update on developments in online payments vol. 5 issue 8, 15 june 2012
TRANSCRIPT
1 | 8 www.thepaypers.com Copyright © The Paypers
Update on developments in online payments Vol. 5 Issue 8, 15 June 2012
MRC DUBLIN: Reducing online payment fraud, im-
proving risk management strategies
Exclusive interviews with CyberSource 1
Expert opinion—SecureKey 3
Exclusive interviews with ReD 5
Exclusive interviews with TeleSign 6
The MRC European Spring e-Commerce
Payments and Risk Congress in Dublin
brought together European and global
merchants, solution providers, payment processors, and other industry stakeholders for a
three-day event discussing the newest breakthroughs and innovations in reducing online
payment fraud and improving risk management strategies in today’s ever-changing world
of technological advancements.
Key sessions included:
▪ Keynote address by the Honorable Richard Bruton T.D., Minister for Jobs,
Enterprise and Innovation;
▪ Industry benchmarking data;
▪ Digital & card issuer fraud;
▪ Expanding e-commerce beyond the EU;
▪ Transforming mobile payments;
▪ Law enforcement collaboration.
Dr Akif Khan joined CyberSource in December 2004. As Director,
Products and Services, he has become an industry thought leader and
influential speaker within the eCommerce payment and fraud arenas.
Helping and advising online businesses all over the world, Dr Khan has
witnessed the latest challenges faced by organisations in multiple
geographies and market sectors. Educated as a research scientist, and
with recent experience in the IT and finance industries, Dr Khan is well placed to work with
CyberSource’s customers, analysing their requirements and providing guidance to optimise
and grow their businesses with particular focus on minimising risk, reducing fraud and
moving into new territories.
What are some of the key findings of the joint MRC-CyberSource European Fraud
Survey?
Akif Khan: This latest fraud survey is built around the principle of our fraud management
pipeline; covering metrics relating to automated screening, manual review, order
acceptance/rejection and chargeback management. We asked respondents a range of
questions about their fraud experiences across each of these four areas (over 60 European
enterprise level merchants participated).
MRC EUROPEAN SPRING E-COMMERCE PAYMENTS AND RISK CONGRESS 2012
“A single tool will never be able to stop fraud” - Exclusive interview with Dr Akif Khan, CyberSource -
EVENT HIGHLIGHTS
Update on developments in online payments
2 | 8 www.thepaypers.com Copyright © The Paypers
Vol. 5 Issue 8, 15 June 2012
The survey revealed that, on average, European fraud loss rates are a little higher than
those reported in our equivalent survey in the US. However, there are a whole host of
dynamics at play and the markets are very different. For instance, when asked about
fraud tool usage, 37 percent of respondents reported that they had implemented 3D
Secure, almost twice as many as in the US. Any merchant processing Maestro cards
online must enable 3D Secure, and of course Maestro is well known in Europe.
There is a lot of talk about new anti-fraud techniques…
Akif Khan: Yes. Within Europe about 36 percent of merchants who responded to the
survey said they use device fingerprinting. Significantly, when asked to list the anti-
fraud tools that they were planning to implement in the coming year, merchants
ranked device fingerprinting number one (34% of respondents stated that they would
be implementing this tool).
Businesses are using a range of methods to tackle the fraud challenge, and it’s clear
that no single tool will be able to stop fraud. I like to think of this as a jigsaw puzzle; the
more pieces you have, the greater chance you’ll see the whole picture and be able to
more effectively combat fraud. A word of caution though; these pieces must fit
together and complement each other – a mismatch could do even greater damage.
When looking at manual review, the survey results indicated that, on average, just over
14 percent of transactions are being evaluated in this way. Given the high transaction
volumes that the survey respondents see and the costs associated with this review
stage, European merchants should certainly look to optimize their review processes.
