Posted by Andre Edelbrock on Fri, Sep 10, 2010
Facilitated collaboration, with formally structured protocols, makes legal and ethical data sharing possible. Doing it requires a system that makes sure all the participants can benefit from one another’s transaction experiences while not passing around the data itself.
Last week, I participated in a roundtable session on ‘data sharing’ at the Merchant Risk Council’s inaugural European e-Commerce Payments and Risk Conference in Amsterdam. It was a great opportunity to exchange insights with other industry leaders from many countries.
Data sharing is great!
Imagine if there were no restrictions on what we could share to stop fraud. Walmart and Amazon would tell each other when they caught a fraudster, what email was used, his IP location, what was attempted to be purchased, when it happened, dollar value, name, credit card number, etc. No fraudster would ever succeed at stealing more than once or twice, and we'd have good enough pattern recognition and linked data that in many cases, we'd stop them before they tried to use a compromised card, account or data the first time.
That's the real promise and power of data sharing.
But Sharing Data? Yikes!
Unfortunately, we live in the real world, and companies don't just hand each other their customer and sales data. The reality is that sharing has its limits, and it's those limits that allow so much fraud to slip through our fingers. It's the fear of what the term 'data sharing' implies that often prevents us from doing anything at all.
In our discussions with merchants, card issuers, banks, payment processors, acquirers and the like, we found that 'data sharing' implies informality and lack of structure, which immediately raises concerns about privacy, security, data integrity and trust. The term also raises legal concerns about what data, if any, can be shared. This is particularly true in Europe, which has stricter controls and regulations around privacy that vary by jurisdiction. Legal authorities and governments often assume that ‘data sharing’ means that account information is simply passed around between private parties with no regard for the individual's rights.
(For more on this see discussion in FinExtra about "unauthorized access" -- which is exactly the fear that sharing conjures up, and part of the reason that the Data Protection Act exists.)
When we collaborate, we can share experiences and knowledge without sharing the data
"What", you say?! That's some fancy verbal gymnastics. But, there is much truth that if we think about data sharing and the value it can provide differently, and expand the concept to one of collaboration where independent management, structure and governance are applied, we can escape the trap that everyone thinks data sharing is a great thing in theory, but few want to subscribe to it in practice.
Ethoca prefers the term 'facilitated collaboration', with a full set of formally structured protocols to make legal and ethical data pooling possible. It’s a system that makes sure all the participants can benefit from one another’s transaction experiences while not passing around the data itself. That means things like the strictest conformance to PCI across all PII, highly secured access, the management, auditing and certification of data integrity by independent authorities, and access to information and anonymized experiences, not the data itself.
Ethoca has already proved that facilitated collaboration can work on a large scale. Our strict protocols build trust among the participants. The merchants, issuers and other stakeholders know the data can't be mined for marketing purposes or accessed for any purpose other than fraud/risk management. The information is hashed and encrypted so that even Ethoca security experts can’t see personally identifying information. Participants also get large benefits, being able to leverage one another’s payment and fraud experiences and stop ecommerce fraud that they’d never catch otherwise.
So is the difference between ‘sharing’ and ‘collaboration’ only a matter of semantics? No. As my colleague Darryl Green wrote recently, collaborative fraud prevention is the future – and trust is the key.
We'd love to hear about your experiences with data sharing. Why has it worked or not worked for you? What value would you get from facilitated collaboration versus data sharing? Please share your feedback in the comments below.
Posted by Keegan Johnson on Wed, Sep 01, 2010
In this 3-part series, I examine what 3D Secure is and why it was developed, discuss its successes and failures from the perspectives of merchants, consumers, banks and security experts and how it's been adopted in different geographies, and finally conclude with an evaluation of how well it addresses the problem it set out to solve and whether better approaches might exist. I invite your questions and comments regarding your personal 3D Secure experiences.
Introduction: Part 1 of 3
Our European readers are likely very familiar with 3D Secure in some form, but here on the other side of the Atlantic, not so much. So, first some background.
3D Secure is the generic name given to a protocol originally designed by Visa that is promoted as offering an added layer of security through user authentication to prevent payment card fraud. Visa offered the scheme to other card associations who have implemented it under their own branding.
