Combating Card Fraud

May 17, 2016

Payment card fraud results in billions of dollars in losses for financial institutions and cardholders every year, and the tactics used to commit card fraud are constantly evolving. As the number of payment cards used worldwide continues to grow, so do the overall fraud rates.

Every Information Security Officer knows that there is no way to avoid fraud completely, unless all transactions are blocked; of course, if there is no business, there can be no fraud. The correct strategy for dealing with fraud, however, involves finding ways to prevent fraudulent activities in the first place while letting the business run as usual. An appropriate balance has to be found between the amount invested in fraud prevention measures and the expected reduction in fraud-related losses.

Statistics reveal that most market players only begin investing resources in combating fraud after a significant case of fraud occurs. We, in contrast, aim to create a highly efficient and flexible environment that will enable us to take a proactive approach to threats and prevent most cases of fraud before they even occur.

So what does a competitive solution for combating card fraud entail?

In order to successfully combat card fraud, multiple measures must be implemented across various functional levels. This can be achieved with the following tools:

  • Card payment systems’ fraud control services

Card payment systems provide tools for combating fraud, including:

  • RIS (Risk Identification Service by Visa) – A merchant- and member-level fraud monitoring programme that identifies merchants and members with unusual levels of fraud activity and sends appropriate notifications with remediation information to participants.
  • SAFE (System to Avoid Fraud Effectively by MasterCard) – This is a central repository for fraud data at MasterCard. Based on data collected from members, SAFE generates reports for both issuers and acquirers.
  • CRB (Card Recovery Bulletin) – A register of stolen, lost, past due, over-limit or counterfeit payment cards, updated by Visa and MasterCard. This information is used by merchants to identify suspicious card transactions.

In addition to the tools listed above, card payment systems also offer other services that address different aspects of fraud prevention.

  • EMV technology

Smart cards (also known as IC or chip cards) are standard in card production today. They provide highly efficient safeguards against card counterfeiting and theft of cardholder data. The Quipu Card Personalisation Centre is equipped with production facilities that fully comply with the highest level of security industry standards (PCI Card Production).

  • 3D Secure technology

Also known as Verified by Visa or MasterCard SecureCode, this technology targets online transactions and includes tools to ensure that purchases can be made securely. Quipu Processing Centre supports this technology both as an issuer and as an acquirer (e-commerce).

  • Cardholder and merchant education

Making sure that each party to a transaction (the cardholder and the merchant) is equipped with all the necessary information has proved to be an effective way of reducing levels of card fraud at financial institutions. Customers who know what to do if a card is lost or compromised and merchants who know how to identify a fraudster can make significant contributions to preventing fraud. This knowledge plays an important part in any anti-fraud strategy.

  • Authorisation management strategy

The figures associated with potential cases of fraud are directly affected by the strictness of the control mechanisms incorporated into the authorisation system. The system’s degree of restrictiveness can be defined by adjusting various transaction parameters, such as the type of terminal accepting the card, presence of CVV or CVV2 in the transaction, transaction amount, chip vs magnetic stripe vs fallback transactions, etc.

One approach to setting up an authorisation system is to restrict high-risk transaction types as far as possible. This will minimise losses related to cases of fraud, but will also negatively affect the business model, as many legitimate transactions will also be blocked. The opposite approach would be to allow a wide range of transactions. While having a positive effect on the business model, this approach also entails more risk, as there are fewer restrictions incorporated into the authorisation system. This approach therefore requires more precise monitoring of transaction flow.

The task of the person responsible for combating fraud (e.g. the fraud manager) is to establish the proper balance of control mechanisms in line with the financial institution’s risk appetite. Quipu Processing Centre provides flexible tools for doing just that: TranzWare Online is an online transaction processing tool and TranzWare Fraud Analyzer is a fraud monitoring platform.

  • Account activity monitoring (fraud monitoring)

As mentioned above, the transaction-monitoring process is vital for effectively combating fraud, especially in cases where the financial institution needs to maintain a certain degree of flexibility in its authorisation management strategy. The TranzWare Fraud Analyzer used by Quipu Processing Centre was initially configured based on card payment systems’ recommendations and is continuously updated with new rules and algorithms developed in response to new fraud tactics. Remember, continuous fraud monitoring is required by Visa and MasterCard; in fact, the companies monitor the efficiency of anti-fraud measures at financial institutions based on their own data and even impose penalties if such processes are not properly implemented.