It is worth noting that there are variations between different industry sectors: for
instance, in the travel sector the manual review rate is considerably higher than
average, whereas in the digital goods sector it is lower. These differences relate to
particular businesses models that have been adopted. For example, in the digital goods
space orders are often fulfilled immediately; manual review may cause a delay in that
fulfillment so attention is focused on automating as much of the fraud management
process as possible.
The survey revealed that, on average, European merchants were rejecting over 6
percent of orders due to suspicion of fraud. Undoubtedly, some of these orders will
have been fraudulent, however it is very possible that some good orders will have been
rejected too. It is important for merchants to minimize the risk of turning away good
customers. Currently, the average order reject rate stands at 3.3 percent for US
merchants.
One of the main messages arising from this survey is that merchants want to
understand where the risk is originating i.e. for which countries are the fraud rates
likely to be higher and therefore warrant special attention. The challenge is that
different merchants analyze this information in different ways. As an example, we
asked merchants to categorize how they define where fraud is coming from. In total,
42 percent of respondents said that they define this country of origin as the country
that the IP is associated with. At the same time, 15 percent of merchants classify the
fraud location using the delivery addresses, while 8 percent base their decision on the
country where the credit card was issued. It has become clear that there is a need to
create a common set of definitions and standards so that we can better appreciate this
entire area. At MRC Europe we are exploring how we can work with our membership
community to achieve just that.
What are the main reasons for this higher percentage of fraud in Europe?
Akif Khan: If we analyze data by country or industry sector, we see that those
merchants with more online experience are generally better at managing fraud. This
means that the fraud rate is in part related to the merchant’s maturity within their
market. Furthermore, larger and more experienced merchants often have access to
more resources, both internally and externally.
It’s worth noting that when we’ve previously conducted fraud surveys in North
America, the merchants that are members of the MRC do seem to experience better
overall fraud metrics. Through its benchmarking activities, the MRC looks to further
empower merchants to better understand the impact that fraud is having on their
business. And by connecting merchants, vendors and members of law enforcement the
industry can begin to truly work together to address the challenge.
Update on developments in online payments
3 | 8 www.thepaypers.com Copyright © The Paypers
Vol. 5 Issue 8, 15 June 2012
Retail has always been perceived as one of the driving forces for the economic
development of each country. Consequently, the level of retail sales is an important
indicator of the health of the economy and a raising level shows that consumers have
more disposable income and confidence in making purchases. In the US, national and cross
-border transactions in this sector, both over the internet and offline, have considerably
increased over the years, as data frequently shows.
A survey released by research company Real Capital Analytics points out that in Q1 2012
retail sales in the US have grown 87 percent as compared to the same period in 2011.
During the same period, on the online front, retail spending has reached USD 44.3 billion,
up 17 percent y-o-y, according to a research by comScore, a source of digital business
analytics. But unfortunately, the retail industry has also become a main target for those
who are constantly committing illegal activities. Thus, fraud has turned into a constant
challenge for traditional and online retailers forced to deal with organized fraudsters, who
are in constant search for new channels to exploit.
According to a survey released by retail trade association National Retail Federation (NRF),
96 percent of retailers, have declared that their company has been the victim of organized
retail crime (ORC) in 2012, up from 94.5 percent in 2011.
The eighth annual Organized Retail Crime survey also indicates that 87.7 percent of
respondents believe that organized retail crime activity has increased since 2009. With
regard to factors which may have determined this increase, the survey mentions the
current economic conditions, lower staffing levels at stores and the ease of selling stolen
merchandise in pawn shops/flea markets, online and other fencing operations. The study
shows that experts in the industry and even law enforcement are convinced that
organized retail crime in recent years has become more of a “gateway crime” than ever
before. These organized retail crime activities are normally performed by groups, gangs
and sometimes individuals who are engaged in illegally obtaining retail merchandise
through both theft and fraud in substantial quantities as part of a criminal enterprise.
Finally, the report points out that 54.4 percent of retailers believe that their top
management understands the severity and complexity of the problem. More companies
are reporting that their company is allocating additional resources to address this crime
(52.8 percent in 2012 as compared to 46.5 percent in 2011).
