update on developments in online payments vol. 5 issue 8, 15 june 2012

1 | 8 www.thepaypers.com Copyright © The Paypers

Update on developments in online payments Vol. 5 Issue 8, 15 June 2012

MRC DUBLIN: Reducing online payment fraud, im-

proving risk management strategies

Exclusive interviews with CyberSource 1

Expert opinion—SecureKey 3

Exclusive interviews with ReD 5

Exclusive interviews with TeleSign 6

The MRC European Spring e-Commerce

Payments and Risk Congress in Dublin

brought together European and global

merchants, solution providers, payment processors, and other industry stakeholders for a

three-day event discussing the newest breakthroughs and innovations in reducing online

payment fraud and improving risk management strategies in today’s ever-changing world

of technological advancements.

Key sessions included:

▪ Keynote address by the Honorable Richard Bruton T.D., Minister for Jobs,

Enterprise and Innovation;

▪ Industry benchmarking data;

▪ Digital & card issuer fraud;

▪ Expanding e-commerce beyond the EU;

▪ Transforming mobile payments;

▪ Law enforcement collaboration.

Dr Akif Khan joined CyberSource in December 2004. As Director,

Products and Services, he has become an industry thought leader and

influential speaker within the eCommerce payment and fraud arenas.

Helping and advising online businesses all over the world, Dr Khan has

witnessed the latest challenges faced by organisations in multiple

geographies and market sectors. Educated as a research scientist, and

with recent experience in the IT and finance industries, Dr Khan is well placed to work with

CyberSource’s customers, analysing their requirements and providing guidance to optimise

and grow their businesses with particular focus on minimising risk, reducing fraud and

moving into new territories.

What are some of the key findings of the joint MRC-CyberSource European Fraud

Survey?

Akif Khan: This latest fraud survey is built around the principle of our fraud management

pipeline; covering metrics relating to automated screening, manual review, order

acceptance/rejection and chargeback management. We asked respondents a range of

questions about their fraud experiences across each of these four areas (over 60 European

enterprise level merchants participated).

MRC EUROPEAN SPRING E-COMMERCE PAYMENTS AND RISK CONGRESS 2012

“A single tool will never be able to stop fraud” - Exclusive interview with Dr Akif Khan, CyberSource -

EVENT HIGHLIGHTS

https://www.merchantriskcouncil.org/

Update on developments in online payments


Vol. 5 Issue 8, 15 June 2012

The survey revealed that, on average, European fraud loss rates are a little higher than

those reported in our equivalent survey in the US. However, there are a whole host of

dynamics at play and the markets are very different. For instance, when asked about

fraud tool usage, 37 percent of respondents reported that they had implemented 3D

Secure, almost twice as many as in the US. Any merchant processing Maestro cards

online must enable 3D Secure, and of course Maestro is well known in Europe.

There is a lot of talk about new anti-fraud techniques…

Akif Khan: Yes. Within Europe about 36 percent of merchants who responded to the

survey said they use device fingerprinting. Significantly, when asked to list the anti-

fraud tools that they were planning to implement in the coming year, merchants

ranked device fingerprinting number one (34% of respondents stated that they would

be implementing this tool).

Businesses are using a range of methods to tackle the fraud challenge, and it’s clear

that no single tool will be able to stop fraud. I like to think of this as a jigsaw puzzle; the

more pieces you have, the greater chance you’ll see the whole picture and be able to

more effectively combat fraud. A word of caution though; these pieces must fit

together and complement each other – a mismatch could do even greater damage.

When looking at manual review, the survey results indicated that, on average, just over

14 percent of transactions are being evaluated in this way. Given the high transaction

volumes that the survey respondents see and the costs associated with this review

stage, European merchants should certainly look to optimize their review processes.