The items listed above are significant components of the overall mechanism, but they do not represent the ultimate piece in the complex puzzle that is fraud prevention. We would now like to shift the focus to TranzWare Fraud Analyzer, which is specifically dedicated to combating card fraud and incorporates highly effective and comprehensive anti-fraud tools.

Different technical approaches to fraud monitoring

There are two different approaches on the market used in fraud monitoring systems. They are usually referred to as the “pre-authorisation” and “post-authorisation” methods.

Pre-authorisation systems perform an analysis of transactions in real time during the transaction authorisation process. The obvious advantage of this method is that the fraud check is performed before the transaction is authorised, which means that the decision of whether to allow the transaction is taken immediately, i.e. before any potential fraud actions can occur. There are, of course, certain limitations involved, the most significant being that the time allotted for authorisation does not allow for a highly complex online analysis of each transaction.

Post-authorisation systems perform checks on the transaction after it has already been authorised. This model devotes significantly more time and resources to more intelligent and extensive analyses of particular transactions. The analysis checks the parameters of the parties involved in the transaction and evaluates the history of all transactions performed, going back as far as is considered necessary. In comparison to pre-authorisation systems, the obvious disadvantage with this method is that the initial transaction has to take place before it can be subjected to fraud analysis. Systems using post-authorisation do, however, perform certain automated actions, like blocking cards or terminals, and in this way prevent further attempts at fraudulent activity.

Quipu combines the best aspects of both methods: the online transaction processing software (TranzWare Online), with its “algorithmix” module, performs pre-authorisation security checks of transactions, while the powerful fraud monitoring tool (TranzWare Fraud Analyzer) performs in-depth analysis in post-authorisation mode (the quasi-online mode, where the checks are performed within several minutes of the transactions). With this dual approach, the check performed by the algorithmix module in the online system blocks specific suspicious transactions before they take place, while TranzWare Fraud Analyzer performs more advanced analysis and executes automated actions after transactions are uploaded into its database.

How does the Fraud Analyzer system work?

The TranzWare Fraud Analyzer database contains data received from authorisation and back-office systems. As a result, it provides all the information necessary for analysing every aspect of the transactions under review. As described above, data are uploaded into the database in quasi-online mode and according to predefined schedules, meaning that authorisation system information can be uploaded within a few minutes at the most. After this process is completed, transactions are analysed according to the rules defined in the TranzWare Fraud Analyzer.

TranzWare Fraud Analyzer employs two methods of analysis: object activity analysis (cards, merchants, etc.) and transaction flow analysis.

Object activity analysis compares retrieved transaction data with pre-defined limit values. Based on the results of these checks, the system generates security alerts. During limit checks, the system also collects statistical data, which in turn enables the identification of unusual/suspicious behaviour compared with the statistical norm.

Transaction flow analysis allows for the configuration of specific transaction flow patterns with attributes that are indicative of potential fraud scenarios. This is achieved with the algorithm designer module, a visual tool within the TranzWare Fraud Analyzer that incorporates a block and schematic diagram approach together with an object-oriented programming language. Any transaction parameter can serve as such an attribute, for example the amount, period between transactions, country of origin, merchant category code, response from issuer, type of terminal, card present/absent and many others. A sequence of preceding transactions can be restored and all parameters can be checked and compared within the algorithm scenario. The algorithm designer also provides the option of configuring specific automatic actions based on the results of the transaction flow check, such as executing a command to block a card in the authorisation system.

In addition to transaction analysis, TranzWare Fraud Analyzer provides bank employees with powerful tools and a work environment for managing fraud investigations. As mentioned above, TranzWare Fraud Analyzer combines data from all systems in one centralised database, allowing for comprehensive analysis of the interconnection between different parties to a transaction. The workspace offers planning tools for subsequent activities, such as chargebacks, and serves as the centralised storage area for the accompanying documentation.

Every contribution makes a difference

Achieving the best results in combating fraud requires a well-thought-out, multipronged approach and the involvement of various parties. When discussing fraud monitoring systems, like the TranzWare Fraud Analyzer, it should be remembered that fraud prevention staff play a crucial role in the analytical process. While the fraud monitoring system detects potentially fraudulent operations, it is the Information Security Officer’s job as the operator of the system to use this data to make informed decisions about specific fraud cases. In this context, staff charged with fraud prevention duties must continuously monitor activities. Moreover, fraud monitoring system rules can be adjusted and new fraud patterns programmed for the transaction flow check based on feedback provided by staff.

By applying the right approach, fraud monitoring systems and the other methods described above can provide a real opportunity to stay one step ahead of the fraudsters by continuously enhancing functionality in line with market trends and best practices.