Feature Articles
Every month, visit Card Not Present.com for a new full-length feature article produced by our staff examining issues of interest to our readers. If you think there is a subject of importance to your business, let us know at info@cardnotpresent.com.
Articles:
Moving Beyond the Device: Three-part Executive Summary
Part III
Optional Language Choice: Spanish 
| French 
Device Identification—an online fraud prevention tool that only recently has begun to gain mainstream acceptance—establishes a unique ID for a device attempting to access a Website. Devices are assigned tokens that can be tracked across multiple user transactions, providing a unique identifier that makes it possible to differentiate one entity from all the other entities accessing the site. A new white paper from Sarasota, Fla.-based e-commerce payments consultancy The Fraud Practice describes methods required to integrate Device Identification into an overall fraud solution. CardNotPresent.com will offer an executive summary of the detailed document in three parts. Today: Part III.
Three Logical Areas for Device ID Integration
Because device identification is just one tool within your overall solution, it’s important to understand the methods you can employ to move beyond the device. There are three logical areas to employ Device Identification within your overall fraud solution: authentication, profiling and blocking.
Read the full article...
Moving Beyond the Device: Three-part Executive Summary
Optional Language Choice: Spanish | French
Part II
Device Identification—an online fraud prevention tool that only recently has begun to gain mainstream acceptance—establishes a unique ID for a device attempting to access a Website. Devices are assigned tokens that can be tracked across multiple user transactions, providing a unique identifier that makes it possible to differentiate one entity from all the other entities accessing the site. A new white paper from Sarasota, Fla.-based e-commerce payments consultancy The Fraud Practice describes methods required to integrate Device Identification into an overall fraud solution. CardNotPresent.com will offer an executive summary of the detailed document in three parts. Today: Part II.
The Limitations of Device Identification
The technology behind Device Identification is by no means fool-proof. No fraud prevention technology is.
Device Identification’s strength lies in detecting patterns after repeat visits. It provides limited-to-no-value when it comes to fraud prevention for true first-time consumers. The method simply provides a unique token ID for that user. There will be no way of knowing whether or not the user is trustworthy.
Read the full article here...
Moving Beyond the Device: Three-part Executive Summary
Optional Language Choice: Spanish | French
Part I
Device Identification—an online fraud prevention tool that only recently has begun to gain mainstream acceptance—establishes a unique ID for a device attempting to access a Website. Devices are assigned tokens that can be tracked across multiple user transactions, providing a unique identifier that makes it possible to differentiate one entity from all the other entities accessing the site. A new white paper from Sarasota, Fla.-based e-commerce payments consultancy The Fraud Practice describes methods required to integrate Device Identification into an overall fraud solution. CardNotPresent.com will offer an executive summary of the detailed document in three parts. Today: Part I.
Overview of Device Identification
Device Identification—also known as device authentication, device fingerprinting and device ID—is a technique used to establish a “fingerprint” of a user’s computer or other web access device in order to track their activity and determine linkages between other devices. Device Identification has grown into a very sophisticated science, with active and passive versions, both of which have the ability to be deployed so that they are completely transparent to the end user.
Read the full article...
ThreatMetrix: Fighting Fraud with Device Identification
Optional Language Choice: Spanish | French
The roots of Los Altos, Calif.-based fraud prevention company ThreatMetrix were planted nearly 7,500 miles across the Pacific Ocean from Silicon Valley. The company’s story began in 2005 not with e-commerce, but with a project for the Australian government to stop and prosecute email spammers.
"We were tracking botnets, so we built aggregated intelligence to essentially have a credit score for an IP address," says Alisdair Faulkner, chief products officer for ThreatMetrix.
When the ThreatMetrix team concluded its public service and was looking to translate its aggregated intelligence technology to the private sector, still the founders did not consider fraud prevention at the top of their list.
"We were exploring different markets and the original intention was to look at security and integrate that intelligence in firewalls and appliances," says Faulkner.
How Fighting Spam Informs Fraud Prevention
What Faulkner, who previously had founded a networking technology company that prioritized packets in applications over networks providing real time response, and co-founder David Jones, whose experience was in email filtering, realized was the current methods being used to screen for anything—new account origination, money transfer or online credit card transactions—were not taking basic security intelligence into account.
Read the full article...
