It might be time to think about the future of human intervention for e-commerce transactions, especially as criminal sophistication increases exponentially.
The lifeblood of any retailer is ensuring that as many valid transactions are completed as possible. E-commerce merchants, in particular, will go to great trouble to validate as many transactions as they can. Increasingly, that great trouble includes inspection by an actual human being—something called a manual review.
This happens when a doubtful or borderline transaction pops up on the automated scoring routines. Rather than reflexively deny what could be a legitimate sale, the e-retailer asks one of its employees to examine the transaction and make a reasonable effort to determine if it should be approved.
It’s a common practice with 79% of North American businesses that use manual reviews, according to the CyberSource 2017 Online Fraud Benchmark report. On average, approximately 25% of orders are subjected to manual review at these businesses.
CyberSource’s report also found that 89% of transactions subjected to a manual review ultimately are approved, “… an indicator that more orders are being reviewed than might be necessary,” the report noted.
A rethink of manual reviews might be in order for many merchants, especially those that can take advantage of new data sources. The reason: Criminals now have access to billions of pieces of information about consumers.
Formidable Task
Another reason for a rethink is that manual reviews are expensive for the merchant and can be frustrating for consumers.
“In many cases, we still see a role for manual reviews,” says Julie Conroy, research director at Aite Group LLC, a Boston-based financial-services advisory firm. “But, certainly as I talk to merchants, their goal is to leverage technology to reduce the number of transactions they have to work through the manual review from a customer-experience perspective and an operational-cost perspective as well.”
Dual advances in the amounts of digital data about consumers and in machine-learning technologies to crunch that data point to “some good progress” in the ability to better authenticate legitimate shoppers, Conroy says.
The problem is that there are vast amounts of genuine data already in the hands of criminals, thanks to multiple breaches in which not only payment data, but also such distinctive datasets as addresses, maiden names, telephone numbers, and Social Security numbers, have been stolen.
With all this data easily available to criminals, merchants and their fraud-mitigation vendors face the formidable task of verifying legitimate consumers with the clock running on wages and on other projects they could be working on.
Basic steps in a manual review might include placing a call to the customer or the issuing bank to verify shipping and billing information, along with a search of the shopper’s transaction history with the merchant, or checking the shopper’s Internet protocol address against the shopper’s prior purchase history.
The Luxury of Time
The impulse to conduct manual reviews becomes especially strong in the face of increasing chargeback rates, says Don Bush, vice president of marketing at Kount Inc., a specialist in anti-fraud services for e-commerce merchants.
This response isn’t without merit. Generally, if a merchant does manual reviews, it employs one to three individuals to handle the task. “It’s easier to increase the number they do than put in a new system,” Bush says. But this reaction has a big drawback. “It’s the most costly, most time-consuming [tactic],” says Bush.
The risk, Bush adds, is that a merchant could provoke the problem with a simple change to its Web site, say on its checkout page, that might increase the number of suspect transactions.
All in all, the manual review is “not a very scalable method, especially if the merchant is in a hyper-growth area at 20% to 40% a year,” says Bush.
Today, however, the measures merchants and their vendors can use in the review process have multiplied by the score. Data from a shopper’s smart phone can be incorporated into the review process, for example, yielding more insight into the shopper’s identity.
Multiple vendors are working to get this type of data into merchants’ systems. At ThreatMetrix Inc., a San Jose, Calif.-based fraud-prevention company, the mantra is automation. “Next-generation fraud-prevention technologies enable companies to dramatically cut the number of manual reviews that are required in the first place, and then automated workflows, if a case does require manual review, are critical to be able to perform this at speed and scale,” Vanita Pandey, ThreatMetrix vice president of product and marketing, says in an email message.
Automation is essential especially because so many e-commerce merchants now offer speedier delivery options, putting pressure on the authorization process.
The move toward instant or next-day delivery means that fraud teams no longer have the luxury of time to review transactions, Pandey says. “On top of this, high manual-review rates are very taxing on organizations, as they require expensive human resources. Therefore, keeping manual-review rates down and having automated processes in place are critical to both cutting operational costs and meeting rising customer expectations.”