It is worth noting that there are variations between different industry sectors: for

instance, in the travel sector the manual review rate is considerably higher than

average, whereas in the digital goods sector it is lower. These differences relate to

particular businesses models that have been adopted. For example, in the digital goods

space orders are often fulfilled immediately; manual review may cause a delay in that

fulfillment so attention is focused on automating as much of the fraud management

process as possible.

The survey revealed that, on average, European merchants were rejecting over 6

percent of orders due to suspicion of fraud. Undoubtedly, some of these orders will

have been fraudulent, however it is very possible that some good orders will have been

rejected too. It is important for merchants to minimize the risk of turning away good

customers. Currently, the average order reject rate stands at 3.3 percent for US

merchants.

One of the main messages arising from this survey is that merchants want to

understand where the risk is originating i.e. for which countries are the fraud rates

likely to be higher and therefore warrant special attention. The challenge is that

different merchants analyze this information in different ways. As an example, we

asked merchants to categorize how they define where fraud is coming from. In total,

42 percent of respondents said that they define this country of origin as the country

that the IP is associated with. At the same time, 15 percent of merchants classify the

fraud location using the delivery addresses, while 8 percent base their decision on the

country where the credit card was issued. It has become clear that there is a need to

create a common set of definitions and standards so that we can better appreciate this

entire area. At MRC Europe we are exploring how we can work with our membership

community to achieve just that.

What are the main reasons for this higher percentage of fraud in Europe?

Akif Khan: If we analyze data by country or industry sector, we see that those

merchants with more online experience are generally better at managing fraud. This

means that the fraud rate is in part related to the merchant’s maturity within their

market. Furthermore, larger and more experienced merchants often have access to

more resources, both internally and externally.

It’s worth noting that when we’ve previously conducted fraud surveys in North

America, the merchants that are members of the MRC do seem to experience better

overall fraud metrics. Through its benchmarking activities, the MRC looks to further

empower merchants to better understand the impact that fraud is having on their

business. And by connecting merchants, vendors and members of law enforcement the

industry can begin to truly work together to address the challenge.




Retail has always been perceived as one of the driving forces for the economic

development of each country. Consequently, the level of retail sales is an important

indicator of the health of the economy and a raising level shows that consumers have

more disposable income and confidence in making purchases. In the US, national and cross

-border transactions in this sector, both over the internet and offline, have considerably

increased over the years, as data frequently shows.

A survey released by research company Real Capital Analytics points out that in Q1 2012

retail sales in the US have grown 87 percent as compared to the same period in 2011.

During the same period, on the online front, retail spending has reached USD 44.3 billion,

up 17 percent y-o-y, according to a research by comScore, a source of digital business

analytics. But unfortunately, the retail industry has also become a main target for those

who are constantly committing illegal activities. Thus, fraud has turned into a constant

challenge for traditional and online retailers forced to deal with organized fraudsters, who

are in constant search for new channels to exploit.

According to a survey released by retail trade association National Retail Federation (NRF),

96 percent of retailers, have declared that their company has been the victim of organized

retail crime (ORC) in 2012, up from 94.5 percent in 2011.

The eighth annual Organized Retail Crime survey also indicates that 87.7 percent of

respondents believe that organized retail crime activity has increased since 2009. With

regard to factors which may have determined this increase, the survey mentions the

current economic conditions, lower staffing levels at stores and the ease of selling stolen

merchandise in pawn shops/flea markets, online and other fencing operations. The study

shows that experts in the industry and even law enforcement are convinced that

organized retail crime in recent years has become more of a “gateway crime” than ever

before. These organized retail crime activities are normally performed by groups, gangs

and sometimes individuals who are engaged in illegally obtaining retail merchandise

through both theft and fraud in substantial quantities as part of a criminal enterprise.

Finally, the report points out that 54.4 percent of retailers believe that their top

management understands the severity and complexity of the problem. More companies

are reporting that their company is allocating additional resources to address this crime

(52.8 percent in 2012 as compared to 46.5 percent in 2011).