Special Feature: Post-Durbin Winners and Losers
Optional Language Choice: Spanish | French
With the Durbin Amendment to the Dodd-Frank Act slated to go into effect on Oct. 1, how the interchange caps and transaction routing rules will affect all the players is still an open question. Wells Fargo has announced it will begin testing a $3 monthly fee for customers that use debit cards to make purchases in an effort to recoup some of the revenue it expects to lose starting in October. That move and Visa’s recent announcement that it will modify its fee structure are clear signs of the scramble taking place in a post-Durbin world.
In an effort to sort out the winners and losers, Boston-based Aite Group looked at the payments landscape and what all the players can expect after D-Day. In short, says Madeline Aufseeser, senior analyst at Aite Group, merchants will gain the upper hand at the expense of the big banks and the card networks.
Read the full article...
Think Locally, Act Globally
Optional Language Choice: Spanish | French
Peter Caparso, president of the North American unit of Dutch e-commerce payments processor Adyen, has some advice for merchants when dealing with their processor: don’t put yourself in a multi-year deal and always be dealing with more than one processor. It may be counterproductive for Caparso if his clients take his suggestions to heart, but, from a merchant’s perspective, he says, it’s the right thing to do.
“All your readers should give me their business,” he laughs, “but always be in contact with a second payments provider. As a business owner that’s how you give yourself the best chance to succeed.”
Adyen grew out of Bibit, another Dutch payments company formed in the late 1990s that had been acquired by RBS WorldPay in 2004. In 2006, Caparso, who had been with RBS WorldPay as the head of its CNP division in the U.S., ran into some of the former Bibit founders who had left the merged company.
The chance meeting lasted much longer than expected and Adyen was born. Having had access to high-level merchants in his position with RBS, Caparso was privy to their pain points and to what they wanted to see. Going with Adyen, he saw, was the right thing to do.
Read the full article...
Fraud Management Solutions, Buy Versus Build, a Case Study
Optional Language Choice: Spanish | French
"Building a fraud solution in-house is not for the faint of heart, it requires a lot of time, resources, money and experience in fraud management."
There has been a lot of change in CNP fraud management over the past 15 years but today, just as with the early pioneers in e-commerce, whether to buy or build a fraud management solution is still a question we are asked to consider by some of our clients. While the types and volume of fraud attacks have grown over the years, so have the number of fraud solution providers and techniques for combating fraud. Today merchants have a plethora of choices--end-to–end solutions as well as strong niche fraud tools--so why would anyone still want to consider building their own fraud solution?
To be clear, when I talk about building a fraud solution I am not simply referring to hard coding some rules into the back end of an e-commerce system. I am talking about building out the infrastructure for a fraud mitigation program, which, for starters, means being able to write rules dynamically, manage rules, maintain lists, run velocities, scorecards, perform manual reviews, manage data, perform reconciliation and connect to third-party data sources. Building a fraud solution in house is not for the faint of heart. It requires a lot of time, resources, money and experience in fraud management. It is very rare when the business environment, business case and available resources to accomplish the task are aligned to make this a viable option. The fact is, I have seen some very large and technologically sophisticated organizations struggle, and in some cases abandon, their efforts to build in house.
Read the full article...
Digital River Puts Wealth of E-Commerce Experience to Work
Optional Language Choice: Spanish | French
Between operating thousands of e-commerce sites globally—many for top brands including Microsoft, Adobe, Electronic Arts and Kodak—and as a pioneer in selling digital software products online, Minnesota-based Digital River, Inc. has access to a wealth of data and knowledge. As the company has expanded organically, via acquisitions and by adding clients, it is leveraging that trove of data to extend its payment and fraud prevention services through its new World Payments solution, and has made them available to online merchants on a standalone basis.
According to Paul Bridgewater, vice president of World Payments, the payments experience of managing tens of thousands Web stores around the world has enabled Digital River to understand, “based upon the demographic of the consumer and the types of products being sold by merchants, what payment options matter and how those payment options should be formatted and presented to consumers in the checkout experience.”
Bridgewater notes the knowledge accrued operating e-commerce sites since its launch in 1994 has provided the company the basis to develop template payment pages that merchants can experiment with to find the ones that are most effective. The templates, which are deployed by the merchants themselves in the World Payments command console, represent Digital River’s own “best practices” for payments pages on their e-commerce sites.
