Results of the seventh annual CyberSource Corporation (NASDAQ:CYBS) survey of eCommerce fraud, released today, show the burden of online fraud is falling squarely on the shoulders of the mid-to-large eCommerce merchant.
Key take-aways from this year's survey include:
- Dollar losses from eCommerce fraud continue to mount. Fraudsters will steal more than $2.8 billion from eCommerce in 2005, an 8% increase over the year before.
- Although the overall rate of fraud loss remains relatively constant at 1.6% of revenue, mid-to-large merchants are taking a pounding. Merchants selling $5-$25 million annually online saw fraud losses increase from 1.5% to 1.8% of revenue. Those selling over $25 million saw losses increase from 1.1% to 1.2% of revenue.
- International eCommerce continues to be a far higher risk, with order rejection and fraud rates about three times higher than the overall rate.
- Overall, smaller merchants, those with annual eCommerce revenues below $5 million, fared better this year, with lower fraud loss rates compared to 2004.
- All merchants are reviewing more orders manually. This increase is largely due to the growth of eCommerce, though over 75% say they are unable to add staff. Highest review rates remain in small business, where more than one of out four orders are manually examined. Mid-to-large merchants are forced to seek productivity gains - employing twice as many screening and automated decisioning tools as small businesses.
- Chargeback rates may understate actual fraud rates by as much as 50%.
Larger companies "in a challenging situation"
After several years of flat or declining fraud loss rates, mid-to-large merchants reported a reversal of that trend in 2005. For mid-sized merchants selling $5-$25 million online, average fraud losses increased from 1.5% of revenue in 2004 to 1.8% in 2005. Large online merchants selling over $25 million reported a slight increase from 1.1% to 1.2% of revenue.
The key problem facing larger merchants as they work to fight online fraud is the increasing volume of orders they must process each year combined with their reliance on time-consuming, labor intensive, manual review processes. Mid-sized merchants in the survey reported manually reviewing one-quarter of their orders this year, up from 21% in 2004. They did this with essentially the same staff levels as the year before. Forcing more orders through an already cumbersome manual review process is having a predictable impact - the percentage of orders accepted that ultimately turned out to be fraudulent went up in 2005, from 1.3% to 1.7% for mid-sized merchants.
"Merchants used to be able to just throw people at this problem," said Doug Schwegman, director of market and customer intelligence for CyberSource.
"But there's an inherent limitation to that solution. What merchants need today is greater efficiency, greater intelligence, even technology breakthroughs. The bad guys have put the larger merchants in a challenging situation."
The rate of manual review for the largest merchants did not grow from 2004 to 2005, holding at 15% both years, while their fraudulent order rate drifted up from 0.9% to 1.1%. "That does not translate to success for this class of merchants," said Schwegman. "The larger merchant needs to see this review rate drop every year, while driving fraudulent orders significantly below 1%. Reviewing 15% of orders is far too high when you consider the exploding volumes of the largest online merchants. With eCommerce growing more than 20%, merchants need to increase efficiency each year to keep pace."
Fraud tools used in 2005/2006
The different fraud challenges of small vs. larger-sized merchants are reflected in their demand for fraud screening tools and technologies. On average, mid-to-large sized merchants employ about two times as many tools as smaller merchants (averaging 6 tools vs. 3.5 tools respectively). Larger merchants are also twice as likely to install automated decisioning systems.
Two basic tools have gained majority adoption by merchants: Address Verification System (used by 75% of merchants), a check built-in to the payment authorization request that compares the address on file at the card issuer to the billing address provided by the cardholder; and, Card Verification Number (used by 66% of merchants), a check of additional digits printed on the card. Over half the merchants said they are currently using or intend to implement MasterCard's SecureCode or Visa's Verified by Visa payer authentication systems before year-end 2006.
International fraud still a problem
In keeping with earlier surveys, orders originating outside the U.S. or Canada tend to carry a far higher risk of fraud. Merchants that accept international orders say they decline 12.4% of them on suspicion of fraud, over three times the overall rejection rate of 3.9%. The portion of those international orders accepted that later turn out to be fraudulent is 2.4%, nearly two and a half times the overall rate of 1.0%.
The good news: smaller merchants see improvement
Smaller merchants, those with eCommerce revenues below $5 million, made progress in the 2005 survey. Their total estimate of fraud loss came down from 2.1% to 1.6% of revenue and from 1.4% to 0.9% of orders.
"Chargebacks" may understate actual fraud loss
Traditionally, fraud losses are reported based on fraud-coded "chargebacks" - the value of charges reversed by the issuing banks based on disputes initiated by cardholders claiming unauthorized charges against their accounts. This metric may only be capturing a portion of actual fraud losses.
The seventh annual fraud survey asked merchants to count not only orders that were identified by the banks as fraudulent, but also to specify any charges merchants reversed as a result of calls directly from the cardholders to the merchants claiming fraudulent use of their cards.
According to the survey, bank-identified fraud chargebacks accounted for less than half (37%) of total fraudulent orders.