NRF’s survey was conducted from 17 April to 11 May 2012 on a sample of 125 retail loss

prevention executives representing department stores, discount, drug, grocery, restaurant

and specialty retailers. NRF represents retailers of all types and sizes, including chain

restaurants and industry partners, from the United States and more than 45 countries

abroad.

The National Retail Federation has been educating retailers, law enforcement, media

outlets and policy makers on organized retail crime since early 2005. The association

mitigates for the importance of continue training and awareness programs for staff and

other industry partners as well as strong collaboration with law enforcement in order to

understand and fight organized retail crime.

Today’s Online Fraud Realities

By Greg Wolfond, CEO, SecureKey Technologies

Fact: Consumers are overwhelmed by a proliferation of credentials increasing security and

privacy risk

Fact: Banks, Merchants, Enterprises and Governments are all battling authentication,

identity and payment fraud

The security measures that institutions use to protect their customers continue to increase

in sophistication and still online fraud is on the rise. Phishing attacks alone are up over 37%

FOCUS ON:

ORGANIZED CRIME AMONG RETAILERS ON THE RISE

EXPERT OPINION




year over year in 2011, representing only one mechanism to collect unauthorized user and

payment information.

Historically, the more security that is added, the less convenient it becomes. 3D Secure is a

great example; it is supposed to limit online fraud but it reduced merchant conversion rate

so much that most merchants in North America don’t use it.

Consumers are managing dozens, sometimes hundreds, of increasingly complex online

login IDs, and using them interchangeably with many online services, actually increasing

their risk and exposure to damaging online attacks. The security protocols that exist in the

physical world where driver’s licenses and payment cards are used don’t exist in the online

world.

Cards in the physical world were susceptible to fraud; it was quite easy to copy a magnetic

stripe payment card. But most of the world has moved to Chip and PIN cards. These new

EMV cards have small computer chips in them, they generate dynamic numbers on each

transaction, and they can’t be copied.

The combination of a chip card ‘something I have’ together with a PIN ‘something I know’

makes security strong and reduces fraud. Today’s online shopping is much like the old

cards; it uses static numbers and is easy to copy, so fraud is high.

In the UK, when chip cards were introduced, card-present fraud in physical locations

reduced dramatically. However ‘card not present’, or online fraud, went from 10% in 1998

to 54% of fraud in 2008 because the fraud migrated online where it was easier to commit.

The same is happening in Canada and will happen in the United States.

On the bright side, changes in consumer technologies are beginning to happen that will

allow the same principles that led to massive reduction in point-of-sale fraud with the use

of EMV cards to be applied online. What’s required is the same ‘what I have’ and ‘what I

know’ factors, or strong two factor authentication, and a secure issuance or registration

process. To truly curtail online fraud it must be affordable, work across all payment

methods, and be commonly available and convenient. A bonus is if it can also be used for

non-payment identity applications as well. New technologies, like Intel’s new identity

protection technology in the new ultrabooks for example, allow secure tokens to be stored

in a secure place much like a chip card.

SIM chips in phones have a similar capability, and many devices are coming with NFC

capability that will allow reading of PayWave, PayPass, ZIP or other in-wallet credentials.

Whether the security token is stored in the device or on a card tapped from my wallet, the

combination of that token, the ‘what I have’ with a ‘what I know’ factor of authentication

like a password, will make the security of online transactions much safer than they are

today.

What’s going to make all this work for consumers is simplicity. It’s not new regulations

and it shouldn’t be a burden on the consumer. The companies that solve the security

challenges have to create an enchanting customer experience. The same solutions that

apply to online shopping fraud will then solve many of the authentication and identity

challenges of the anonymous internet.

Tap my driver’s license on my tablet as part of the process to open a new bank account, or

my health card on my laptop to see my health records online. Register my BlackBerry,

Android or iPhone through a secure registration process to be my personal authentication

terminal and confirm all my high-risk transactions, purchases, transfers, even logins with

the push of a button on my phone.