Bridgewater says Digital River’s payment programs are all designed to grow revenue.
Read the full article...
Accertify Leverages American Express’s Global Reach
Optional Language Choice: Spanish | French
Accertify’s anti-fraud solution is relied on by some of the largest U.S.-based and global brands to manage card-not-present and other types of risk. Last fall, following several years of growth, the company was acquired by American Express. Accertify co-founder and CEO Jeff Liesendahl says in 2011 the company will concentrate on global expansion of its fraud prevention platform and promoting its new chargeback management service.
Origins
A decade ago, Liesendahl and the rest of the management team of the online travel startup Orbitz were struggling with how to address fraud in an industry where individual transaction value is high and margins are miniscule.
Liesendahl and other Accertify founders were dissatisfied with commercially available fraud solutions at the time, which they believed failed to address many parts of the screening, review and other processes that were necessary for stopping fraudsters.
The Orbitz team looked at all the data they had as merchants—generated internally and externally—and built an end-to-end system from scratch that was more comprehensive, data-driven, automated and capable of evolving as fraud scams did. The system successfully solved Orbitz’s fraud problem and provided a springboard for the platform Liesendahl and his team later created at Accertify.
Read the full article...
Kount 'Quietly Doing the Laundry'
Optional Language Choice: Spanish | French
Steve Rouse, chief operating officer of Kount, bills the Boise, Idaho anti-fraud software provider for e-commerce merchants as a four-year-old company “with about 13 years of experience.” The company that evolved into Kount actually began as one of the merchants it now serves, Rouse explains. In the late 1990s, Rouse and the team at Kount operated an online business that sold e-books and software called ClickBank. It got into fraud prevention simply as a way to address its own needs as a merchant.
“We quickly figured out as an online business that you have to have fraud protection, so we invented some technologies that really underpin the fraud protection business today like device fingerprinting and proxy piercing,” Rouse says. “Those are technologies we invented and patented to protect our own merchant business.”
Rouse says it became quickly apparent that the anti-fraud technologies patented by ClickBank could sustain a separate business. But, the company instead decided to sell some of its technology. It reacquired the patents and rode out a seven-year non-compete before launching Kount four years ago.
Read the full article...
CNP Meets Brick-and-Mortar with AisleBuyer
Optional Language Choice: Spanish | French
Standing in an aisle at Best Buy two years ago, Andrew Paradise was stumped. The self-described “techno dork,” who had built and recently sold a business in the image recognition and online advertising space, couldn’t decide between two nearly identical memory cards he had been shopping for. So, he fell back on a trusted piece of technology: he whipped out his iPhone and Googled the cards to compare their features as he stood in front of them at the store.
Paradise, whose background in addition to deep programming experience includes time in venture capital, was struck by an idea. As smartphones gain a toehold with consumers (30 percent penetration right now, estimated to increase to 50 percent by yearend, he says) is there a way to incorporate the online and offline shopping experiences so that a retailer doesn’t lose engagement with consumers even while they’re in the store?
Read the full article...
The CNP Spotlight – Retail Decisions
Optional Language Choice: Spanish | French
Long before the Internet existed as the e-commerce behemoth it has become, Retail Decisions (ReD) and its forebears were screening card-not-present transactions for fraud. The international fraud prevention group, which has grown to include payment processing in addition to providing custom CNP anti-fraud software for clients around the globe, grew out of two separate firms on either side of the Atlantic Ocean.
Nearly a quarter century ago, a U.S. company called Transaction Billing Services was one of the first to focus on screening CNP transactions for fraud when it began serving telecommunications companies that had introduced calling card services for travelers.
"If you were going to make a phone call from a hotel you probably didn't want to use the hotel phone directly because the rack rate was so expensive, so you used an international calling card service such as 1-800-CALL-ATT, which gave you lower rates," said Carl Clump, CEO of Retail Decisions.
Users of these services called the 800-number and were prompted to give credit card details, which Transaction Billing Services grabbed and screened against the data available at the time. "That was, of course, a CNP transaction all those years ago before people were ever thinking about online," Clump remembers.
Read the full article...