The 3 branded versions are Verified by Visa (VbV), MasterCard SecureCode, and JCB International's (Japan Credit Bureau) J/Secure.
Poorly implemented and marketed (there is lots of market confusion about what it is, even in Europe where it has high penetration and most online shoppers have encountered it at least a few times), you may hear any of these 4 terms bandied about. Know that they are all basically the same thing. If you want to dig in to more detail, this Wikipedia article covers the basics.
Why Use 3D Secure?
MasterCard offers this business case on their website:
- 70% of online shoppers are very concerned about security and fraud issues
- 26% would purchase more frequently online if there were more security protection from a card
- 44% of those likely to use SecureCode would be likely to buy more online
- 66% of online consumers who do not make purchases online cite security concerns as the main reason
As this series of articles will discuss, if security, consumer protection, and increased sales are the real issues, we'd all be better off not using 3D Secure technology, because it isn't secure, doesn't offer any additional protection to the consumer beyond the "zero liability" for fraud that is already guaranteed, and often causes sales to drop because consumers don't understand it, don't trust it and don't like the inconvenience.
The Sales Pitch Versus the Reality
Most merchants who choose to adopt 3D Secure do so because it shifts liability for card-not-present fraud to the card issuer on 3D Secure-authorized transactions. Without this economic incentive, it's unlikely 3D Secure would have gained significant market traction.
In some industries with high risk profiles and large dollar sales (e.g. airlines), and where there are limited choices and demand is relatively inelastic (if I want to travel from Toronto to Atlanta, for example, I have only 2 practical choices, unless I'm prepared to take the time to drive), this liability shift and reduced fraud cost outweighs lost sales and what consumers think about the inconvenience.
As a result, purchasing tickets is one of the most likely places consumers will encounter 3D Secure in the US. In most other business categories, there is simply too much competition for retailers to risk offending, inconveniencing or confusing customers.
It's Different in Europe
Adoption in Europe has been much broader than in North America. We speculate that part of the reason for this is that the US e-commerce market was much more established when 3D Secure was introduced, with many more merchants and much more competition within categories. Thus merchants are less willing to do anything that might introduce a perceived inconvenience or a reason for consumers to go elsewhere.
In the UK, the MasterCard Maestro brand, which is one of the most widely used cards, basically issued an ultimatum that if merchants wanted to accept their payment cards online, they would need to use 3D Secure. This single spur to adopt has dramatically changed the game there, making the ability to accept online payments a critical factor in adoption, although it hasn't completely mitigated concerns about security, lost sales or consumer fear of fraud.
As a result of this enforced implementation, adoption in the UK market, for instance, has risen from below 20% to around 80% of UK merchants in just 3-4 years, although there are some notable holdouts. Amazon, the world's largest online retailer (by far), refuses to use 3D Secure, citing consumer inconvenience. Amazon also has very sophisticated fraud systems in place already, so stands to lose more in sales and customer goodwill than it would gain in fraud savings.
Summary
In summary, 3D Secure has had a spotty record since it was introduced by VISA nearly 10 years ago in 2001. In the last few years, it has become much more successful in Europe than in North America where it is still an oddity. It has helped lower fraud a little bit, particularly in the UK market (but not the Total Cost of Fraud - a concept which we'll touch on in future articles that helps explain lack of market traction), but at the expense of consumer angst and lower sales for many merchants.
In the next article, I'll detail the complaints about 3D Secure and why merchants and consumers generally don't like it, and the cost burden it imposes on card issuers.
Posted by Andre Edelbrock on Tue, Jun 08, 2010

The U.S. Federal Trade Commission estimates that six times as much revenue is lost to "fear of fraud" as to actual fraud
How making online shopping safer means a more profitable online environment for all
Beyond the total cost of fraud you may face today, there is an even bigger challenge: many potential customers are afraid to buy online. They don’t think it’s safe.
In fact, six times as much revenue is lost each year to fear of fraud as to actual fraud, according to the U.S. Federal Trade Commission.