Manual Reviews, False Declines
As Conroy notes, an abundance of new data could have a positive impact on merchants’ ability to ferret out suspect transactions, especially because so many more consumers are using mobile devices for everyday activities.
“As you look at increasing the percentage of transactions initiated from mobile devices, [and] as you analyze these mobile devices, with device fingerprints for example, it has a ton of value,” Conroy says. “Also, as we look at the increasing denominator on mobile commerce, the mobile device in and of itself has a ton of valuable data to those willing to pay the price.”
ThreatMetrix, Pandey says, can analyze a transaction based on hundreds of attributes and cross-correlate that data against anonymized information related to that digital identity and historical behavior it has seen for that user on its global network.
“Deep behavioral assessments are able to recognize activity that deviates from what is normal for that particular individual and can dramatically cut down the number of manual reviews,” she says.
Even processors like First Data Corp., which processes more than 2,500 transactions per second for more than 6 million merchants globally, have entered the fray. One of its chief products in this area is Fraud Detect, a service it launched in 2017 that uses artificial intelligence, machine learning, fraud scoring, cybersecurity intelligence, and intelligence gleaned from the dark Web, to identify potentially fraudulent transactions.
“What we see today as challenging in the industry is bad guys get the card information, then within minutes they are testing these cards,” says Ajay Guru, First Data head of merchant fraud solutions. “They are able to take mobile phones they bought using stolen cards, load them, and use them in omnicommerce.”
After that, criminals look to monetize their ill-gotten gains across larger industries, larger retailers, theme parks, and the like, Guru says. Typically, a small-to-mid-size merchant might review 10% to 15% of their transactions, Guru says. “These are merchants that could be retail, digital, or services,” he says.
Kount’s Bush says, in general, the typical merchant sends between 12% and 25% of its transactions to manual review. The cost of manual review could amount to $300 to $500 per day, in one example.
Assume a merchant processes $10,000 daily and has a 50% gross margin. If 15% of these transactions are manually reviewed and the approval rate is in the 75% to 80% range, the merchant has only added cost and time to her transactions, Bush says. “She could be losing $300 to $500 a day in manual reviews,” he says. “That’s [up to] 10% of the gross margin.”
This speaks to the issue of false declines, which is when a legitimate transaction is declined because it is thought to be fraudulent. “As I talk to the more sophisticated merchants, they are more concerned with false-decline problems than manual-review problems,” says Aite’s Conroy. The reason is simple. In 2017, false declines accounted for $300 billion in the United States, compared with $4 billion in card-present fraud, she says.
‘Behind the Scenes’
With the proliferation of stolen, yet valid, static consumer data inundating the Internet, the ability to process this data along with the unique dynamic data generated by individuals when they use devices to interact online is becoming paramount as consumer expectations change.
As online commerce—via desktops, mobile devices, and the Internet of Things—grows, fraudsters are moving to the next level, says Michael Reitblat, chief executive at Forter, a New York City-based fraud-prevention company.
“Now, fraudsters are moving to account-level fraud,” Reitblat tells Digital Transactions. This fraud is when a criminal takes over an account. It’s especially bad because the account appears legitimate despite the criminal takeover. Therefore, a criminal could load stolen card data or use credentials stored in the account by the legitimate owner for his own purposes.
Security is compromised, Reitblat says, because many consumers use the same usernames and passwords for multiple accounts.
With a consumer grown accustomed to two-day or overnight shipping, the push to validate transactions automatically and reduce the number sent to manual review becomes more important, he says. “They want to click once and get it at the door the next day or pick up in the store,” Reitblat says. “Everything is frictionless. People don’t want merchants calling them or limiting them in terms of what they can do or pay with.”
Indeed, merchants are challenged to bolster their behind-the-scenes payments technology, Aite’s Conroy says, because the old standbys for identifying legitimate consumers have been outstripped by criminals.
For example, in the breach of credit-reporting agency Equifax Inc., which exposed 145 million consumer accounts, criminals gained access to a lot of data that was already available to them, Conroy says.
“You can’t be just reliant on usernames and passwords to get to the card on file,” she adds. “They’ve compromised all of our data. If you can, bolster that behind the scenes.”