PaymentsSource: One Merchant's Post-EMV Fraud Shock: 'We Had No Idea What We Were Doing'09-Jun-2016
CHICAGO — Kyle Largent offered himself up as "Exhibit A" for U.S. online merchants' greatest fear: that EMV chip card adoption at the point of sale would cause fraud to spike online.
After all, Largent, the fraud prevention supervisor for athletic shoes and accessories manufacturer New Balance, has spent the better part of the last four years trying to help his company recover from an onslaught of fraud on its e-commerce channel.
"When EMV hit in Europe, our chargebacks for fraud went through the roof, and no one was expecting it," Largent said in a presentation June 8 at the annual Internet Retailer Conference and Exhibition. "We had manual review rates of 25% of transactions, and no idea of what a good order was compared to a fraudulent order."
Companies without multi-layered fraud protection tools or analytics often rely on manual reviews to determine whether to accept or deny individual orders. It is a costly and time-consuming process for any merchant, and particularly cumbersome for e-commerce sellers who risk losing good orders if they make the wrong decisions.
Time is critical for e-commerce merchants, many of whom still balk at using 3D Secure to protect card-not-present transactions, even though recent upgrades to that system have reduced friction in what used to be largely a password-based authentication process.
At first, New Balance scrambled into a "Murder, She Wrote" mode, Largent said, because the company operated like the Angela Lansbury character in the 1980s TV show — essentially believing that every transaction was fraudulent until proven otherwise.
"Like the TV character, we would assume everyone was a suspect, and if you had a card from a different company than what we had seen, you were fraudulent," Largent said. "When we started to figure it out, we were cancelling good orders and allowing fraud orders."
Then Largent confessed: "We had no idea what we were doing."
New Balance fell into a fairly common trap, because the majority of merchants approach fraud with the mindset that they do not have a fraud problem, said co-presenter Don Bush, vice president of marketing for fraud prevention technology provider Kount Inc.
"It might be true that they don't have a problem, but there are symptoms of fraud that happen regularly whether you recognize them or not, and you need to act as if you do have a problem," Bush said.
If e-commerce merchants needed any extra incentive, many industry researchers and analysts predict card-not-present fraud in the U.S. will climb to $7.5 billion by 2020.
Fraudsters obtain personal and payment card information from so many places now, it has become easier for them to operate like a network in various parts of the world and share information about retailers or financial institutions with weak data security practices, Bush said.
"They have a tool called AntiDetect that allows them to change IP addresses, or the cards they are using, so they can keep changing things quickly to find e-commerce sites that will accept their cards," Bush added.
New Balance got back on track by researching the various fraud tools available and then becoming "laser focused" on setting up rules for them and monitoring transactions in a more efficient manner, Largent said.
"Some companies will make huge blanket rules, such as not taking any orders from Taiwan because they were getting some fraud orders from that country," Largent said. "A company that wants orders from Taiwan might set the rule of not taking any orders from Taiwan if the card was issued in Japan and the transaction is more than $150."
That's a more specific rule, and one that allows good orders to get in but can still stop most bad orders. "Something like that helps our customers in that region of the world and helps our image in that marketplace," Largent added.
Sometimes merchants are so busy taking and filling orders, they really don't have a good understanding of the makeup of the majority of their transactions.
"If you don't know what looks normal, you won't know what abnormal is," Bush said. "Are most of your orders at 1 p.m. or 1 a.m.? Do your customers always buy socks when they buy shoes? Are your transactions mostly $100 or less?"
Primarily, e-commerce merchants should implement strong tracking measures, device ID technology, proxy ID detection, and monitoring of order frequency from individual customers.
A good way to give your company its own wake-up call is to do the "fraud math," Bush added. "Many don't know the true cost of fraud for their company by looking at the manual review process and the cancellation rate and the chargebacks."
Boise, Idaho-based Kount recently received an $80 million funding round from CVC Capital Partners late last year.