NRF’s survey was conducted from 17 April to 11 May 2012 on a sample of 125 retail loss
prevention executives representing department stores, discount, drug, grocery, restaurant
and specialty retailers. NRF represents retailers of all types and sizes, including chain
restaurants and industry partners, from the United States and more than 45 countries
abroad.
The National Retail Federation has been educating retailers, law enforcement, media
outlets and policy makers on organized retail crime since early 2005. The association
mitigates for the importance of continue training and awareness programs for staff and
other industry partners as well as strong collaboration with law enforcement in order to
understand and fight organized retail crime.
Today’s Online Fraud Realities
By Greg Wolfond, CEO, SecureKey Technologies
Fact: Consumers are overwhelmed by a proliferation of credentials increasing security and
privacy risk
Fact: Banks, Merchants, Enterprises and Governments are all battling authentication,
identity and payment fraud
The security measures that institutions use to protect their customers continue to increase
in sophistication and still online fraud is on the rise. Phishing attacks alone are up over 37%
FOCUS ON:
ORGANIZED CRIME AMONG RETAILERS ON THE RISE
EXPERT OPINION
Update on developments in online payments
4 | 8 www.thepaypers.com Copyright © The Paypers
Vol. 5 Issue 8, 15 June 2012
year over year in 2011, representing only one mechanism to collect unauthorized user and
payment information.
Historically, the more security that is added, the less convenient it becomes. 3D Secure is a
great example; it is supposed to limit online fraud but it reduced merchant conversion rate
so much that most merchants in North America don’t use it.
Consumers are managing dozens, sometimes hundreds, of increasingly complex online
login IDs, and using them interchangeably with many online services, actually increasing
their risk and exposure to damaging online attacks. The security protocols that exist in the
physical world where driver’s licenses and payment cards are used don’t exist in the online
world.
Cards in the physical world were susceptible to fraud; it was quite easy to copy a magnetic
stripe payment card. But most of the world has moved to Chip and PIN cards. These new
EMV cards have small computer chips in them, they generate dynamic numbers on each
transaction, and they can’t be copied.
The combination of a chip card ‘something I have’ together with a PIN ‘something I know’
makes security strong and reduces fraud. Today’s online shopping is much like the old
cards; it uses static numbers and is easy to copy, so fraud is high.
In the UK, when chip cards were introduced, card-present fraud in physical locations
reduced dramatically. However ‘card not present’, or online fraud, went from 10% in 1998
to 54% of fraud in 2008 because the fraud migrated online where it was easier to commit.
The same is happening in Canada and will happen in the United States.
On the bright side, changes in consumer technologies are beginning to happen that will
allow the same principles that led to massive reduction in point-of-sale fraud with the use
of EMV cards to be applied online. What’s required is the same ‘what I have’ and ‘what I
know’ factors, or strong two factor authentication, and a secure issuance or registration
process. To truly curtail online fraud it must be affordable, work across all payment
methods, and be commonly available and convenient. A bonus is if it can also be used for
non-payment identity applications as well. New technologies, like Intel’s new identity
protection technology in the new ultrabooks for example, allow secure tokens to be stored
in a secure place much like a chip card.
SIM chips in phones have a similar capability, and many devices are coming with NFC
capability that will allow reading of PayWave, PayPass, ZIP or other in-wallet credentials.
Whether the security token is stored in the device or on a card tapped from my wallet, the
combination of that token, the ‘what I have’ with a ‘what I know’ factor of authentication
like a password, will make the security of online transactions much safer than they are
today.
What’s going to make all this work for consumers is simplicity. It’s not new regulations
and it shouldn’t be a burden on the consumer. The companies that solve the security
challenges have to create an enchanting customer experience. The same solutions that
apply to online shopping fraud will then solve many of the authentication and identity
challenges of the anonymous internet.