Consumer technologies are evolving to make all this possible. It’s now up to the creative

folks to make it easy and usable by everybody.

http://www.securekey.com/




About Mr. Greg Wolfond

Greg has a successful track record bringing innovative solutions to the

financial industry. His expertise and entrepreneurial skills are

evidenced by his founding of Footprint Software Inc., a financial

software company which he started in 1983 and later sold to IBM in

1995. Additionally, Greg founded and was CEO of 724 Solutions Inc.

from 1997 to 2001, a wireless software infrastructure provider which

he took public in 2000.

Mr. Manish Patel, President EMEA, ReD, is a business professional

with over 20 years experience within the banking, payments and fraud

prevention industry.

Starting his career at NatWest Bank Plc, Manish spent ten years within

retail banking and international card acquiring before joining ReD in

2000. Since joining ReD, Manish has established himself as an

accomplished expert within the field of payments and fraud prevention

and has played a key role in the development of ReD’s business in

Europe. As President of EMEA, Manish is responsible for managing and leading the Sales,

Account Management, Risk & Customer Support teams for ReD in Europe, the Middle East

and Africa.

What kind of approach does ReD offer to online fraud mitigation?

Manish Patel: ReD offers a flexible, multi-layered approach to our merchant customers in

mitigating online fraud. We understand that each merchant’s business is unique and

therefore our solutions are tailored to meet the specific business objectives of the

merchants we work with. ReD has expert risk analysts located around the world who act

as consultants, offering guidance to our merchants on a daily basis.

The analysts` role is to ensure the fraud models we deploy for our merchants continually

deliver optimal performance in reducing fraud whilst ensuring that genuine consumers are

able to successfully make purchases. The analysts also advise our merchants on how and

when to change their strategies as soon as new fraud types are identified or fraud

migrates to a different channel to ensure they are protected immediately, reducing the

window of exposure. We also work with issuers, acquirers, processors, PSPs and switches.

Working across the entire payments value chain gives ReD a unique perspective which all

our customers benefit from.

Fraud will always be an issue. Where is the problem now? Is there not enough consumer

awareness, does the industry still lack the necessary technology to mitigate it?

Manish Patel: In my opinion, you need to take a holistic approach in the battle against

payment fraud. It is a global, multi-sector, multi-channel problem which does not

discriminate. Whilst continual advances in technology are fundamental to the fight,

technology alone is not enough.

Fraudsters too are using smart technology to perpetrate fraud. Industry initiatives such as

CV2/AVS and 3D Secure have been introduced to protect online merchants and these

initiatives have forced fraudsters to think differently and become even more creative.

Technology will always have a key role to play, but the human element is also crucial.

This is why experienced risk and fraud analysts who have a multi-sector, multi-

geographical, multi-channel and multi-payment perspective across the entire payments

value chain are critical to the fight. Perpetrators of fraud are highly sophisticated

individuals and we have to try and think the way fraudsters do.

“In 2011, we protected in excess of 17 billion transactions”

- Exclusive interview with Manish Patel, ReD -




Do you also help merchants educate their customers because there is still much

ignorance?

Manish Patel: Yes, ReD works very closely with our merchants to provide guidance and

support on how to best protect and educate their customers on payment fraud

prevention. Through our experience in dealing with some of the world’s largest merchants,

we are able to share best practice and provide tips to ensure our merchants are able to

communicate knowledgably and deliver a first class service to their customers.

In many cases merchants do keep themselves well informed, but despite best efforts, it

can be an arduous task due to the pace at which fraud patterns and techniques change

and migrate.

ReD helps merchants keep up to date with these changes and developments. How would

you describe the overall awareness of cyber-crime in the US and Europe vs. other

regions?