That number is consistent with surveys and research by other organizations as well. VeriSign says half of Internet users avoid buying online, for fear of their financial information being stolen. And of those who have been victims of fraud:
- 12% don’t shop online any longer
- 25% shop less frequently
- 19% spend less when they do shop online
And according to figures from a CyberSource 2009 survey:
- 71% of consumers are concerned with the level of risk when shopping over the web, an increase of 5% over 2008
- 24% of consumers (the largest grouping of answers) say it is merchants’ responsibility to make online shopping safe
Making online shopping safer -- It's within your control
Trust seals can and do increase the perception of safe shopping for many. They, however, can only go so far, and with constant media attention paid to massive data security breaches such as those perpetrated against Heartland Payment Systems, TJ Maxx, Hannaford Supermarkets and many others, not to mention the myriad tales of unscrubbed and unprotected data on used hard drives, archival tapes full of social security numbers and other personally identifiable information falling off the back of trucks, consumers are rightly fearful that no matter what they or merchants do to protect their data, there are weak links in the security chain that put them at risk.
In fact, there are 3 elements to making Internet shopping not only as safe as it can be, but truly the safest form of shopping. First, merchants need to implement proper security precautions, especially PCI compliance. Second, compliance needs to be regulated and certified (and advertised by the accompanying trust marks). Finally, merchants need to ensure that in the event security is breached, minimal harm comes to the consumer. The best way to do that is through collaboration with other merchants, as well as card issuers, fraud vendors, payment service providers - in fact, all the stakeholders in ecommerce.
The Global Fraud Alliance is that third and critical piece in making internet shopping safer. It provides a shield against misuse of breached and compromised data, by enabling merchants to gain insight into each other's payment experiences in real time, without compromising the privacy or security of their data.
Ethoca has recently made a very important contribution to safe shopping by making Ethoca360 Negative Signals freely available to any merchant that signs up for service during the introductory period. And, not just free to sign up, but free forever. Merchants need only apply and start actively using the service during the introductory period to ensure this lifetime benefit. This service is also being made available through partners such as 41st Parameter's FraudNet technology, GB Group's URU identity service, and the IMRG ISIS (Internet Shopping Is Safe) program. This network is rapidly growing to include other payment service providers and fraud merchants, and in the very near future will include many others in the U.S., Canada, U.K., and throughout Europe.
A safer online environment means a more profitable online environment
The more merchants collaborating against fraud, the safer the Internet will be, and the more customers will shop online.
Doing your part is simple, and most importantly, it will start saving you money right away, no matter what fraud tools or services you already use. That's because Ethoca360 Negative Signals is designed to be an additive service, compatible with all 3rd party offerings. This is simply smart business for members of the Global Fraud Alliance. Increasing consumers' willingness to shop online means more business for everyone.
We invite you to join.

Posted by Paul Paetz on Thu, Dec 11, 2008

It’s so great to see our newest member Tahoe Mountain Sports getting the word out about the Community.
Nice to see it get picked up by the Outdoor Industry Association.
Thanks David!
Also, David shared some great insights in a video on the Community channel on YouTube. Watch embedded clip below, or use the link above to see it.
Posted by Andre Edelbrock on Wed, Dec 10, 2008

Sarah Lacy raises some interesting points; however, I’d like to add one more. Retailers have been evolving their e-commerce sites in one critical area that is making it more friendly for good customers — and more difficult for the bad customers. And that area is fraud management, where behind the scenes (of all places), the 2.0 idea of social networking is being incorporated — in particular as part of the Global Fraud Fighting Community.
Retailers, airlines, gaming companies, banks, payment processors, fraud solution providers and many more are collaborating by pooling their good and bad transaction experiences, and using that to do a better job of weeding out the bad guys and treating the good customers better. That may mean expedited service, no secondary checking, no requests for additional proof that you are who you say you are, faster order processing, and it most certainly means not telling good customers you don't want their business, so please shop somewhere else.
They (the retailers, airlines etc.) are now actually working together to solve the biggest problem of shopping online -- that no one knows who you are, and good customers and bad customers look the same to order processing software. By combining their knowledge, retailers can recognize "familiar" customers, even when they are shopping at your store for the first time. In effect, customers carry their positive track record with them, enabling online merchants to treat them accordingly.