Tap my driver’s license on my tablet as part of the process to open a new bank account, or
my health card on my laptop to see my health records online. Register my BlackBerry,
Android or iPhone through a secure registration process to be my personal authentication
terminal and confirm all my high-risk transactions, purchases, transfers, even logins with
the push of a button on my phone.
Consumer technologies are evolving to make all this possible. It’s now up to the creative
folks to make it easy and usable by everybody.
Update on developments in online payments
5 | 8 www.thepaypers.com Copyright © The Paypers
Vol. 5 Issue 8, 15 June 2012
About Mr. Greg Wolfond
Greg has a successful track record bringing innovative solutions to the
financial industry. His expertise and entrepreneurial skills are
evidenced by his founding of Footprint Software Inc., a financial
software company which he started in 1983 and later sold to IBM in
1995. Additionally, Greg founded and was CEO of 724 Solutions Inc.
from 1997 to 2001, a wireless software infrastructure provider which
he took public in 2000.
Mr. Manish Patel, President EMEA, ReD, is a business professional
with over 20 years experience within the banking, payments and fraud
prevention industry.
Starting his career at NatWest Bank Plc, Manish spent ten years within
retail banking and international card acquiring before joining ReD in
2000. Since joining ReD, Manish has established himself as an
accomplished expert within the field of payments and fraud prevention
and has played a key role in the development of ReD’s business in
Europe. As President of EMEA, Manish is responsible for managing and leading the Sales,
Account Management, Risk & Customer Support teams for ReD in Europe, the Middle East
and Africa.
What kind of approach does ReD offer to online fraud mitigation?
Manish Patel: ReD offers a flexible, multi-layered approach to our merchant customers in
mitigating online fraud. We understand that each merchant’s business is unique and
therefore our solutions are tailored to meet the specific business objectives of the
merchants we work with. ReD has expert risk analysts located around the world who act
as consultants, offering guidance to our merchants on a daily basis.
The analysts` role is to ensure the fraud models we deploy for our merchants continually
deliver optimal performance in reducing fraud whilst ensuring that genuine consumers are
able to successfully make purchases. The analysts also advise our merchants on how and
when to change their strategies as soon as new fraud types are identified or fraud
migrates to a different channel to ensure they are protected immediately, reducing the
window of exposure. We also work with issuers, acquirers, processors, PSPs and switches.
Working across the entire payments value chain gives ReD a unique perspective which all
our customers benefit from.
Fraud will always be an issue. Where is the problem now? Is there not enough consumer
awareness, does the industry still lack the necessary technology to mitigate it?
Manish Patel: In my opinion, you need to take a holistic approach in the battle against
payment fraud. It is a global, multi-sector, multi-channel problem which does not
discriminate. Whilst continual advances in technology are fundamental to the fight,
technology alone is not enough.
Fraudsters too are using smart technology to perpetrate fraud. Industry initiatives such as
CV2/AVS and 3D Secure have been introduced to protect online merchants and these
initiatives have forced fraudsters to think differently and become even more creative.
Technology will always have a key role to play, but the human element is also crucial.
This is why experienced risk and fraud analysts who have a multi-sector, multi-
geographical, multi-channel and multi-payment perspective across the entire payments
value chain are critical to the fight. Perpetrators of fraud are highly sophisticated
individuals and we have to try and think the way fraudsters do.
“In 2011, we protected in excess of 17 billion transactions”
- Exclusive interview with Manish Patel, ReD -
Update on developments in online payments
6 | 8 www.thepaypers.com Copyright © The Paypers
Vol. 5 Issue 8, 15 June 2012
Do you also help merchants educate their customers because there is still much
ignorance?
Manish Patel: Yes, ReD works very closely with our merchants to provide guidance and
support on how to best protect and educate their customers on payment fraud
prevention. Through our experience in dealing with some of the world’s largest merchants,
we are able to share best practice and provide tips to ensure our merchants are able to
communicate knowledgably and deliver a first class service to their customers.