Manish Patel: Cyber-crime is a significant and well reported issue in the US. Over the past

decade, Europe has also experienced a significant uplift in cyber-crime with the popularity

of online shopping and banking. In recent years we have also seen cyber-crime increase

significantly in emerging markets such as Asia and Latin America. Analyst forecasters are

predicting Asia to out-perform the US for e-commerce by 2015; concerns are that cyber-

crime will also increase proportionately.

In your opinion, what are the main fraud indicators for consumers?

Manish Patel: The most common is when a consumer checks their bank and/or credit card

account online or receives a bank statement in the post, and sees entries which they do

not recognise. This is typically the first indication that fraud has been perpetrated.

Some voices are concerned that tracking technologies jeopardize online privacy. What is

your own opinion regarding this aspect?

Manish Patel: There are a number of new technologies entering the market which focus

on tracking consumer behavior. With these new technologies comes the ever increasing

risk of personal data being exposed and compromised. To combat this, we have seen and

are continuing to see, a tightening around regulation and compliance notably ‘Data

Protection’ and ‘P.C.I’ to ensure that companies who provide these ‘tracking technologies’

have the right security protocols and processes in place to securely deliver the services

they offer.

Ryan Disraeli brings an entrepreneurial savvy to his role of directing the

fraud services organization. Disraeli draws on his experience in

technical business management, professional services program

deployment, as well as launching new products in the Internet security

and telephony industries. Ryan was part of the original TeleSign team

and is currently responsible for working with clients on their fraud

strategy, while contributing to the product vision. Ryan consults with

many of TeleSign's enterprise customers, enabling them to leverage the

most out of TeleSign's technology. He can often be found contributing false information on

fraudster message boards.

First of all, it would be interesting to know what prompted your company to get into this

business. Why a phone-based verification approach?

Ryan Disraeli: Phone-based verification achieves an excellent balance between mobility

and security. The phone is one of the most widely used technologies, yet it presents an

“If I were to describe fraudsters using one word, it would

be entrepreneur” - Exclusive interview with Ryan Disraeli, TeleSign -

http://www.redworldwide.com/fraud-prevention/merchants




added complexity for fraudsters. Our customers think that phone-based verification is the

simplest, yet most effective way to authenticate their users.

During the MRC Dublin event you held a presentation about fraudsters. Could you please

give us a summary? What is the organizational structure of online fraudsters?

Ryan Disraeli: I began my presentation by profiling fraudsters and talked about how these

individuals are motivated to commit fraud. My presentation focused on the similarities

between online and offline fraudsters. There is an element of specialization that is

involved in both online and offline fraud and it is important to understand how these

groups are formed and communicate. Fraudsters are great at networking, examples of this

can be found across several online forums. A part of my presentation analyzes these

forums and illustrates the communication between fraudsters.

Could you make a profile of fraudsters?

Ryan Disraeli: If I were to describe fraudsters using one word, it would be entrepreneur.

It is difficult to create one profile of fraudsters since they come from a wide variety of

backgrounds. Fraudsters are distributed across the globe and can come from a mix of

economic backgrounds and age ranges.

In your opinion, what kind of techniques do fraudsters use to exchange information?

Ryan Disraeli: Fraudsters exchange information similar to other industries. Networks exist

where fraudsters communicate their strategies and also buy and sell commodities like

credit card numbers and bank accounts. Online forums are often used for this purpose and

look similar to forums about any topic. Instead of talking about sports or movies, the

topics range from hacked servers to the best place to buy credit card numbers.

How do online fraudsters leverage common offline fraud techniques?

Ryan Disraeli: Online fraud is actually quite similar to offline fraud and more fraudsters are

participating in both. The same strategies around agility, specialization, and networking

are applied to both online and offline fraud.

What solutions does the market provide for merchants, in order to stay ahead of the

growing fraud climate?

Ryan Disraeli: There are a variety of vendors that have developed excellent solutions to

fight fraud. The best fraud strategy implements a variety of these tools along with your

own custom rules. One thing that merchants need to embrace is that they need to stay as

agile as the fraudsters. The fraud climate changes extremely fast and it is important to

constantly evaluate your strategy to ensure it is up to speed to fight against the growing

threats.

