Products and Tools
A number of products let you perform more in-depth inspections of online transactions for fraudulent activity. These tools use some of the techniques we've discussed and add another layer of transaction risk assessment.
An AVS (address verification system) often is a key weapon in an online merchant's fraud-protection plan. This service is generally provided free by credit-card processors as part of the credit-card-verification process.
An AVS cross-checks the billing address submitted by the customer with the address on record with the card issuer and returns a code indicating the validity of the address. AVS is available in the United Kingdom, the United States, Germany, Austria, Switzerland and a few other countries.
However, though an AVS can be beneficial in stopping some fraudulent activity, it won't catch all of it: More often than not, the credit-card thief has both the credit-card number and the billing address.
Rules-based systems compare each credit-card transaction with a set of rules before the charge can be approved. Based on the rules, the system can send a response ranging from approving the charge to denying the charge to forcing a manual review of the transaction.
Rules can be as simple as "if the credit card number is in the 'bad' list, deny the transaction." Or they can be complicated business logic rules that determine the risk associated with the transaction based on the order, such as "if the order contains more than three of an item with a cost of more than $500, then review the transaction."
A rules-based system is, essentially, an expert system. This type of system can be coded manually, though updates and additions will grow increasingly difficult over time and possibly become cost prohibitive. Of course, the system is only as good as the rules it is programmed to use. The merchant must determine what constitutes fraud and configure the system to recognize those situations.
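The two rules quoted above, written as an added example (not code from the original article or from any vendor's product): a small Python rules engine that runs every rule and lets the most severe outcome win, so a denied card is never downgraded to a review. The names `Decision`, `Transaction`, `evaluate`, the keyed-hash form of the 'bad' list and the sample card numbers are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
import hashlib
import hmac

class Decision(IntEnum):          # ordered so the most severe outcome wins
    APPROVE = 0
    REVIEW = 1
    DENY = 2

@dataclass(frozen=True)
class LineItem:
    sku: str
    unit_price: float             # US dollars
    quantity: int

@dataclass(frozen=True)
class Transaction:
    card_number: str
    items: tuple

# Assumption: the 'bad' list stores keyed hashes, not raw card numbers.
LIST_KEY = b"constructed-demo-key"

def card_token(card_number):
    digits = "".join(c for c in card_number if c.isdigit())
    return hmac.new(LIST_KEY, digits.encode(), hashlib.sha256).hexdigest()

BAD_CARDS = {card_token("4111 1111 1111 1111")}   # constructed test number

def rule_bad_card(tx):
    if card_token(tx.card_number) in BAD_CARDS:
        return Decision.DENY, "card number is in the 'bad' list"

def rule_bulk_high_value(tx):
    for item in tx.items:
        if item.quantity > 3 and item.unit_price > 500:
            return Decision.REVIEW, f"more than three of {item.sku} at over $500"

RULES = [rule_bad_card, rule_bulk_high_value]

def evaluate(tx, rules=RULES):
    """Run every rule; return the most severe decision and all reasons."""
    decision, reasons = Decision.APPROVE, []
    for rule in rules:
        hit = rule(tx)
        if hit:
            decision = max(decision, hit[0])
            reasons.append(hit[1])
    return decision, reasons
```

Returning every reason, not just the first match, gives a manual reviewer the full picture of why a transaction was held.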
Neural networks are more sophisticated. A neural network can compare and search for patterns in a transaction against a database containing profiles and patterns of known fraudulent activity. These systems are also called predictive statistical modelers, fraud scorers or screeners, and are extremely accurate because they depend on historical, accurate data to provide a base against which to judge current transactions. The data available is dependent on the system you purchase. Some systems can access a central database containing millions of transactions; others depend entirely on the data you have on hand.
The limitations of such a system depend almost entirely on the data used. Data should be updated on a regular basis -- every six months or so -- and based on as large a sample of sales as possible.
Customization is also necessary to reduce the number of transactions that are flagged for manual review. An off-the-shelf neural network may flag up to 10 percent of all transactions as possible risks, even though only a few of those may be true attempts at fraudulent transactions.
ClearCommerce Corp. and HNC Software offer neural-network-based fraud-detection systems. CyberSource uses a hybrid model; it combines an expert system with a neural network to examine millions of transactions to improve its statistical modeling and reduce the number of "false" rejections.
Another option is to use a third-party service, such as Equifax Secure's eIDverifier, which can provide identity-verification services. This service is integrated into your system. During the checkout process, the user is redirected to a site where the provider attempts to verify the identity of the customer by requiring answers to both "wallet" questions (information that can typically be found in your wallet) and "private" questions (information not found in your wallet but easily answerable if you are who you say you are).
An assessment score and reason codes, based on the answers provided by the customer and other industry data sources, are returned to the merchant. The merchant can then decide whether to continue processing the transaction as valid, process the transaction as invalid but attempt to garner information from the perpetrator to assist in prosecution, or simply end the transaction.
Technology editor Lori MacVittie has been a software developer and a network administrator. Most recently, she was a member of the technical architecture team for a global transportation and logistics organization. Send your comments on this article to her at lmacvittie@nwc.com.