We often forget that no matter how good a shopping site is, if the checkout experience is bad, that's the only thing a customer remembers. Making that process transparent, simple, convenient and fast is the flipside of a fraud detection service that employs social networking concepts to deliver a better overall result, as well as the lowest Total Cost of Fraud.
Posted by Andre Edelbrock on Mon, Dec 01, 2008
tekgems commented on the heels of 2checkout.com joining the Community. I know there are probably a lot of merchants wondering if there is a way to leverage other merchants’ experiences through a central database. Simple answer…there is.
Here’s the link to his post.
Watch a video of Kristin Dach, CFO of 2Checkout.com, discussing why she believes it takes a community of online merchants to work together to defeat fraud.
Posted by Andre Edelbrock on Thu, Nov 20, 2008
Sales growth slowing…
Fresh data show that U.S. retail ecommerce grew 1% year-over-year in October, representing the sixth consecutive month this year of slowing growth rates.
The picture in the UK is not all that much better, as IMRG/Capgemini reported that the latest figures for October show month-on-month growth of 3.8% and year-on-year growth of 12.7%, representing the lowest year-on-year growth since December 2004 – reflecting the suffering economy.
With more and more people hunkering down and less and less credit available, a turnaround to previous growth levels looks far off, and perhaps an overall decrease is in the cards.
Fraud activity on the rise… 
Gartner security analyst Avivah Litan reports that in recent months, banking clients have been warning her of a spike in fraud, much of it based on the use of stolen financial data. “There’s been a marked increase in the number of attacks and the number of successful fraud attempts,” says Litan, due to publish a report in December. “This is the busiest my practice has ever been.”
We’ve also heard something very disturbing last week from one online business: they are starting to see a rise in fraud from their good customers, commonly referred to as 1st party fraud. These are good customers who are now turning to fraudulent activity in tough times by making false claims, e.g., orders not being shipped, or making up customer service complaints.
Shift in spend… 
Jonathan Penn, an analyst at Forrester Research, reported in September that the bulk of IT spend during the banking meltdown will go toward systems designed to keep former employees or disgruntled workers out of proprietary systems and to prevent business-killing data breaches, often resulting in less for other areas of security.
This all adds up to…
Tough times ahead for online retailers as good customers spend less, fraud increases (now even the good customers getting in on the act!) and fraud managers are asked to do more with less. All attention shifts to the Fraud Manager. He or she is looked upon as the ultimate fighter in the battle to strike a balance between revenue and fraud. He or she plays a big role in the profitability of your online business, so you’d be wise to give him or her your undivided attention.
Have a conversation…
Start by asking your Fraud Manager: “Are we doing everything possible with our available resources?”
Then ask: “What more could we do with the resources of others?”
If you get a confused look back try asking it this way: “I know they’re our competitors but what if we had Bob over at ACME, and Sue over at Bit Co. working for us on this? Would it help?” 
I’m sure you’ve heard the saying “It takes a village.”
Fraudsters realized some time ago that working in a village with other villagers made their own lives better. Going it alone isn’t enough. Why not share the pain? Why not share the cost of fraud with others for your benefit and the benefit of everyone…all at the demise of the fraudster?
Let me know what he or she says.
Posted by Andre Edelbrock on Mon, Nov 17, 2008
The problem is that the ‘we’ is often the bad guys.
For example - criminals around the world are benefiting from being better organized and using the Internet to work together. In the UK, banking losses due to fraud soared to £301.7m in the first half of 2008 compared to £263.6m in the same period last year, according to the latest figures from UK banking association APACS. Card-not-present fraud (a category that includes e-commerce fraud as well as phone and mail order scams) rose 18% to reach £161.9m in that same period.
So with the good guys losing the battle of the organized to the bad guys, you and I as consumers and businessmen pay a price…literally as the APACS numbers show.
But all good things must come to an end. Banks and businesses have had enough. The power shift, in favor of the good guys, has begun, as in the same way the criminals have leveraged the power of organizing and the Internet, businesses and banks around the world are now working together to fight fraud head-on.
Watch the following video clip of Gilbert Fiorentino, CEO of TigerDirect, to see just how mad online retailers are getting, and what they're prepared to do about it.
Watch what happens when hundreds organize…boom…new rules indeed.
Click here to read Seth Godin’s post on this.