cost of payments
– For the purposes of this analysis, we’ll add 93 bps to the running total

                                                                  $5-$25 Million   > $100 Million
Orders per month                                                          10,000        1,000,000
Average sales transactions                                               $ 50.00          $ 50.00
Average monthly sales                                                  $ 500,000     $ 50,000,000
Average manual review rate                                                   29%               8%
Number of orders manually reviewed/mo                                      2,900           80,000
Orders reviewed by an investigator per day                                   125              125
Orders reviewed by an investigator per 20 day month                        2,500            2,500
Number of investigators required                                            1.16               32
Annual fully burdened investigator cost (e.g. salary, benefits)        $ 100,000        $ 100,000
Monthly fully burdened investigator cost                                 $ 8,333          $ 8,333
Monthly fully burdened investigator staff                                $ 9,667        $ 266,667
Monthly cost of investigator staff as % of sales                           1.93%            0.53%
Running Total 2.00%
Cost of Technology and Tools
• Tools and technology costs account for about 60% of total fraud management budgets
• If the cost of manual reviews was estimated at 93 bps, we estimate tools and technology costs to be another 50 bps
Running Total 2.50%
* Source: LexisNexis 2016 True Cost of Fraud Study and Vesta Javelin “The Impact of Fraud and Chargeback Management on Operations”, 2015
Cost of PCI DSS Compliance
• PCI DSS Compliance Requirements
– Level 1 – Onsite audit by a QSA
– Others – Self Assessment Questionnaire
• May also require vulnerability scanning, penetration testing, and security training
– Cost a factor of company size, locations, IP addresses
• Cost of preparation
• Cost of audit and repairing of vulnerabilities
• Cost of supporting new requirements (e.g. PCI DSS 3.2)
• PCI Compliance fees from Acquirers
– Maintaining PCI Compliance can range from a few thousand to hundreds of thousands of dollars per year
• Cost of Non-Compliance
– Non-Compliance fines from $5,000 to $100,00 per month
– $3-$10 card replacement fine plus forensic audit costs, fraud on compromised cards, lawsuits, loss of business, etc.
Retailers have collectively spent more than $1 billion so far on PCI DSS compliance
Source: National Retailer Federation
Fraud Fighting Impacting Customer Experience
• Two categories
– Issuer declines
– False positives
• Opportunity Cost
– Issuer Declines 0.80%
– False Positives 0.15%
[Flow diagram: 10,000 orders through bankcard authorization, fraud screen and manual review]
– Bankcard authorization process (90% approval): 10,000 orders, 9,000 approved orders, 1,000 declined orders
– Declined orders: “Good” declines (60%), Do Not Honor (40%)
– Retry, 20% save: retried saved declines (80), $4,000; retried unsaved declines (320)
– Fraud screen, 29% review rate: 6,390 approved orders, 2,610 to-be-reviewed orders
– Manual review, 2.8% reject: 2,537 screened & approved orders; 15 (20%) rejected “good” orders, $731; 58 (80%) rejected “bad” orders
– Opportunity cost labels: issuer declines (0.80%), false positives (0.15%)
Running Total 3.45%
* Source: LexisNexis 2016 True Cost of Fraud Study and Cybersource 2016 Annual Fraud Benchmark Report
Total Cost of Fraud
• Chargeback reported fraud
– 0.30%
• Losses from fraudulent claims
– 0.77%
• Cost from staff for manual reviews
– 0.93%
• Cost from technology and tools to identify and minimize fraud
– 0.50%
• Opportunity cost from issuer declines and false positives
– 0.95%
The cost of actual fraud losses plus the cost of identifying and minimizing fraud adds between 3% and 3.45% in addition to the actual cost of payments, estimated at about 2% for online merchants
New Thinking Is Needed
• Current methods of payment (i.e. bankcards)
– Improved tools and algorithms
• Increased needs for data will conflict with data privacy issues
– Enhanced data flowing between merchants and issuers
• Significant structural changes required
• Merchants want to work closer with issuers
• Develop/Implement new methods of payment
– Turn the flow from pull to push
• Use OBeP solutions as is done in some countries in Europe and Asia
• Leverage new payment instruments like Same Day ACH and Faster Payment solutions
• Merchants concerned about re-directing customers away from their check out flows and about “buyer’s remorse”
– Omni-channel and mobile to get consumers to “opt-in”
• Consumers are vetted up front and they give permission for use of their data
• This up-front validation will allow the use of other payment methods (e.g. PLCC, ACH), which will also lower overall costs
Retail Payments Global Consulting Group, LLC
109 2nd St. S., Suite #437
Kirkland, WA 98033-9002
RPGC Group Proprietary & Confidential