Merchants, acquirers, processors, anti-fraud providers and others serving the card-not-present payments market met in Orlando, Fla. recently at the first annual CNP Expo. For our readers who were unable to attend the groundbreaking event, CardNotPresent.com will be offering glimpses of the important information covered in two-and-a-half days of panel discussions on a host of issues relevant to merchants that take card-not-present payments and the technology providers that serve them.
By D.J. Murphy, Editor-in-Chief
On Day 1 of the CNP Expo, the very first panel convened looked at the one issue that received the most attention throughout the week: fraud. During the session—titled “Common Sense Solutions to Your Fraud Problems”—the panel discussed some of the roadblocks frequently encountered by both new and existing businesses and offered simple ways to avoid making the same mistakes.
The group covered the benefits and limitations of behavioral monitoring, device fingerprinting, wholesale blocking of IP addresses, CVV and AVS, velocity checks and manual review of chargebacks. While each of the techniques can be effective as part of a comprehensive anti-fraud system, none are sufficient to protect a business on their own, the panel agreed.
“Fraud is a threat to anybody in the card-not-present space,” said Rey Pasinli, executive director of Total Apps Inc. and moderator of the panel. “But fraud screening is not an end-all, be-all. It is an evolving technology, an evolving process. There is no single layer of defense that is effective by itself. You have to use a combination of tactics in order to provide yourself the maximum protection available.”
One tactic that used to give merchants a good indication of whether a transaction was fraudulent, but would no longer be sufficient as a lone fraud-fighting tool, is the use of AVS (a service supported by Visa, MasterCard, Discover and American Express that verifies the cardholder's billing address against the one on file with the issuer) and CVV (the three-digit code printed next to the card number in the signature panel).
The information was used as part of fraud-fighting efforts because it was generally thought that data obtained by hackers cracking a network would not include this number. According to Ed Lin, co-founder of Subuno, a New York City company whose platform aggregates many anti-fraud solutions, that is no longer true.
“When the fraudsters are getting credit-card information they’re able to access that data,” said Lin, whose data show almost all fraud attempts, or attempts to test the validity of hacked data, have good AVS and CVV information behind them (according to Pasinli, stolen credit-card accounts with full AVS-matched data are available for sale on the Internet for 8 cents per record). And, Lin said, relying on AVS alone could result in rejecting a significant number of good orders. “You really do need to use alternative tools,” Lin said, “to detect the fraud.”
Another tactic for global merchants has been to block every IP address (the unique number that identifies the device from which a transaction is made) emanating from certain countries. The assumption that any transaction originating in a country that has proven to be a haven for hackers is fraudulent has served merchants well. But, like the fraudsters themselves, fraud tools have become increasingly sophisticated, and blocking entire countries could now be doing more harm than good, said David McDonnell, the co-founder of compliance consultancy ComplyPay, and Don Bush, director of marketing for Boise, Idaho-based anti-fraud solutions provider Kount.
“If you’ve got a proper fraud-screening system up front and you can do good detection at that point, we tell our merchants, ‘don’t block anything.’ It’s dynamic, it changes all the time,” said Bush. “Even Nigeria—if it has 50 percent fraud that means 50 percent of the orders are good. There are only a few reasons we recommend [blocking entire countries]: one…it’s illegal to do business with them. Two…logistically you just can’t do business in the country. Outside of that, blocking countries or IP addresses because of fraud, we look at as a way of reducing overall revenues.”
Stay tuned to CardNotPresent.com in the coming weeks as we present summaries and audio clips from the most exciting and relevant sessions at the 2012 CNP Expo.