FRAUD PREVENTION AND MANAGEMENT
With all the negative impacts of fraudulent credit card activities – financial and product losses, fines, loss of reputation, etc, and technological advancements in perpetrating fraud – it's easy for merchants to feel victimized and helpless. However, technological advancements in preventing fraud have started showing some promise to combat fraud. Merchants and Acquirers & Issuers are creating innovative solutions to bring down on fraudulent transactions and lower merchant chargeback rates. One of the main challenges with fraud prevention is the long time lag between the time a fraudulent transaction occurs and the time when it gets detected, i.e., the cardholder initiates a chargeback. Analysis shows that the average lag between the transaction date and the chargeback notification could be as high as 72 days. This means that, if no fraud prevention is in place, one or more fraudsters could easily generate significant damage to a business before the affected stakeholders even realize the problem.
Fraud Prevention Technologies: While fraudsters are using sophisticated methods to gain access to credit card information and perpetrate fraud, new technologies are available to help merchants to detect and prevent fraudulent transactions. Fraud detection technologies enable merchants and banks to perform highly automated and sophisticated screenings of incoming transactions and flagging suspicious transactions. While none of the tools and technologies presented here can by itself eliminate fraud, each technique provides incremental value in terms of detection ability. As it will be discussed later, the best practice implementations often utilize several of these fraud prevention techniques, if not all of the tools discussed here. The various fraud prevention techniques are discussed below:
MANUAL REVIEW: This method consists of reviewing every transaction manually for signs of fraudulent activity and involves a exceedingly high level of human intervention. This can prove to be very expensive, as well as time consuming. Moreover, manual review is unable to detect some of the more prevalent patterns of fraud, such as use of a single credit card multiple times on multiple locations (physical or web sites) in a short span.
ADDRESS VERIFICATION SYSTEM: This technique is applicable in card not present scenarios. Address Verification System (AVS) matches the first few digits of the street address and the ZIP code information given for delivering/billing the purchase to the corresponding information on record with the card issuers. A code representing the level of match between these addresses is returned to the merchant. AVS is not much useful in case of international transactions.
CARD VERIFICATION METHODS: The Card Verification Method3 (CVM) consists of a 3- or 4-digit numeric code printed on the card but is not embossed on the card and is not available in the magnetic stripe. The merchant can request the cardholder to provide this numeric code in case of card-notpresent transaction and submit it with authorization. The purpose of CVM is to ensure that the person submitting the transaction is in possession of the actual card, since the code cannot be copied from receipts or skimmed from magnetic stripe. Although CVM provides some protection for the merchant, it doesn’t protect them from transactions placed on physically stolen cards. Furthermore, fraudsters who have temporary possession of a card could, in principle, read and copy the CVM code.
NEGATIVE AND POSITIVE LISTS: A negative list is a database used to identify high-risk transactions based on specific data fields. An example of a negative list would be a file containing all the card numbers that have produced chargebacks in the past, used to avoid further fraud from repeat offenders. Similarly a merchant can build negative lists based on billing names, street addresses, emails and internet protocols (IPs) that have resulted in fraud or attempted fraud, effectively blocking any further attempts. A merchant/acquirer could create and maintain a list of high-risk countries and decide to review or restrict orders originating from those countries. Another popular example of negative list is the SAFE file distributed by MasterCard to merchants and member banks. This list contains card numbers, which could be potentially used by fraudsters, e.g., cards that have been reported as lost or stolen in the immediate recent past. Positive files are typically used to recognize trusted customers, perhaps by their card number or email address, and therefore bypass certain checks. Positive files represent an important tool to prevent unnecessary delays in processing valid orders.
PAYER AUTHENTICATION: Payer authentication is an emerging technology that promises to bring in a new level of security to business-to-consumer internet commerce. The first implementation of this type of service is the Verified by Visa (VbV) or Visa Payer Authentication Service (VPAS) program, launched worldwide by Visa in 2002. The program is based on a Personal Identification Number (PIN) associated with the card, similar to those used with ATM cards, and a secure direct authentication channel between the consumer and the issuing bank. The PIN is issued by the bank when the cardholder enrolls the card with the program and will be used exclusively to authorize online transactions. When registered cardholders check out at a participating merchant’s site, they will be prompted by their issuing bank to provide their password. Once the password is verified, the merchant may complete the transaction and send the verification information on to their acquirer.
LOCKOUT MECHANISMS: Automatic card number generators represent one of the new technological tools frequently utilized by fraudsters. These programs, easily downloadable from the Web, are able to generate thousands of ‘valid’ credit card numbers. The traits of frauds initiated by a card number generator are the following:
• Multiple transactions with similar card numbers (e.g. same Bank Identification Number (BIN))
• A large number of declines Acquiring banks/merchant sites can put in place prevention mechanisms specifically
designed to detect number generator attacks.
