Cardholder security is very clearly at the front and center of the payments ecosystem “to-do” list. And with that comes the search for a solution that keeps cardholder data secure and curbs bank fraud. 3-D Secure, a protocol designed to help online merchants reduce the incidences of fraud online was designed to do just that. But 3-D Secure has often been criticized for creating too much friction into the process – putting the 95 percent of people who aren’t the bad guys through the wringer instead of focusing on the 5 percent who might, in fact, be sketchy. CA Technologies, who is the co-creator of the 3-D Secure protocol, has addressed this by leveraging behavior-based authentication models to take on the important authentication work in the background, positioning 3-D Secure as a robust tool for reducing fraud losses in eCommerce transactions without subjecting consumers who just want to buy legitimately online with one big friction point.
In a recent digital discussion, PYMNTS.com’s Karen Webster chatted live with CA Technologies’ Revathi Subramanian, Senior Vice President, Data Science, to gain insight on current fraud challenges, the use of important data as it relates to the 3-D Secure process, and the “Ten Commandments” for tackling fraud.
Ten to fifteen years ago, ecommerce payments were rapidly multiplying. CA Technologies therefore co-created, with the payments networks, the 3-D Secure process, which provided a way for issuers to intervene and better understand card-not-present transactions. It started as an authentication solution, however, the 3-D Secure process has been criticized in the past with respect to the consumer experience.
"As banks used it more and more, the idea of intervening every transaction was not very palatable because the customer experience was suffering,” said Subramanian. “There was money left on the table, which resulted from abandonment.” There are three things that therefore must be balanced: the customer experience, the operational costs of customer abandonment, and the prevention of fraud.
"If you focus more on the few transactions that must be questioned and do not intervene on the remaining 95 percent of regular transactions, there’s tremendous value for issuers,” said Subramanian. But if every transaction is intervened, she added, issuers may end up losing 15 to 20 percent of transactions as customers abandon them. Significant revenue would therefore be lost. Achieving balance is the only way to increase card revenue.
Here’s what you need to know:
1. Data: Garbage In, Garbage Out
If you look at the general data banks collects, said Subramanian, the quality is suffering – it is not collected uniformly. With respect to 3-D Secure, the way the data is collected is uniform. It’s not data being dictated by the issuer, but rather directly from the merchant by request.
2. No Documentation, No Change
When dealing with data, one of the biggest issues that organizations have is that information is not documented the same way. With 3-D Secure, there’s significant portion of the data created by a single entity. It’s uniform and provides tremendous opportunity for issuers to bring data together. Device IDs called by the same name have a lot of value.
3. Key Employees Are Not a Substitute for Good Documentation
"What ends up happening with banks is they’ll change something or request something new in the fraud detection process, and it doesn’t get documented properly,” said Subramanian. “That piece of data, even though important, cannot really be used for awhile."
In 3-D Secure, she noted, you have a well-documented protocol. The pieces of information that come through for the merchant are fixed and well understood – there’s opportunity to keep it uniform.
4. More Doesn’t Mean Better
Rules are usually a requirement for any system, yet having too many rules can be counter-protective. A rules engine is a must-have to give flexibility to the issuer, and data driven rules are best. As 3-D Secure evolved, rules were applied based on unique data variables so that issuers no longer need to intervene in every transaction.
5. Never Rest on Your Laurels
Because devices are growing and evolving, we need to constantly understand how they work. As fraud management systems get sophisticated, fraudsters also get sophisticated. Scoring processes have to keep on improving to tackle fraud effectively – and advanced analytical scoring is a huge value.
6. Score + Rules = Winning Strategy
A sophisticated scoring system along with a limited set of rules to take into account operational considerations is the winning combination, said Subramanian. Scores tell you who might not be legitimate, and rules are what you decide to do with that knowledge.
7. Fraud: It’s Everyone’s Problem
"Every little bit of information we drop on the floor, every transaction that doesn’t get recorded, every rule that doesn’t get used right, every score that doesn’t get used optimally, every fraud analyst that doesn’t get trained well has an impact on the overall fraud management picture,” said Subramanian in her book “Bank Fraud: Using Technology to Combat Losses.” 3-D Secure is a gold mine of information, and any bank that doesn’t use an advanced scoring system using 3-D secure data is leaving a lot of cash on the table.
8. Continual Assessment is the Key
It’s important to assess the overall fraud management strategy in the context of the new information available through 3-D Secure. Data is power, especially when used to control risk. When more data becomes available, issuers should make use of it. They should continuously assess their whole fraud landscape and ask themselves what tools are available to them.
9. Fraud Control Systems: If They Rest, They Rust
3-D Secure has shown that it can have positive impact on fraud losses. According to Subramanian, strong models using the length and breadth of 3-D Secure’s data (with a flexible rules system) can make it a key fraud control tool now and in the future.
10. Continual Improvement: The Cycle Never Ends
Every time there is a leap forward in the digital world, there is a leap forward in what fraudsters can do. This means that there must be a continual process of improvement among issuers – planning, doing, checking, and acting. It’s important for them to use every bit of data that is available in complete fraud management strategy.
Today, 3-D Secure is dynamic and personalized. It targets high-risk transactions only, there is no up-front registration, and dynamic passwords provide enhanced protection. Equally as important, the cardholders and devices each have unique experiences that help issuers differentiate who is good and who is bad, arming themselves against fraud.
If you missed out on this live Digital Discussion and want to know more about Subramanian’s “10 Commandments,” stream a free copy of the discussion here.
About the Presenter
Senior Vice President, Data Science at CA Technologies
Revathi Subramanian is Senior Vice President, Data Science at CA Technologies. She is the founding member of a team of high caliber data scientists that are uncovering business value and operational intelligence from the chaos of Big Data in areas like eCommerce, application performance management, infrastructure management, service virtualization and project management. Her team is at the forefront of using analytics to combat card not present fraud and has developed patent-pending technology in this area. She is the author of the book “Bank Fraud: Using Technology to Combat Losses” which describes fraud detection and prevention strategies from a technological perspective, helping users define their data and analysis environments correctly from the beginning, so that the best possible results can be achieved by their fraud management systems.
Before joining CA, Revathi was the co-founder of the SAS Advanced Analytics Solutions Division in 2002. She led the development of a new enterprise real-time fraud decisioning platform utilizing advanced analytics. Over the next ten years, she and her team added the name of SAS Institute to the world of real-time analytics solutions. Revathi is credited with multiple patents and some groundbreaking and innovative real-time scoring technology in fraud and risk management. Prior to joining SAS, Revathi held various leadership roles in HNC Software, acquired by FICO in 2002, and built highly innovative transaction-based credit risk, attrition risk, and revenue/profit forecasting systems.
Revathi has a Master’s degree in Statistics from the Ohio State University and a Bachelor’s degree in Mathematics from Ethiraj College, Chennai, India.