Secure Remote Payment Council Finishes Year One
Optional Language Choice: Spanish | French
In August 2009—just a few months after Visa announced that its total U.S. debit volume had surpassed credit for the first time—a small group of payments professionals began discussing the problems inherent in accepting debit payments for card-not-present purchases made via the Internet and mobile device. Would security concerns derail the apparent match made in heaven between the most popular payment method and the fastest growing retail environment in the United States? The small group, which would become the Secure Remote Payments Council (SRPc), aimed to make sure that didn’t happen.
First, however, the group would have to be inclusive in a way that other associations dealing with e-commerce and m-commerce payments hadn’t, according to payments consultant Paul Turgeon, one of the SRPc’s founding members.
Read the full article...
PCI and Tokenization: Are Either the Answer for E-Commerce Merchants?
Optional Language Choice: Spanish | French
E-commerce merchants spend an ever-increasing amount of time and resources trying to protect the payment card data of their customers. Compliance with the Payment Card Industry Data Security Standards (PCI-DSS) and tokenization are two arrows in the quiver of just about every merchant when it comes to ensuring their customers can pay for goods or services without fear of having their personal information stolen. According to one consultant’s estimate, nearly a third of consumers affected by the breach of a merchant’s systems will terminate their relationship with that merchant.
So are PCI compliance and tokenization serving the purpose for which they are designed? Are they worth the resources being expended on them? Increasingly, in the case of PCI compliance, the answer seems to be no. For tokenization, the benefits are clearer, but the process comes with its own set of challenges. Regardless of the strategies they choose to employ to secure data, merchants must remember why it’s vital in the first place: to preserve their brand.
Read the full article...
Protecting Customer Data from Internal and External Threats
Optional Language Choice: Spanish | French
Data breaches affecting merchants and financial institutions can have damaging and far reaching implications if not handled properly. And, it is becoming a growing certainty that nearly every business will face the problem. According to the 2009 Ponemon Institute U.S. Cost of a Data Breach study, approximately 85 percent of businesses have experienced a data breach, up from 60 percent in the 2008 study. In other words, the chance your business’ data security will be compromised is overwhelming, and it’s getting even more likely as time passes.
Read the full article...
Does Durbin’s Debit Deal Really Help CNP Merchants?
Optional Language Choice: Spanish | French
In the past three months, retailers have won significant victories in the area of interchange legislation, but forgive card-not-present merchants if they still feel a bit left out in the cold.
While the Durbin Amendment of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 promises some relief to the seemingly endless escalation of the fees paid by merchants on payment card transactions, for now the savings will be restricted to when shoppers pull out their debit cards. Legislative efforts abroad have concentrated on debit as well, but consumers continue to choose credit cards to purchase goods and services in CNP environments, especially online, due to the perception that protections are weaker for debit cards in the event the account information is compromised.
But, while the Durbin Amendment clearly benefits card-present merchants to a greater degree, there are certainly ways CNP merchants can leverage the new law’s provisions to decrease their interchange burden. Also, a recent settlement between MasterCard and Visa and the Department of Justice will give retailers additional ways to take advantage of payment methods that cost less per transaction. Most importantly, lobbying efforts continue on behalf of legislation that will go beyond debit and address interchange rates applied to credit card transactions.
Read the full article...
Reducing Chargebacks through Effective Billing Descriptors
Optional Language Choice: Spanish | French
For Card Not Present merchants, the descriptor they use to identify the charge is vital because a consumer can’t always connect in his mind a product he received in the mail (from a merchant he may not remember) with the words on the page in front of him. Often, this confusion leads to the initiation of a chargeback dispute. In most of those cases, the consumer actually did make the purchase but sincerely does not recognize the charge on the bill. The confusion is frequently genuine and completely unnecessary.
Read the full article...
Is My Business Generating Enough Chargebacks?
Optional Language Choice: Spanish | French
For CNP merchants, chargebacks are generally seen as an unfortunate cost of doing business. Whether a dispute is fraudulent or sincere, if a consumer initiates a chargeback it costs businesses time and money. The energy and expense devoted to avoiding and reducing chargebacks is evident and necessary. But a question businesses operating in the CNP space also must consider is: Are my chargebacks high enough?
Growing businesses that are under the limits set by the card networks may want to take more chances to increase their orders lest they leave money on the table.
Read the full article...