Moving Target

If you sell online, you are a high-profile target for credit card fraud. Catalogers and retailers have a fraudulent credit card rate of 1% or less, compared to 1.5% – and climbing – for online merchants. Since all illegitimate charges are the full responsibility of the merchant, this can take a substantial bite out of the bottom line.

Saturday night numbers Fraudulent charges can come from a variety of sources. Lost or stolen cards are the least of them. Suffice it to say, if a thief wants to get hold of a credit card number against which to make charges, he or she will have no trouble doing so. They’re easier to come by than Saturday night specials.

Catalog companies have been coping with fraud for many years now. Many companies have a rigorous and systematic program to identify potential fraud, and either reject a suspicious order or flag it for special treatment. Most catalog order processing systems incorporate a Modulus-10 check-digit verification to verify that the credit card number is legitimate.

Understandably, e-commerce companies are reluctant to admit their fraud rates, but credit card processors and card issuing agencies certainly know what the numbers are. So alarmed are Visa and MasterCard that this past June they both imposed a requirement that Web orders be specifically identified in the credit card authorization and settlement process. Fines for failing to identify Web orders start at $1,000 per month. Relatively few multi-channel merchants had complied with the mandate by late September, but MasterCard drew a line in the sand for October 1, after which severe crackdowns could be expected.

Online protection Online merchants or catalog Web sites don’t have the benefit of TSRs who can put every order to the “smell test.” But now they have something far better: an Internet-based electronic sniffer that uses data mining and neural network techniques to perform near-perfect fraud screening for every e-commerce credit card order.

HNC Software, located in San Diego, CA, offers a consortium-based “risk profiling” service called “eFalcon” through its eHNC division. HNC itself has been doing predictive risk modeling for nearly a decade, but only recently adapted its technology to e-commerce. Its eFalcon service is used by nine of the top ten Visa and MasterCard credit card issuers, and by 16 of the 25 largest credit card issuers worldwide.

Merchants who use eFalcon become part of the HNC consortium. All members of the consortium pool their transaction histories in the eFalcon database to create a vast data warehouse of consumer credit card and purchasing behavior. Just as savvy catalogers look at size of order, day of week, product type, and time of day, so the eFalcon risk profiling tool examines up to 150 different parameters for each purchase in real time. In less than half a second the system returns a score for each transaction ranging from 1 to 999. The higher the score, the greater the likelihood that the transaction is fraudulent. Scores are determined by the merchant’s SIC code, the profile associated with the credit card number from the consortium of merchants, and other factors.

The advantage that eFalcon offers is that it can also look at the historical data for that same card number in multiple environments, giving it the ability to judge “velocity” of charges (how many per hour or day) and geographical distribution of charges. If a credit card is being used to charge some multiple of its typical daily or hourly charge rate (number of charges and dollar total), or the same card is being used in distant states or multiple countries on the same day, this is a good sign something may be wrong.

eFalcon, which can process up to 300 transactions per second per merchant on geographically dispersed redundant servers supported by secure socket layer encryption, charges a flat fee (ranging from 10 to 20 cents) for each transaction, based on volume and level of service. The basic service simply returns a score. You are responsible for programming the application programming interface (API) to integrate the score into your order management system and for determining what to do with it – that is., at what level to send the order to a CSR for follow-up, and at what level to kill the order.

The “Standard” level of service includes an eFalcon Policy Management Workstation that supports the writing of complex business rules for interpreting the eFalcon score that may incorporate parameters that the scoring algorithm does not have access to online or data from other third-party sources.

The “Premium” level of service adds an Order Management Workstation that supports CSR follow-up. If you already have a contact center solution, you probably don’t need this service.

Other options Depending on your credit card transaction processor, you may have other options. Paymentech, for instance, offers eFalcon scoring, but instead of returning the eFalcon score will attach a high-, medium-, or low-risk flag to each transaction. Paymentech decided to use eFalcon, incidentally, after testing it with Paymentech’s own fraud files and getting a 96% accuracy rating.

There are two related services also available. HNC has partnered with Digital Island to include that company’s TraceWare as part of the eFalcon screening process. Adding another five to ten cents to the processing charge, TraceWare identifies the country in which the customer’s Internet service provider is located. With 96% accuracy (ironically the same as the level Paymentech confirmed for eFalcon), TraceWare can help in fraud prevention (orders from some countries have a notoriously high likelihood of fraud) and also in personalizing the customer’s online shopping experience.

In a partnership with Equifax, HNC is also offering a service that checks the customer’s shipping address against the Equifax address database to identify potential fraud. A common ploy of fraudulent buyers is to impersonate the card holder, including the credit card billing address, but to have the order shipped to the criminal’s choice of location.

eHNC has a rigorous implementation procedure that takes 30-60 days from start to finish. While the Account Manager does a very thorough job technically and administratively, fraud management consultants can help you establish effective business rules for dealing with your particular fraud-exposure profile. Along those same lines, eHNC has partnered with Retail Decisions (ReD), a British company with U. S. offices, to work with merchants to develop effective fraud management programs. One of ReD’s assets is the world’s most comprehensive historical database of lost and stolen credit card numbers. The banks themselves post the numbers only for a month. ReD maintains them forever. The company also markets ebitGuard, a complex risk management system for retail and direct commerce credit card processing environments.

Two HCN/ReD competitors are CyberSource and ClearCommerce. Like eFalcon, CyberSource is based on a neural network and data modeling platform. ClearCommerce offers FraudShield (a module of the ClearCommerce credit card processing solution); provides online, real-time fraud checking; and allows merchants to specify customized fields or data to check for known fraud profiles for their businesses.

Resources ReD and HNC joined with ECDirect, CyberCash, Signio, and ShopNow.Com late last year to form the Internet Fraud Prevention Advisory Council ( to increase awareness among direct merchants and retailers regarding the risks of credit card fraud. You might also consult,, and, which have extensive overview and background information on the types of credit card fraud and on screening and researching the e-mail addresses and credit card data of e-customers as a first line of defense in e-commerce fraud screening. Check out,, and, as well.