PAYMENT FRAUD PREVENTION FOR MERCHANTS

How merchants can reduce losses due to increasing payment fraud liability

WHITE PAPER

Written by

Anuj Kasat, Engagement Manager, EXL Analytics

Namit Sureka, Vice President and Practice Leader, EXL Analytics

Swati Jain, Vice President, EXL Analytics

August 1, 2018


Until recently, card-present (CP) transactions contributed the majority of credit card payment fraud. However, with the adoption of the EMV (Europay, Mastercard and Visa) standard, more frequent data breaches, and increasing digital sales and mobile payments, card-not-present (CNP) transactions have become a major component of payment fraud.

For CNP fraud, merchants bear the liability, which increases the burden of fraud losses and directly impacts the merchant’s bottom line. However, businesses can put in place a dynamic fraud prevention strategy supported by sophisticated data analytics tactics to contain fraud losses.

1. Increasing Fraud Liability for Merchants

In cases of fraudulent CP transactions, most of the liability is borne by the card issuer if the merchant is compliant in terms of payment acceptance procedure. However, most of the fraud liability lies with the merchant for CNP transactions.

Up until 2014, fraud could be easily categorized, as the card either was or wasn’t present. With an increasing number of payment options, whether a transaction qualifies as CP or CNP has become murky.

Under most circumstances, transactions that qualify as CNP include:

• Online purchases

• Recurring or subscription billing

• Electronic invoicing

• Orders taken over the phone

• Orders input manually

• Payment apps on smartphones or tablets

The list is constantly evolving. While counterfeit and lost/stolen fraud is expected to decrease by the end of 2018, CNP fraud is expected to increase by a factor of 2.5 as compared to the level in 2012. This presents a challenging situation for merchants accepting CNP transactions, as it directly impacts their bottom line and increases the possibility of restrictions or fines from network providers such as Visa or Amex.

[Figure: U.S. Card Fraud Losses (in US$ billions), 2012 to E2018, by fraud type: CNP, lost/stolen, counterfeit. Source: https://aitegroup.com/report/payment-card-fraud-management-essential-tools-us-card-issuers, accessed on 05/10/2018]

1.1 Drivers Increasing CNP Fraud

There are multiple factors which have led to an increase in CNP fraud:

• EMV adoption

• Increase in data breaches

• Increase in e-commerce

• Increase in mobile payments

1.1.1 EMV Adoption

In October 2015, EMV was adopted in the US market to combat fraud. As a result, already active cards were replaced by cards with chip functionality, and any new cards were issued with chip functionality. In addition, merchants upgraded their in-store payment terminals to chip-enabled machines. This reduced the opportunity for fraudsters to use counterfeit or stolen cards in stores.

However, there were unintended consequences. With the chip making duplication difficult (as merchants had updated their terminals in the physical stores), fraudsters shifted their focus online, where merchants had no equivalent way to check the chip. In addition, merchants were concerned that online fraud prevention techniques that potentially made it difficult for consumers to pay would lead to consumers abandoning their online carts. Since these online transactions are considered CNP, the liability of fraud shifted to the merchants, causing significant losses.

1.1.2 Increase in Data Breaches

The occurrence of data breaches increased 40% from 2015 to 2016. Well-known entities such as Equifax, Whole Foods and the US Securities & Exchange Commission experienced significant breaches. This trend is concerning as the stolen data is used to fake customer identities, secure new cards or take over existing card accounts, and perform CNP transactions.

1.1.3 Increase in Ecommerce

Customers are increasingly making purchases online. This shopping behavior is not only capitalized on by online mega-retailers such as Amazon, but has also led traditional merchants to follow an omni-channel strategy. While it provides additional sales opportunity to the merchants, it has also exposed merchants to CNP fraud liability. Any future growth in online sales will lead to higher CNP fraud liability.

1.1.4 Increase in Mobile Payment

More and more customers are using smartphones to make purchases and payments. While traditional devices such as desktops and laptops have well-established security features, smartphones are more susceptible to malware attacks and sensitive data leakages. As a result, they provide more opportunities for data theft and drive CNP fraud.

1.2 Top Industries Susceptible to CNP Fraud

While all industries accepting orders through CNP transactions are susceptible to CNP fraud, the following industries have above-average digital sales growth and are most at risk:

a) Retailers: Ecommerce companies or traditional retailers which have adopted an omni-channel strategy

b) Travel & Hospitality: Online reservation of flights or other modes of transport

c) Entertainment: Online sale of tickets for movies, sports events or concerts, online gaming and gambling

The main driver for the trend is the ease of accessibility of products and services to customers and the ease of completing transactions by storing card information on merchant portals or mobile applications. This trend of storing card information has made merchants more vulnerable to both fraud and increased fraud liability losses.

1.3 Cost of Fraud for Merchants

While merchants have to bear the fraud liability for CNP fraud, there are additional associated costs.

The following are components of the overall cost borne by the merchant:

• Cost of goods on which fraud is claimed

• Overhead on goods for which fraud is claimed such as order processing and shipping

• Chargeback fees by card associations

• Administrative cost for processing chargebacks

• Penalties by card associations in cases of fraud rates or amounts exceeding certain thresholds

Fraud has always been costly. In this new CNP fraud reality, merchants are forced to take the hits to their profitability. However, there are solutions merchants can deploy to combat fraud.

2. Fraud Prevention Strategy for Merchants

Merchants can deploy fraud prevention strategies to control their fraud liability for CNP transactions:

• Payer authentication

• Guaranteed payments

• Static rules

• Dynamic rules supported by data analytics

2.1 Fraud Prevention through Payer Authentication

One of the easiest methods for merchants to prevent fraud liability is to use a 3D security layer provided by the network providers such as Verified by Visa, MasterCard SecureCode, JCB J/Secure, and American Express SafeKey. When employed, payment authorization is completed by using an additional password known only to the cardholder, which provides assurance that the card owner is performing the transaction.

Pros:

• Fraud liability shifts to card issuer

• Assurance to customers about transaction security

Cons:

• Not useful for mail or phone orders

• Need to update the front end of websites or mobile applications and integrate merchant plug-in software modules

• Increased cart abandonment rate due to additional steps in completing the transaction

• Customer dissatisfaction due to forgetting their password or their card getting blocked due to multiple invalid authentication attempts

2.2 Fraud Prevention through Guaranteed Payments

A second option for payment fraud prevention is using guaranteed payments. This involves a third-party service provider taking control of accepting and declining transactions, and providing compensation for fraud on accepted transactions.

Pros:

• Fraud liability shifts from merchant to service provider

Cons:

• Cost per transaction for the service

• Rules are generic and not customized to a specific merchant

• Merchant loses control over false declines impacting customer experience

2.3 Fraud Prevention through Static Rules

Another alternative is to implement a static, rule-based order flow. The rules will help categorize incoming orders as low, medium or high risk and respectively approve, flag for manual review or reject the orders.

Pros:

• One-time cost of creating the data and technology infrastructure and rule sets

Cons:

• Static rules become ineffective in the long term, leading to inaccurate classification

• False declines impacting customer experience and sales

• Looking at historical data does not give a holistic picture as fraudsters are constantly evolving their tactics.

2.4 Fraud Prevention through Dynamic Rules Supported by Data Analytics

An advanced option is to implement a dynamic rule-based order flow. This involves a feedback loop for the rule engine to ensure that rules are updated based on observed fraud rates, available manual review capacity and pending orders awaiting decisions.

Pros:

• Latest fraud trends captured in the rules engine, ensuring checks on fraud rates

• Levers to balance fraud liability cost, false declines and customer experience as per set targets and business priorities

Cons:

• Although there is only a one-time cost for data and technology infrastructure, there are recurring operational costs for the tools and analytics talent supporting the rules engine

3. Dynamic Fraud Prevention Supported by Data Analytics

Analytics-driven fraud prevention uses a layered approach leveraging historical fraud information to flag fraudulent transactions through outlier detection, artificial intelligence to score transactions and identify suspicious behavior, and real-time scoring engines to detect the latest fraud patterns.

To optimize performance, the decision framework should rest on the following pillars:

• Data captured at source

• Data engineering to make data available for analysis

• Decision analytics to optimize the rule framework and incorporate fraud trends

• Monitoring to keep track of fraud operations and provide feedback in terms of recent fraud trends

[Figure 1: Analytics Driven Fraud Prevention Framework. Step 1: Leverage data sources; Step 2: Data Engineering; Step 3: Decision Analytics; Step 4: Monitoring; Feedback: Trends.]

3.1 Data Sources

Traditionally, merchants captured only transactional data such as order, payment and fraud details. However, the digital journey and device details help capture behavioral indicators that increase the ability to detect fraud.

To get started, there are a variety of data sources and attributes that should be captured to help devise an enhanced decision framework for fraud detection. They include:

• Order Details: This includes information such as products purchased, quantity of products, discount availed, shipping method, as well as shipping and billing details such as name, address, email, and phone number. This data is critical for creating red flags such as larger-than-normal orders and multiple orders for the same product.

• Payment Details: This includes information such as card number, card type, card issuer, amount, BIN country, and AVS and CVV response.

• Digital Journey: This includes information such as marketing channel, keywords searched, time spent, products sorted, and pages visited. This helps to identify the path a customer has taken to complete the order. If the digital journey is out of range with expectations, the transaction may be flagged and sent for manual review.

• Device Information: This includes creation of a unique ID to keep track of devices and capture of other device details such as IP address, device type, device operating system, browser type, browser language, and whether JavaScript is enabled on the browser. This, coupled with order details, can help in behavioral and location analysis.

• Data Aggregator: This allows for the option to send the order details to data aggregators who can help with reverse lookups to get any historical correlation between order attributes. For example, is there any historical correlation between the customer name and email used for this order?

• Fraud and Decline: This involves tracking orders against which fraud chargebacks were received, and the validation of declined orders to identify any false declines.

By collecting this exhaustive set of data, a merchant can create a rules-based solution that uses information derived from order details, payment details, digital journey and device history. For example, a visitor lands on the merchant’s website through a search engine. This is the visitor’s first visit. The visitor searches for products they can easily resell, sorts products by price, selects the highest-priced product, pays more than $1,000 using a credit card and chooses expedited shipping. Such a transaction needs to be reviewed.

3.2 Data Engineering

Once data is captured, the next step is to ensure that data is standardized, validated through a data governance mechanism, stored in the desired format and readily available for analysis and input into the rule engine.

3.3 Decision Analytics

The quality data obtained after data engineering can be used to create and update classification or scoring models as per the latest fraud trends. Various classification techniques such as decision tree, random forest, and other advanced machine learning methodologies can be used to create the requisite model.

The model output can help segregate transactions by their risk severity based on history of order attributes including customer, card, address, email, and other factors, as well as behavioral indicators for the order. The orders can be categorized as low risk, medium risk, and high risk and can be automatically accepted, manually reviewed, or automatically declined, respectively.

3.4 Monitoring

It is imperative that key metrics and dashboards are created that constantly monitor these models and operations. This will provide timely feedback to the rule engine to ensure:

• Latest fraud trends are incorporated

• Efficient order management during peak season

• Key performance metrics are in line with set targets. The following metrics can be monitored:

- Auto-decision rate

- Decline rate

- Fraud rate

- False decline within declined orders

- Time to decision

Additionally, merchants can also monitor sales trends by different attributes to capture spikes in trends and fraud ring operation. For example, if an unusually high number of orders from a particular IP address or particular card type are observed, it might be an indicator of a fraud attack.

4. Fraud Prevention Analytics Maturity Assessment

An existing fraud prevention strategy needs continuous improvement to diagnose, detect and respond to fraud.

A thorough assessment of an existing strategy is based on the following parameters:

• Data strategy

• Decision science

• Organization

• Execution

Figure 2: Fraud Prevention Maturity Assessment Framework

Data strategy and analytics maturity:

• Basic: Relies on traditional data sources. Decision infrastructure is based on static rules.

• Intermediate: Relies on traditional data sources and customer journey data. Decision infrastructure is based on suggestions from operations team.

• Advanced: Integrates data from internal and external sources. Decision infrastructure is dynamic and incorporates advanced analytics and feedback from operations team.

Organization and execution:

• Basic: No data governance in place. Fraud rate higher than industry standards.

• Intermediate: Mediocre data governance. Operations team managing rules with authorizations from business line leaders.

• Advanced: Robust data governance. Insight generation and updates to rules engine in real time. Dedicated fraud analytics leadership.

Quadrant labels: Sophisticated Analytics, Full Data Science Capability, Getting Started, Strengthening Operations.

4.1 Data Strategy

A merchant’s data strategy assessment should involve understanding the following:

• Data sources required to capture fraud

• Coverage and quality of data

• State of data governance and availability of cleaned data for analysis

For instance, a merchant would be categorized at a “Basic” level as outlined in Figure 2 if it is only utilizing order and payment data for fraud analytics. It could be considered at an “Intermediate” level if it involves the customer journey data, and it could be considered “Advanced” if it integrates internal and external data.

4.2 Data Science

A merchant’s data strategy needs to be supplemented by data science to be effective. Basic fraud prevention systems are capable of listing the historical losses and techniques used by fraudsters in the past. However, approaches to fraud keep evolving. Basic systems lack the ability to analyze and predict where fraud could happen next, lag in terms of data recency, and are limited in terms of conducting predictive analysis of fraud across multiple platforms. An advanced, real-time, actionable strategy involves setting triggers and notifying the merchant as soon as there is abnormal transaction activity.

Finding responses to the following questions will help in assessing decision science capabilities:

• To what extent is analytics being used to drive fraud prevention rules?

• How recent is the information available to the leadership team? What is the level of customization to the dashboards available to the leadership team?

• What analytical methodologies are used to capture latest fraud trends?

• What target metrics guide the decision process?

4.3 Organization

Organization readiness for using analytics-based solutions can be gauged by evaluating:

• Sophistication levels of talent, technology, governance and processes used to support a fraud decision engine

• The ability to influence decisions in near real time

4.4 Execution

The analytics solution execution capability can be assessed by evaluation of the following parameters:

• Agility of the organization in implementing a fraud prevention strategy

• Performance of fraud and operational metrics as compared to market benchmarks
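The rule-based order flow of sections 2.3 and 2.4, the risk tiers of section 3.3 and the monitoring metrics and IP-address spike check of section 3.4, combined in one added example that is not part of the white paper. The flag names follow the white paper's own red flags; the weights, thresholds, target fraud rate, metric definitions and sample orders are assumptions constructed for illustration.

```python
from collections import Counter

# Red flags named in the white paper; the weights are illustrative assumptions.
WEIGHTS = {"first_visit": 10, "via_search_engine": 5, "sorted_by_price": 10,
           "amount_over_1000": 25, "expedited_shipping": 15, "avs_or_cvv_mismatch": 35}

def order(ip, fraud, *flags):
    """Constructed sample order; 'fraud' is the label learned later (chargeback or decline validation)."""
    return {"ip": ip, "fraud": fraud, **{f: True for f in flags}}

# Constructed sample data (documentation IP ranges), not real transactions.
ORDERS = [
    order("203.0.113.7", True, "first_visit", "via_search_engine", "sorted_by_price",
          "amount_over_1000", "expedited_shipping"),  # the visitor from section 3.1
    order("198.51.100.2", False),
    order("203.0.113.7", True, "avs_or_cvv_mismatch", "amount_over_1000", "expedited_shipping"),
    order("198.51.100.9", False, "first_visit", "via_search_engine"),
    order("203.0.113.7", True, "first_visit", "sorted_by_price", "expedited_shipping"),
    order("198.51.100.4", False, "avs_or_cvv_mismatch", "first_visit", "sorted_by_price",
          "amount_over_1000", "expedited_shipping"),  # legitimate, but looks risky
]

def score(o):
    """Sum the weights of the red flags present on the order."""
    return sum(w for flag, w in WEIGHTS.items() if o.get(flag))

def decide(o, review_at, decline_at):
    """Low risk: approve. Medium risk: manual review. High risk: decline."""
    s = score(o)
    return "decline" if s >= decline_at else "review" if s >= review_at else "approve"

def metrics(orders, decisions):
    """Section 3.4 metrics once fraud labels are known (the definitions are assumptions)."""
    approved = [o for o, d in zip(orders, decisions) if d == "approve"]
    declined = [o for o, d in zip(orders, decisions) if d == "decline"]
    return {
        "auto_decision_rate": (len(approved) + len(declined)) / len(orders),
        "decline_rate": len(declined) / len(orders),
        "fraud_rate": sum(o["fraud"] for o in approved) / max(len(approved), 1),
        "false_decline_share": sum(not o["fraud"] for o in declined) / max(len(declined), 1),
    }

def retune(review_at, decline_at, m, target_fraud_rate, review_capacity, pending, step=5):
    """Feedback step: more manual review while fraud is above target, less when the queue is full."""
    if pending > review_capacity:
        review_at = min(review_at + step, decline_at)
    elif m["fraud_rate"] > target_fraud_rate:
        review_at = max(review_at - step, 0)
    return review_at, decline_at

def ip_spikes(orders, limit):
    """IP addresses with more than 'limit' orders in the batch."""
    counts = Counter(o["ip"] for o in orders)
    return sorted(ip for ip, n in counts.items() if n > limit)

def run_cycle(review_at=40, decline_at=70):
    """One monitoring period: decide, measure, retune, decide again."""
    before = [decide(o, review_at, decline_at) for o in ORDERS]
    m = metrics(ORDERS, before)
    new = retune(review_at, decline_at, m, target_fraud_rate=0.05,
                 review_capacity=10, pending=before.count("review"))
    return before, m, new, [decide(o, *new) for o in ORDERS]

if __name__ == "__main__":
    print(*run_cycle(), ip_spikes(ORDERS, limit=2), sep="\n")
```

With the thresholds left fixed this is the static flow of section 2.3; calling retune after each monitoring period turns it into the dynamic flow of section 2.4.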

5. Conclusion

The past decade has seen adoption of EMV and a phenomenal growth in ecommerce and mobile payments, leading to a deluge of largely unused data.

There is a wealth of information available across the electronic payments ecosystem. This information could collectively be used by merchants to combat fraud by devising an analytics-based dynamic fraud prevention strategy. It involves comprehensive data coverage, good data governance, advanced analytics and continuous monitoring.

By implementing a fraud analytics decision framework optimized for performance, merchants can reduce fraud liability costs, increase sales, and improve customer experience.

References

1. http://www.experian.com/blogs/insights/2017/03/e-commerce-fraud-rates-spike-in-2016/, accessed on 05/10/2018

2. https://www.securitymagazine.com/articles/88451-e-commerce-fraud-loss-reaches-578-billion, accessed on 05/10/2018

3. https://aitegroup.com/report/payment-card-fraud-management-essential-tools-us-card-issuers, accessed on 05/11/2018

4. https://www.gpayments.com/blog/article/5-industries-most-affected-by-card-not-present-fraud/, accessed on 05/09/2018

5. “Online Payment Fraud Whitepaper 2016-2020” published by Juniper Research

6. “2017 North America Online Fraud Benchmark Report” published by Cybersource

7. Essentials of Online Payment Security and Fraud Prevention by David Montague

8. http://blog.directpay.online/is-3d-secure-right-for-your-business, accessed on 05/23/2018

EXLSERVICE.COM

GLOBAL HEADQUARTERS: 280 Park Avenue, 38th Floor, New York, New York 10017. T +1 212.277.7100, F +1 212.771.7111

United States • United Kingdom • Czech Republic • Romania • Bulgaria • India • Philippines • Colombia • South Africa

EXL (NASDAQ: EXLS) is a leading operations management and analytics company that designs and enables agile, customer-centric operating models to help clients improve their revenue growth and profitability. Our delivery model provides market-leading business outcomes using EXL’s proprietary Business EXLerator Framework®, cutting-edge analytics, digital transformation and domain expertise. At EXL, we look deeper to help companies improve global operations, enhance data-driven insights, increase customer satisfaction, and manage risk and compliance. EXL serves the insurance, healthcare, banking and financial services, utilities, travel, transportation and logistics industries. Headquartered in New York, New York, EXL has more than 27,000 professionals in locations throughout the United States, Europe, Asia (primarily India and Philippines), South America, Australia and South Africa.

© 2018 ExlService Holdings, Inc. All Rights Reserved. For more information, see www.exlservice.com/legal-disclaimer
