With a computer-security breach involving 40 million credit cards grabbing headlines, it would be easy to assume that this kind of fraud is on the rise. But while such a volume of compromised data is alarming, the fact remains that credit-card fraud has actually been falling, industry experts say.
Improved systems to detect bogus transactions have produced a decade-long decline in fraud as a percentage of overall dollar transactions. In 2004, illegal credit-card purchases totaled $788 million in the U.S., down from $882 million in 2003, according to Nilson Report, a trade publication. That represents just 4.7 cents for $100 worth of purchases, well down from a high of 15.7 cents in 1992.
WEALTH OF DATA. “The truth is the industry has never been better at catching fraud as the fraudsters try to commit it,” says David Robertson, Nilson’s publisher.
The decline, however, hasn’t stopped the squabbling over who foots the bill when fraud does occur — the merchant or the bank that issued the card. Retailers increasingly complain of being charged by the issuing banks for fraud they believe is the bank’s liability.
The specter of such fraud was raised on June 17 when MasterCard disclosed that someone had penetrated the computer network of Atlanta-based CardSystems Solutions, which processes transactions for more than 40 million cards of all brands, including MasterCard and Visa. The hacker gained access to names, account numbers, and verification codes.
DIFFERENT THREATS. CardSystems acts as an electronic pipeline between merchants and issuing banks, and it has since admitted, according to press reports, that it shouldn’t have been keeping the records accessed by the infiltrators. The breach underscores the need for tighter monitoring of credit-processing outfits, says Edward Lawrence, managing associate at Auriemma Consulting Group, a Westbury (N.Y.) company that advises processors and banks.
But the decline in overall ripoff rates indicates that the industry has done better at policing fraud. This runs counter to a popular impression that credit-card fraud is on the rise, says Avivah Litan, an industry analyst at research firm Gartner. That perception has been fueled, she says, by identity theft, which is increasing but at a slow pace, according to a 2005 study by Javelin Strategy & Research.
Identity theft’s impact is greater in other financial areas, such as check fraud, which Litan says has also gone up. Indeed, in cases such as the CardSystems breach where account data is compromised, only 2% of the accounts involved experience fraudulent activity, Visa’s research on past incidents shows.
CONSTANT VIGILANCE. That’s because card issuers — banks and credit-card outfits like MasterCard and Visa — have become more aggressive about fighting fraud, spending millions of dollars to prevent and identify illegal transactions. Security features on the card itself, like the three-digit number often found on the back, are one weapon in this war.
The industry also is looking to sophisticated software solutions from companies like Fair Isaac (FIC) and ID Analytics, which use high-powered data-mining techniques to alert issuers to potential instances of fraud. Often, issuers can now detect illegal transactions before the cardholder even knows a problem exists. “People are clever, and we have to be vigilant to protect our systems,” says Linda Locke, MasterCard’s vice-president for global communications. “Fighting fraud is a full-time job.”
Who pays the bill when credit-card fraud occurs depends on how the transaction was made. If it happened “face-to-face” with the cardholder signing in the presence of the merchant, the issuing bank is generally liable. But if it’s a “card-not-present” transaction, such as on the Internet, over the phone, or via mail, the merchant is liable. The majority of transactions are still face-to-face. Visa says such transactions accounted for 77% of its business in 2004, vs. 23% that were card-not-present.
WHERE THE BUCK STOPS. But the National Retail Federation (NRF), the nation’s biggest retail association, says its members are increasingly complaining that issuing banks are shifting the expense of fraudulent face-to-face transactions to retailers. One reason: complaints that the buyer’s signature didn’t match the one on the card. These “charge-backs” drive up retailers’ costs, which are ultimately passed along to the consumer, says Mallory Duncan, the NRF’s general counsel.
Gartner’s Litan says her talks with large retailers indicate that charge-backs on face-to-face transactions have risen to 50% of such transactions. On top of that, she adds, retailers must pay fees of $25 to $35 for each charge-back. “The issuing banks want to beef up their bottom lines,” Litan says. Either way, it’s the consumer who’s likely to pay in the end.