In many cases merchants do keep themselves well informed, but despite best efforts, it
can be an arduous task due to the pace at which fraud patterns and techniques change
and migrate.
ReD helps merchants keep up to date with these changes and developments. How would
you describe the overall awareness of cyber-crime in the US and Europe vs. other
regions?
Manish Patel: Cyber-crime is a significant and well reported issue in the US. Over the past
decade, Europe has also experienced a significant uplift in cyber-crime with the popularity
of online shopping and banking. In recent years we have also seen cyber-crime increase
significantly in emerging markets such as Asia and Latin America. Analyst forecasters are
predicting Asia to out-perform the US for e-commerce by 2015; concerns are that cyber-
crime will also increase proportionately.
In your opinion, what are the main fraud indicators for consumers?
Manish Patel: The most common is when a consumer checks their bank and/or credit card
account online or receives a bank statement in the post, and sees entries which they do
not recognise. This is typically the first indication that fraud has been perpetrated.
Some voices are concerned that tracking technologies jeopardize online privacy. What is
your own opinion regarding this aspect?
Manish Patel: There are a number of new technologies entering the market which focus
on tracking consumer behavior. With these new technologies comes the ever increasing
risk of personal data being exposed and compromised. To combat this, we have seen and
are continuing to see, a tightening around regulation and compliance notably ‘Data
Protection’ and ‘P.C.I’ to ensure that companies who provide these ‘tracking technologies’
have the right security protocols and processes in place to securely deliver the services
they offer.
Ryan Disraeli brings an entrepreneurial savvy to his role of directing the
fraud services organization. Disraeli draws on his experience in
technical business management, professional services program
deployment, as well as launching new products in the Internet security
and telephony industries. Ryan was part of the original TeleSign team
and is currently responsible for working with clients on their fraud
strategy, while contributing to the product vision. Ryan consults with
many of TeleSign's enterprise customers, enabling them to leverage the
most out of TeleSign's technology. He can often be found contributing false information on
fraudster message boards.
First of all, it would be interesting to know what prompted your company to get into this
business. Why a phone-based verification approach?
Ryan Disraeli: Phone-based verification achieves an excellent balance between mobility
and security. The phone is one of the most widely used technologies, yet it presents an
“If I were to describe fraudsters using one word, it would
be entrepreneur” - Exclusive interview with Ryan Disraeli, TeleSign -
Update on developments in online payments
7 | 8 www.thepaypers.com Copyright © The Paypers
Vol. 5 Issue 8, 15 June 2012
added complexity for fraudsters. Our customers think that phone-based verification is the
simplest, yet most effective way to authenticate their users.
During the MRC Dublin event you held a presentation about fraudsters. Could you please
give us a summary? What is the organizational structure of online fraudsters?
Ryan Disraeli: I began my presentation by profiling fraudsters and talked about how these
individuals are motivated to commit fraud. My presentation focused on the similarities
between online and offline fraudsters. There is an element of specialization that is
involved in both online and offline fraud and it is important to understand how these
groups are formed and communicate. Fraudsters are great at networking, examples of this
can be found across several online forums. A part of my presentation analyzes these
forums and illustrates the communication between fraudsters.
Could you make a profile of fraudsters?
Ryan Disraeli: If I were to describe fraudsters using one word, it would be entrepreneur.
It is difficult to create one profile of fraudsters since they come from a wide variety of
backgrounds. Fraudsters are distributed across the globe and can come from a mix of
economic backgrounds and age ranges.
In your opinion, what kind of techniques do fraudsters use to exchange information?
Ryan Disraeli: Fraudsters exchange information similar to other industries. Networks exist
where fraudsters communicate their strategies and also buy and sell commodities like
credit card numbers and bank accounts. Online forums are often used for this purpose and
look similar to forums about any topic. Instead of talking about sports or movies, the
topics range from hacked servers to the best place to buy credit card numbers.
How do online fraudsters leverage common offline fraud techniques?
