
A Multifaceted Approach to Fraud Prevention

Fraud is serious business. A recent report from PwC stated that hacking attacks overall are costing UK businesses at least £10bn a year. Fraud reduces customer confidence and brand integrity. Merchants, however, can fight back by taking measures to limit fraud exposure from the outset. How? By implementing comprehensive fraud and risk management programmes to prevent fraud before it occurs.

Identifying areas of vulnerability

The first step is to fully understand the exposure to fraud across all payment and loyalty infrastructures within the business. Technology used to combat card fraud is varied and constantly evolves to deal with increasingly innovative attacks by fraudsters looking for new ways to exploit businesses and their customers alike.

While fraudsters may initially be selective in where they look to strike, fraud is a multichannel issue and can occur throughout the business - be that in store, online, call centre or internal. Fraudsters are opportunistic and will strike wherever there are vulnerabilities.

Typically, merchants need to protect themselves across three areas: card data fraud, identity fraud and internal fraud. This is where fraud screening and prevention suppliers come in, as each business is different and requires different levels of fraud screening and protection. Manual security processes and procedures are also needed in some circumstances. Merchants should be compliant with industry best practice initiatives to detect and prevent fraud.

Card data fraud often occurs on eCommerce sites or via call centres where the cardholder is not present during a transaction. To identify and prevent fraudulent transactions, merchants can route transactions to specialist fraud service providers who can offer different types and levels of fraud screening across multichannel environments. These services will allow legitimate clients to transact seamlessly while fraudsters are identified and rejected prior to payment authorisation.

Fraud prevention services use a variety of methods to verify and authenticate cardholders. Fraud detection rules and pattern detection engines can be set up specific to an organisation’s business processes or industry, and advanced artificial intelligence models can be used to detect behaviours and patterns that can indicate fraud is likely to occur.

For example, using a process called geolocation, fraud specialists can automatically check whether the same card is being used in different parts of the globe. This is done by identifying an Internet Protocol (IP) address, a numerical label which is assigned to different processes in a computer network, and comparing it to the street address of the card transaction, so that transactions carried out close together in time from diverse locations would be flagged to the merchant as a potential problem. A technique called device recognition, commonly referred to as device fingerprinting because of its similarity with the human equivalent, also allows fraud specialists to uniquely identify and track a payment device, so that a positive or negative history can be developed for its online activity.
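The geolocation check described above can be sketched as two screening rules: an IP country that differs from the billing address country, and the same card appearing in two places faster than anyone could travel between them. This is an added example, not code from the article or from any fraud screening product; the `Txn` fields, the thresholds and the sample data are assumptions, and the IP-to-location lookup is assumed to have been done upstream.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0    # assumed threshold, roughly airliner cruising speed
MIN_KM = 50.0      # assumed tolerance for coarse IP geolocation

@dataclass
class Txn:
    card: str             # tokenised card reference, never the card number
    when: datetime
    ip_country: str       # result of an upstream IP geolocation lookup
    lat: float
    lon: float
    billing_country: str  # country of the cardholder's street address

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))

def screen(txns):
    """Return (index, reason) flags, evaluated in time order."""
    flags, last_seen = [], {}
    for i, t in sorted(enumerate(txns), key=lambda p: p[1].when):
        if t.ip_country != t.billing_country:
            flags.append((i, "ip_billing_mismatch"))
        prev = last_seen.get(t.card)
        if prev is not None:
            hours = (t.when - prev.when).total_seconds() / 3600
            dist = km_between(prev, t)
            # Comparing distance to speed * time avoids dividing by zero
            # when two transactions carry the same timestamp.
            if dist > MIN_KM and dist > MAX_KMH * hours:
                flags.append((i, "impossible_travel"))
        last_seen[t.card] = t
    return flags

# Constructed sample transactions (not real data).
SAMPLE = [
    Txn("tok_A", datetime(2024, 5, 1, 9, 0), "GB", 51.51, -0.13, "GB"),
    Txn("tok_A", datetime(2024, 5, 1, 9, 40), "SG", 1.35, 103.82, "GB"),
    Txn("tok_B", datetime(2024, 5, 1, 10, 0), "GB", 53.48, -2.24, "GB"),
    Txn("tok_B", datetime(2024, 5, 1, 18, 0), "GB", 55.95, -3.19, "GB"),
]
```

Calling `screen(SAMPLE)` flags only the second `tok_A` transaction, for both reasons; the two `tok_B` transactions are eight hours apart within the same country and pass.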

Checking for inconsistencies

Another area of prevention is identity fraud. An identity check can identify developed identities, impersonation or other high-risk conditions pertaining to identity fraud. An obvious discrepancy would be if, for example, the date of birth specified in an online purchase does not match the data which has been sent to an information services company such as Experian, as in the case of an underage youth trying to use a parent’s credit card to transact online. Many people aren’t aware that these checks take place.

Special fraud detection technologies can also look at behavioural patterns to detect potential fraud. If a cardholder typically buys a month’s worth of shopping, such as groceries, then suddenly buys several high-value items, like electrical goods, a car, and concert tickets, this too can be flagged as potentially fraudulent until these purchases have been verified with the cardholder.

Information services companies have to physically match data for a transaction to be put through. For example, just because someone has a ‘credit footprint’ doesn’t necessarily mean that they are 18 years old. A 17-year-old can register on the full electoral roll, so it would be ineffective to assume that because they are registered they are over 18. This is a method which is used by many data resellers and is not 100 per cent accurate.

There are many other methods that are used to detect identity fraud which include accessing information in the Credit Application Previous Search (CAPS) file and the Mortality File, which contains up-to-date data on the recently deceased.

Internal Fraud

The third and perhaps most sensitive area that merchants should protect themselves against is internal fraud. Retrospective to each payment or loyalty transaction, data is screened using client- and sector-specific rules to determine whether any unusual activity has occurred. This can highlight internal fraud including collusion between employees, sweetheart fraud and abuse of staff discount and loyalty cards.

These services look for behavioural patterns that could indicate internal fraud. One such pattern is the same loyalty card being applied to multiple transactions, which could indicate that an employee is collecting loyalty points for themselves rather than applying them to the legitimate customer. Specialist services can also identify stock shrinkage for loss prevention. In what is termed ‘sweetheart’ fraud, for example, a customer whose husband works on a certain till every Thursday night can do their weekly shopping while the husband doesn’t put every purchase through the till. This service identifies and investigates reasons for stock shrinkage and is often linked to CCTV services.
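The loyalty card pattern described above can be expressed as a retrospective rule over till records: one loyalty card credited on many baskets in a day, paid for by several different customers, mostly at one operator's till. This is an added example, not code from the article or from any vendor; the record layout, threshold values and sample data are assumptions.

```python
from collections import Counter, defaultdict

def loyalty_abuse(records, min_uses=4, min_payers=3, operator_share=0.8):
    """Screen till records after the fact for loyalty-point harvesting.

    records: (day, operator_id, loyalty_card, payment_token) tuples.
    A loyalty card is flagged for a day when it was applied to at least
    min_uses transactions, paid for by at least min_payers different
    payment cards, with one till operator ringing up at least
    operator_share of them. All three thresholds are assumed values that
    would be tuned per client and sector.
    """
    uses_by_card = defaultdict(list)
    for day, operator, loyalty, payer in records:
        uses_by_card[(day, loyalty)].append((operator, payer))

    findings = []
    for (day, loyalty), uses in sorted(uses_by_card.items()):
        payers = {payer for _, payer in uses}
        top_operator, top_count = Counter(
            operator for operator, _ in uses).most_common(1)[0]
        if (len(uses) >= min_uses and len(payers) >= min_payers
                and top_count / len(uses) >= operator_share):
            findings.append((day, loyalty, top_operator, len(uses)))
    return findings

# Constructed till records (not real data).
SAMPLE = (
    # One operator applies card L100 to five different customers' baskets.
    [("2024-05-02", "op17", "L100", f"pay{n}") for n in range(5)]
    # A customer shopping four times with their own card: same payer.
    + [("2024-05-02", f"op{n}", "L200", "pay90") for n in range(4)]
    # A card shared by a household, seen at four different tills.
    + [("2024-05-02", f"op{n}", "L300", f"pay{60 + n}") for n in range(4)]
)
```

With the default thresholds only `L100` is reported, together with the operator who rang up the transactions, which gives an investigator a starting point rather than a verdict.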

People and processes

Merchants should also ensure their employees are aware of fraud prevention processes. These processes should be continually monitored, reviewed and checked to confirm that they are working in a positive way for the business, reducing false positives and ensuring good customers are able to get their goods and services without having their buying experience lengthened or tarnished.

Simple checks that are part of general security awareness training are crucial. This includes straightforward checks that the person standing at the till is the same gender as on the card. If the card says Mr Smith and a female is purchasing goods, the cardholder should be challenged.

Merchants should also be aware that some security processes can be made more efficient by automation, saving the merchant time and money. This could include ‘review’ queues in call centres that could instead be handled by specific automated fraud prevention rules implemented by fraud prevention specialists.

Industry initiatives

Merchants should also be using industry initiatives such as 3-D Secure and CV2 checking. Some of these initiatives are mandated for certain transactions and therefore may offer both preferential merchant service charges and liability shift (shifting the liability and cost of the transaction/chargeback away from the merchant and onto the card issuer).

A merchant must also ensure they are using either a PCI compliant PSP and/or are PCI compliant themselves. The PCI standard is global and very well recognised; any merchant willing to take the risk of not adhering to PCI compliance and the associated best practice and guidelines is unlikely to retain customers if a security breach occurs.

And, while there are many solutions available that are designed to tackle fraud, many of these are point products and will only address certain areas of vulnerability. In order to fully assess exposure across a business, organisations should look to experts who can draw experience from a wide range of sources and have experience working within multichannel environments.

Preventing fraudulent activity before it happens is an organisation’s best first defence and there are many different technologies and solutions that can help. Unfortunately, however, even when an organisation employs fraud screening services, follows best practice guidelines and complies with industry and payment card directives designed to protect organisations and cardholders against fraudulent activity, fraudsters still get through. Organisations therefore must also have processes and procedures in place to protect their infrastructure against attacks as they happen, should they happen.

 
