CNP (Card Not Present) fraud is a serious threat to both Online Merchants and Payment Service Providers (PSPs). In itself this is proving to be a major problem. To make things worse, there have recently been a number of spectacular, very high-profile mass data breaches which have also grabbed the headlines. These breaches have put large numbers of customers’ card details into the hands of sophisticated criminals, who then use them systematically for fraudulent online purchases.
The volume of Card Not Present transactions is increasing rapidly as people more frequently use the web and mobile channels to make purchases. It is the anonymity of paying over the web that makes CNP fraud so attractive to fraudsters. With such rapid growth, CNP fraud has become a major issue for payment service providers and online retailers alike. The likelihood of a CNP transaction being fraudulent is far higher than it is for card present transactions.
Let’s look behind the dramatic headlines at how those at risk can best address this pernicious flood of fraudulent card activity. To date most fraud prevention vendors have offered what are effectively very limited ‘single-aspect’ datasets, such as geolocation, address verification or device information, to validate transactions. Significantly, each vendor may offer the user the ability to write rules against its specific data, but this leaves the user without the ability to write rules that combine these separate data items. It also leaves them unable to incorporate data that lies within their own internal systems, such as chargeback history or business velocity, into their risk management strategies. What PSPs and online merchants really need in the fight against CNP fraud is a professionally integrated solution which enables them to use best-of-breed commercially available external data feeds together with relevant data from their own internal systems to detect and block frauds in true real time, in-flight, before any loss is incurred.
Today’s buzzword is SaaS – Software as a Service – but from our discussions with PSPs and merchants it could be labelled Software as a Disservice because they cannot see the whole picture. What they are telling us is that they want to be able to select from available third-party data sources and use this data together with data from internal systems when assessing risk. They want a comprehensive ‘on-premises’ solution rather than SaaS data silos. From what we were told, there did not seem to be any commercially available ‘on-premises’ systems that could meet this burgeoning demand. The only other way for online merchants and PSPs to achieve this would be to go down the extremely costly bespoke development route. In studying the problem closely, we saw that we could deliver very real and significant benefits to these markets by offering our own Fractals Fraud Integration Hub (FIH) as an ‘on-premises’ solution. This highly scalable system combines multiple internal and external data sources and has been specifically designed to protect online merchants and payment service providers from CNP fraud in particular.
By having an ‘on-premises’ fraud prevention solution in place, online merchants and PSPs are now able to take a highly effective best-of-breed approach to detecting and preventing fraud. When used by an Online Merchant such a system protects the merchant against cardholder fraud. When used by a Payment Service Provider, the system protects both merchants and the PSP against cardholder fraud and the PSP itself against fraud perpetrated by merchants.
The system enables clients to write their own fraud detection rules and to use intelligent fraud detection models which integrate a broad range of data, both from clients’ internal systems and from specialist third-party SaaS data providers, for key fraud indicators including device identification/reputation, IP geo-location, mobile location and address verification. This ‘on-premises’ approach also incorporates Alaric’s proprietary Message Mapper solution, which greatly simplifies the process of integrating the Fraud Integration Hub with clients’ internal systems, thereby enabling it to be put into live use quickly and cost effectively. Users also have the added security of knowing that the system is PA-DSS (Payment Application Data Security Standard) certified.