Ryan Disraeli: Online fraud is actually quite similar to offline fraud and more fraudsters are
participating in both. The same strategies around agility, specialization, and networking
are applied to both online and offline fraud.
What solutions does the market provide for merchants, in order to stay ahead of the
growing fraud climate?
Ryan Disraeli: There are a variety of vendors that have developed excellent solutions to
fight fraud. The best fraud strategy implements a variety of these tools along with your
own custom rules. One thing that merchants need to embrace is that they need to stay as
agile as the fraudsters. The fraud climate changes extremely fast and it is important to
constantly evaluate your strategy to ensure it is up to speed to fight against the growing
threats.
What kind of industry segments does your company serve?
Ryan Disraeli: We work with some of the largest companies in eCommerce, Cloud services,
social networking, payments, gaming, and financial services. Our team has the expertise to
meet the complex regulations and requirements that are specific to these industries.
Sending a one-time password or authentication code by SMS can be regarded as not
being very secure. If a mobile device is lost or stolen and if another person takes
possession of a user's phone, they could use it to authenticate fraudulently. In this
context, do you agree that some industries might recognize the need for stronger online
authentication?
Ryan Disraeli: The phone is such an integral part of our lives that when it is lost or stolen,
we usually replace it immediately. Having said that, a good fraud strategy encompasses
multiple solutions and should never rely on one technology.
What is your perspective on mobile phone fraud? As mobile phones increase in
popularity and functionality, are security issues affecting online payments likely to be
“Fraudsters and entrepreneurs share some common characteristics, both can be
incredibly disciplined, resourceful, and scrappy. “
Update on developments in online payments
8 | 8 www.thepaypers.com Copyright © The Paypers
Vol. 5 Issue 8, 15 June 2012
transferred to the mobile channel?
Ryan Disraeli: There is no doubt that security issues are already being transferred to the
mobile channel. While a lot of vendors are working on solutions to combat this type of
fraud, we ultimately need to see better cooperation with the mobile operators to continue
to stay ahead of the growing threats.
Imperva, ThreatMetrix to add device identification, fraud malware detection to ThreatRadar Global data security services provider Imperva has entered a partnership with
ThreatMetrix, a US-based provider of integrated cyber security services, to add
ThreatMetrix device identification and fraud malware detection to ThreatRadar Fraud
Prevention. Read more
North America: Gemalto, nAppliance roll out new authentication service Dutch digital security company Gemalto has joined forces with nAppliance Networks, a
provider of Microsoft based networking and security appliances, to roll out a new
authentication service for the North American market. Read more
Socure, ValidSoft team up to deliver cyber security, identity theft protection to social networks Socure, a US-based identity and reputation applications developer, has inked a contract
with Irish-based authentication technology provider ValidSoft. Read more
In the next editions of the Online Paypers newsletter, we will continue to focus on some of
the most important developments and initiatives in the online payments and e-commerce
space, structured per regions, in parallel with a series of exclusive interviews with
representatives of payment services providers whose role on the online payments market
is not difficult to define: Alipay, Ogone, WorldPay and Chase Paymentech.
If you would like to contribute with an expert opinion on any of the topics above or make
any other suggestions, do not hesitate to contact us at [email protected].
YOUR OPINION IS IMPORTANT TO US!
About: Online Paypers is a bi-weekly update on developments in online payments by The Paypers, the portal for
payment professionals.
Editors: Adriana Screpnic, Mihaela Mihaila, Ionela Barbuta and Melisande Mual.
Website: For more information, please visit our websites: www.thepaypers.com
Contact: For more information, you can contact us at: [email protected]
Subscription info: Online Paypers is a product of The Paypers and is published 24 times per year. Year
subscription price: €495
Copyright: 2011 © The Paypers. All rights reserved. Reproduction or redistribution in any form without explicit
prior written permission of The Paypers is prohibited.
Disclaimer: The Paypers sees to the utmost reliability of all its news products. Nevertheless we do not accept
any responsibility for any possible inaccuracies.
NEWS