FRAUDULENT MERCHANTS: Both MasterCard and Visa publish a list of merchants who have been known for being involved in fraudulent transactions in the past. These lists (NMAS - from Visa and MATCH- from MasterCard) could provide useful information to acquirers right at the time of merchant recruitment preventing potential fraudulent transaction.
Fraud Prevention Technologies: While fraudsters are using sophisticated methods to gain access to credit card information and perpetrate fraud, new technologies are available to help merchants to detect and prevent fraudulent transactions. Fraud detection technologies enable merchants and banks to perform highly automated and sophisticated screenings of incoming transactions and flagging suspicious transactions. While none of the tools and technologies presented here can by itself eliminate fraud, each technique provides incremental value in terms of detection ability. As it will be discussed later, the best practice implementations often utilize several of these fraud prevention techniques, if not all of the tools discussed here. The various fraud prevention techniques are discussed below:
MANUAL REVIEW: This method consists of reviewing every transaction manually for signs of fraudulent activity and involves a exceedingly high level of human intervention. This can prove to be very expensive, as well as time consuming. Moreover, manual review is unable to detect some of the more prevalent patterns of fraud, such as use of a single credit card multiple times on multiple locations (physical or web sites) in a short span.
ADDRESS VERIFICATION SYSTEM: This technique is applicable in card not present scenarios. Address Verification System (AVS) matches the first few digits of the street address and the ZIP code information given for delivering/billing the purchase to the corresponding information on record with the card issuers. A code representing the level of match between these addresses is returned to the merchant. AVS is not much useful in case of international transactions.
CARD VERIFICATION METHODS: The Card Verification Method3 (CVM) consists of a 3- or 4-digit numeric code printed on the card but is not embossed on the card and is not available in the magnetic stripe. The merchant can request the cardholder to provide this numeric code in case of card-notpresent transaction and submit it with authorization. The purpose of CVM is to ensure that the person submitting the transaction is in possession of the actual card, since the code cannot be copied from receipts or skimmed from magnetic stripe. Although CVM provides some protection for the merchant, it doesn’t protect them from transactions placed on physically stolen cards. Furthermore, fraudsters who have temporary possession of a card could, in principle, read and copy the CVM code.
NEGATIVE AND POSITIVE LISTS: A negative list is a database used to identify high-risk transactions based on specific data fields. An example of a negative list would be a file containing all the card numbers that have produced chargebacks in the past, used to avoid further fraud from repeat offenders. Similarly a merchant can build negative lists based on billing names, street addresses, emails and internet protocols (IPs) that have resulted in fraud or attempted fraud, effectively blocking any further attempts. A merchant/acquirer could create and maintain a list of high-risk countries and decide to review or restrict orders originating from those countries. Another popular example of negative list is the SAFE file distributed by MasterCard to merchants and member banks. This list contains card numbers, which could be potentially used by fraudsters, e.g., cards that have been reported as lost or stolen in the immediate recent past. Positive files are typically used to recognize trusted customers, perhaps by their card number or email address, and therefore bypass certain checks. Positive files represent an important tool to prevent unnecessary delays in processing valid orders.
PAYER AUTHENTICATION: Payer authentication is an emerging technology that promises to bring in a new level of security to business-to-consumer internet commerce. The first implementation of this type of service is the Verified by Visa (VbV) or Visa Payer Authentication Service (VPAS) program, launched worldwide by Visa in 2002. The program is based on a Personal Identification Number (PIN) associated with the card, similar to those used with ATM cards, and a secure direct authentication channel between the consumer and the issuing bank. The PIN is issued by the bank when the cardholder enrolls the card with the program and will be used exclusively to authorize online transactions. When registered cardholders check out at a participating merchant’s site, they will be prompted by their issuing bank to provide their password. Once the password is verified, the merchant may complete the transaction and send the verification information on to their acquirer.
LOCKOUT MECHANISMS: Automatic card number generators represent one of the new technological tools frequently utilized by fraudsters. These programs, easily downloadable from the Web, are able to generate thousands of ‘valid’ credit card numbers. The traits of frauds initiated by a card number generator are the following:
• Multiple transactions with similar card numbers (e.g. same Bank Identification Number (BIN))
• A large number of declines Acquiring banks/merchant sites can put in place prevention mechanisms specifically
designed to detect number generator attacks.
FRAUDULENT MERCHANTS: Both MasterCard and Visa publish a list of merchants who have been known for being involved in fraudulent transactions in the past. These lists (NMAS - from Visa and MATCH- from MasterCard) could provide useful information to acquirers right at the time of merchant recruitment preventing potential fraudulent transaction.
0 Comments:
Post a Comment
<< Home