UPDATED FEBRUARY 2011 - Binbase


UPDATED FEBRUARY 2011

BinBase.com REPORT: credit card fraud

Whether you are a security specialist, an e-commerce web developer, or an online merchant, a knowledge of how credit card fraud works and what you can do to prevent it can reduce your risk and your fraud-related expenses. A number of systems and procedures will help prevent credit card fraud and reduce your financial risk.

Credit card fraud often includes receiving products or services without paying, and it's frequently related to identity theft. In the U.S., the Federal Trade Commission monitors identity theft and reported a 21 percent increase in 2008. Credit card fraud, however, decreased for several years in a row -- as a percentage of transactions. The American Bankers Association reports that more than 10,000 card transactions are made every second around the world.

THE COSTS OF FRAUD

According to LexisNexis, credit card fraud costs bank credit card issuers about 1 billion annually. LexisNexis conducted a study in 2010 on the true cost of fraud in the U.S., researching more than 1,000 merchants, financial executives, and 5,000 consumers. The study found that merchants pay more than three times the dollar value on fraudulent transactions.

Credit card fraud costs credit card issuers about 1 billion annually

In the UK, fraud in 2006 was estimated at 535 million, or about 750–830 million in U.S. dollars. Most of the credit card fraud in the U.S. hits the card issuers hardest, as they absorb most of the fraud losses. A Boston-based research firm analyzed fraud prevention systems and found that two main types of credit card fraud include card not present (CNP) transactions and counterfeit or lost/stolen cards.
If a stolen credit card is used to purchase from your company, you can be liable when the legal cardholder challenges the transaction.

Illegitimate transactions are far too common; in 2005 MasterCard revealed that someone had compromised the network of CardSystems Solutions, a transaction processor for more than 40 million cards, including Visa and MasterCard. Users' information was compromised, including names, account numbers, and verification codes. In 2009 Bloomberg Business Week reported that online banking fraud had increased by 55 percent during the first two quarters of the year.

CREDIT CARD FRAUD REPORT 2011 BinBase.com sales@binbase.com Page 1 of 6

Despite a decrease in the overall amount of credit card fraud in the UK, annual losses from online banking fraud run close to 80m. Financial Fraud Action UK has warned that online fraud is increasingly sophisticated with the use of malware and phishing scams.

Online security measures, though, are effective in reducing fraud. Security systems (for example, those that require the cardholder to use a password for online purchases) have contributed to an 18 percent reduction in fraud. Yet fraud is big business, with huge losses -- UK card fraud losses totaled 232.8m in the first half of 2009.

U.S. merchants reject 1 of 9 orders for suspected fraud.

Internet sales have risen about 20 percent each year since 2000, according to CyberSource, a credit card payment gateway.

Though there has been a reduction in the percentage of fraud, reported losses from North American e-merchants increased from 1.5 billion in 2000 to 3.6 billion in 2007. And the fraud rates outside the U.S. are higher -- CyberSource's annual report estimated that U.S. merchants reject for "suspected fraud" one of every nine international orders. Why? Just in the year 2007, nearly 4 percent of the orders U.S. merchants shipped to other countries were later categorized as fraud.

WHO LOSES?

Losses are divided among merchants, card issuers, and acquirers but the majority of losses affect card issuers. This is primarily because when a merchant accepts a credit card on site, as long as the charge is authorized, the merchant gets paid. If the merchant complies with regulations and takes the proper steps to verify the card, the card issuer pays, even if the card was stolen.

An authorization for a credit card purchase does not always guarantee that the merchant will be paid. It means only that the card is good at that moment.

CARD AUTHORIZATION:

Authorization approval, though, doesn't always guarantee payment for the merchant -- it just means that the card hasn't been reported as lost or stolen, and at the time of authorization, the transaction funds were covered. If the card is indeed stolen (or even if it's not), the cardholder can later dispute the charge.

THE COST OF CHARGEBACKS:

When cardholders dispute transactions, online retailers are hit with chargebacks. The card issuer will reverse the amount of the purchase, and assess an additional merchant bank fee of 5 to 35 per transaction. If the cardholder reports it to your bank, regardless of the reason for the chargeback, you are assessed a fee for the chargeback.

HOW IT STARTS

Credit card fraud can start with the theft of a card or the compromise of the account data. Data compromise often occurs without the knowledge of the cardholder -- or the issuing bank or the merchant. Cardholders usually report stolen cards quickly, but a compromised account may take weeks or even months for evidence of fraud to become apparent. A stolen card is only usable till the cardholder notifies the bank of its theft, but unauthorized purchases can be made till the card is canceled.

VERIFICATION

Though many merchants require some form of I.D. or verification with a card purchase, self-serve systems such as kiosks or gas stations are easy targets for stolen cards -- verification of the cardholder's identity is limited or non-existent.

Many merchant systems require that the cardholder keys in a ZIP code or PIN number for authorization. Some card issuers encourage verification processes; Visa, for example, offers lower transaction rates to merchants if they require a customer's ZIP code at purchase. Card issuers also use software that estimates the fraud probability. Too many purchases on one day, or large purchases a long distance from the cardholder's residence, may trigger a hold on the card, rendering it unusable until the legitimate cardholder has authorized its use on the phone with the issuer. These software systems can instruct the merchant to decline the transaction -- or even instruct the merchant to retain the card or call the card issuer for verification.

The Federal Trade Commission estimates that as many as 10 million Americans suffer some type of identity theft each year.

CNP TRANSACTIONS

Online transactions are a major source of fraud against merchants, and online sales comprise the largest bloc of "card not present" or CNP sales. Though safeguards can reduce the risk of fraud associated with CNP transactions, the risk is still considerable enough that many card issuers charge a larger transaction rate for these sales.

The liability for fraud is shifted from the card issuer to the merchant for these transactions, and the merchant is liable for chargebacks even if the bank has authorized the sale. After this type of fraud, the card processors often increase their rates, citing increased risk, so the merchant pays not only the chargeback, but also a chargeback fee and then an increased rate for future transactions. After a set number of such fraudulent transactions, the merchant can even lose the account with the credit card processor.

Too many records of credit card risks your account with your credit card processor.

With on-site credit card transactions, the issuing bank is responsible for losses from fraudulently acquired goods or services. But CNP sales move that liability to the merchant for the cost of the fraud -- and all online transactions are CNP sales. Online merchants, therefore, need extra protection in place, with precautions to reduce fraud exposure and related financial losses.

Fraud prevention systems, though, are a balancing act for online merchants. Customers expect to use credit cards in a simple process without too many additional steps for verifying the cards. Online merchants risk losing sales when customers find the transaction process tedious or burdensome.

Because of laws limiting cardholder liability, and because of banks' policies limiting customers' liability, consumers have little reason to advocate for or accept increased security measures. Online merchants sometimes use additional services offered by the credit card companies, such as MasterCard SecureCode or Verified by Visa -- but such protections can sometimes risk losing sales with customers who want the "quick and easy" online sale.

Both federal laws and bank policies limit cardholders’ liability for stolen cards or for purchases later deemed fraudulent.

AVOIDING CREDIT CARD FRAUD

Credit card fraud costs issuers and cardholders hundreds of millions each year. Reducing or eliminating fraud is best addressed by pro-active measures including card verification, transaction authorization, and identity confirmation.

An approval code for a purchase does not mean a transaction is legitimate, and it doesn't mean you won't be hit with a chargeback. The approval code means the card is active and funds are available at the time. Far more important for verifying a card is the Address Verification Service (AVS) response code. You can get an AVS code for all online transactions from your payment gateway.

There are three characters in the AVS code. The first is generated from the cardholder's address, and the second is related to the ZIP code of the cardholder. The third character is used to verify the first two. An AVS code of YYY indicates that the address matches, the ZIP code is correct, and both the address and ZIP code match. If you receive an AVS response of NYZ, that means "no" on the address match, "yes" on the ZIP code match, and "Z" because only the ZIP code is correct.

If your company uses an online system for authorization such as authorize.net, you can configure your account to get the AVS response codes. Though most payment gateways will accept non-U.S. cards and can provide approvals for these, many of them can't provide the AVS response codes for cards from other countries.

USING THE BIN DATABASE:

A number of systems and programs will help prevent credit card fraud, but a BIN database is one of the most effective tools to reduce your financial risk. The Binbase.com database allows you to cross-reference details on individual cards, and to verify that the cardholder is legitimate. Each of our detailed records includes 11 different semicolon-delimited fields, including information to identify credit cards, debit cards, prepaid cards, and others. We have records in the database. There is no larger or more up-to-date BIN database available on the internet, and all of our 111,707 records are complete – none of our records are missing data fields. The database is regularly updated, and your license includes free updates.

BinBase.com REPORT: credit card fraud

This report is © 2011 BinBase.com and may not be reproduced or distributed without permission of the publisher. For more information, contact sales@binbase.com
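
The three-character AVS response described under AVOIDING CREDIT CARD FRAUD can be checked in code before an order ships. The following is an added example, not BinBase.com or payment-gateway code: it decodes the response, rejects one whose third character disagrees with the first two, and treats a missing response (as with many non-U.S. cards) as a reason for manual review. The third-character values A and N, the function names and the accept/review/decline policy are assumptions made for illustration.

```python
# Added example: decode the three-character AVS response and screen an order.
# Y and Z as third characters come from the report (YYY, NYZ); A (address only)
# and N (neither) are assumptions, as is the accept/review/decline policy.
SUMMARY = {(True, True): "Y", (False, True): "Z",
           (True, False): "A", (False, False): "N"}


class AVSFormatError(ValueError):
    """Raised when an AVS response is malformed or self-inconsistent."""


def parse_avs(code):
    """Return (address_ok, zip_ok) for a response such as 'YYY' or 'NYZ'."""
    if not isinstance(code, str):
        raise AVSFormatError("AVS response must be a string")
    code = code.strip().upper()
    if len(code) != 3 or code[0] not in "YN" or code[1] not in "YN":
        raise AVSFormatError(f"unrecognised AVS response: {code!r}")
    address_ok, zip_ok = code[0] == "Y", code[1] == "Y"
    # The third character must agree with the first two.
    if code[2] != SUMMARY[(address_ok, zip_ok)]:
        raise AVSFormatError(f"inconsistent AVS response: {code!r}")
    return address_ok, zip_ok


def screen_order(approved, avs_code):
    """Return 'accept', 'review' or 'decline' for a card-not-present order."""
    if not approved:
        return "decline"          # no authorization, nothing to ship
    if not avs_code:
        return "review"           # e.g. non-U.S. card, gateway returned no AVS
    try:
        address_ok, zip_ok = parse_avs(avs_code)
    except AVSFormatError:
        return "review"           # never auto-accept a response we cannot read
    if address_ok and zip_ok:
        return "accept"
    if address_ok or zip_ok:
        return "review"           # partial match: hold for manual check
    return "decline"


# Constructed sample orders: (order id, approved?, AVS response)
ORDERS = [("A-1001", True, "YYY"), ("A-1002", True, "NYZ"),
          ("A-1003", True, None), ("A-1004", True, "NYY"),
          ("A-1005", True, "NNN")]

if __name__ == "__main__":
    for order_id, approved, avs in ORDERS:
        print(order_id, avs, screen_order(approved, avs))
```

An approved authorization alone never yields "accept" here, which mirrors the report's point that an approval code only shows the card is active and funded at that moment.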
