Fraud rates for payment card transactions are at historic lows: seven basis points (0.07 percent) globally and five basis points (0.05 percent) in the US, according to a CEB TowerGroup blog. The fraud rate for riskier online transactions is down from 90 basis points (0.9 percent) in 2010 to 60 (0.6 percent) in 2011, according to an article citing the Visa subsidiary CyberSource.
But let's not start patting ourselves on the back just yet. Not only are online transactions 12 times more likely to be fraudulent than card-present transactions, but CyberSource puts the damage from online theft at $3.4 billion in 2011 (up from $2.7 billion in 2010), reflecting the tendency for thieves to go after higher-value merchandise through fewer transactions.
US cardholders spent about $3.5 trillion last year. A back-of-the-envelope calculation shows online fraud represents almost 0.1 percent of card transaction volume across all major card types -- credit and debit. By way of comparison, the payment card industry, including issuing banks, merchant banks, payment processors, and card associations, collects and splits among them approximately 2 percent of total transaction volume as interchange revenue.
From these figures, we might infer that the entire card payment industry earns about 20 times the revenue as the online fraud industry. I have no information about the relative profitability of the two industries, but I have to imagine that the online theft racket involves fewer fixed costs, fewer employees, and fewer regulations, leading to high profit margins. If online theft increases this year at the same rate as it did last year (i.e., to $4.4 billion of annual revenue), then Online Theft Inc. would earn itself a spot on the Fortune 500.
The good news is that federal law states consumers are not responsible for charges incurred using a stolen credit card number. The bad news is that everyone still pays for theft indirectly, through higher prices charged by merchants who need to cover unreimbursed fraud losses, along with higher fees charged by banks.
Online fraud is a systemic problem driven by factors ranging from the absence of robust card-not-present authentication methods, the ease of spoofing IP addresses, and the perils of the packet-switched Internet to the demonstrated security vulnerabilities of major companies in the payment ecosystem (e.g., Global Payments). Accordingly, we shouldn't expect a silver-bullet fix.
Even the much-touted move to chip-based cards won't solve the problem of card-not-present transactions, the CEB TowerGroup analyst Brian Riley said in a Webcast. Though chip cards will have some impact on fraud involving counterfeit or stolen cards, the technology won't substantively change the incidence of online fraud, he said, citing parallels in the Canadian, UK, and Australian markets.
Instead, the suggested approach includes a range of logical controls, rather than physical ones, set up throughout the phases of cardholder authentication, card processing, and transaction authorization. One example would be for multi-line financial services firms take an enterprise view of a cardholder's activities across all accounts. Then, using adaptive analytics and knowledge-based neural networks powering rule induction, the risk of a given transaction can be assessed based on that cardholder's previous activity, as well as consumer behavior in aggregate.
I'm all for logical controls where they make sense, but the problem with relying upon this approach is that it greatly favors the larger card issuers. In the absence of stronger physical controls for card-not-present transactions, it has become the responsibility of card-issuing banks and merchant banks to invest in expensive technology as a workaround. As with other areas of banking, scale and scope in technology and information will confer competitive advantage.
If the best line of defense against fraud is a knowledge-based neural network, the largest institutions having the biggest repositories of customer knowledge will be best equipped to repel fraud. Conversely, smaller financial institutions that don't know enough about customers' purchase behaviors will face higher risks and higher fraud rates until they acquire the needed information and algorithms at a premium price.
Once again, the costs of fraud mitigation are not costless to consumers, who will pay for the deployment of this technology through higher costs for basic banking services, within an industry further pressured by scale effects to consolidate into larger institutions. Meanwhile, the scope of information collected about consumers in the name of fighting fraud will itself become a tempting target for thieves and an epic privacy breach in the making.
I'd like to think that there can be a more secure Internet, through which two parties could exchange payments safely and securely without having to support the expense of an all-knowing financial network having data rivaling that of a nosy intelligence agency. Furthermore, it would be wonderful to select a bank based on prices, products, and services, rather than being limited to just those banks large enough to erect a credible defense against the criminal element.
That's probably not in the cards -- or is it?
In the comments, let's hear what you think should be the appropriate mix between logical and physical controls.