What kind of industry segments does your company serve?

Ryan Disraeli: We work with some of the largest companies in eCommerce, Cloud services,

social networking, payments, gaming, and financial services. Our team has the expertise to

meet the complex regulations and requirements that are specific to these industries.

Sending a one-time password or authentication code by SMS can be regarded as not

being very secure. If a mobile device is lost or stolen and if another person takes

possession of a user's phone, they could use it to authenticate fraudulently. In this

context, do you agree that some industries might recognize the need for stronger online

authentication?

Ryan Disraeli: The phone is such an integral part of our lives that when it is lost or stolen,

we usually replace it immediately. Having said that, a good fraud strategy encompasses

multiple solutions and should never rely on one technology.

What is your perspective on mobile phone fraud? As mobile phones increase in

popularity and functionality, are security issues affecting online payments likely to be

“Fraudsters and entrepreneurs share some common characteristics, both can be

incredibly disciplined, resourceful, and scrappy. “




transferred to the mobile channel?

Ryan Disraeli: There is no doubt that security issues are already being transferred to the

mobile channel. While a lot of vendors are working on solutions to combat this type of

fraud, we ultimately need to see better cooperation with the mobile operators to continue

to stay ahead of the growing threats.

Imperva, ThreatMetrix to add device identification, fraud malware detection to ThreatRadar Global data security services provider Imperva has entered a partnership with

ThreatMetrix, a US-based provider of integrated cyber security services, to add

ThreatMetrix device identification and fraud malware detection to ThreatRadar Fraud

Prevention. Read more

North America: Gemalto, nAppliance roll out new authentication service Dutch digital security company Gemalto has joined forces with nAppliance Networks, a

provider of Microsoft based networking and security appliances, to roll out a new

authentication service for the North American market. Read more

Socure, ValidSoft team up to deliver cyber security, identity theft protection to social networks Socure, a US-based identity and reputation applications developer, has inked a contract

with Irish-based authentication technology provider ValidSoft. Read more

In the next editions of the Online Paypers newsletter, we will continue to focus on some of

the most important developments and initiatives in the online payments and e-commerce

space, structured per regions, in parallel with a series of exclusive interviews with

representatives of payment services providers whose role on the online payments market

is not difficult to define: Alipay, Ogone, WorldPay and Chase Paymentech.

If you would like to contribute with an expert opinion on any of the topics above or make

any other suggestions, do not hesitate to contact us at [email protected].

YOUR OPINION IS IMPORTANT TO US!

About: Online Paypers is a bi-weekly update on developments in online payments by The Paypers, the portal for

payment professionals.

Editors: Adriana Screpnic, Mihaela Mihaila, Ionela Barbuta and Melisande Mual.

Website: For more information, please visit our websites: www.thepaypers.com

Contact: For more information, you can contact us at: [email protected]

Subscription info: Online Paypers is a product of The Paypers and is published 24 times per year. Year

subscription price: €495

Copyright: 2011 © The Paypers. All rights reserved. Reproduction or redistribution in any form without explicit

prior written permission of The Paypers is prohibited.

Disclaimer: The Paypers sees to the utmost reliability of all its news products. Nevertheless we do not accept

any responsibility for any possible inaccuracies.

NEWS

http://www.thepaypers.com/news/e-identity/imperva-threatmetrix-to-add-device-identification-fraud-malware-detection-to-threatradar/747837-26

http://www.thepaypers.com/news/e-identity/north-america-gemalto-nappliance-roll-out-new-authentication-service/747838-26

http://www.thepaypers.com/news/e-identity/socure-validsoft-team-up-to-deliver-cyber-security-identity-theft-protection-to-social-networks/747851-26

http://www.telesign.com/

update on developments in online payments vol. 5 issue 8, 15 june 2012

Documents