The DNA of Online Payments Fraud
1. Christopher Uriarte, Chief Technology Officer & Head of International Development, Retail Decisions
Understanding the DNA of E-Commerce Fraud: The Tools, the Technologies and the Techniques
2. Sample of ReD’s Clients and Focus Sectors
Regions: America, Europe, Asia Pacific, Other
Sectors: Travel, Telephony, Retail, Oil, Banking
3. About Retail Decisions: A Market Leader
Retail Decisions (ReD) is a London-based specialty provider of transaction and card issuing services to banks, retailers, oil companies and telcos worldwide
• One of the leading global providers of transactional card fraud prevention and payment services
– Touched approx. 16 billion card transactions per year for blue chip clients around the globe; 160 billion card transactions per annum worldwide (2007)
– 20+ years' experience in card fraud prevention
• Fully-managed Fraud Prevention and Payment Services focused only on large and blue-chip customers: Merchants, Issuers and Acquirers
• Blue-chip client base of more than 300 companies
• Largest pre-paid gift card issuer in Australia
• Strong service offering throughout all pieces in the payment value chain: merchants, processors and banking institutions
4. Where We Sit & Where the Data Comes From
[Diagram labels]
• Fraud Prevention & Gateway Services (CP & CNP): ReDShield™, ReD1Gateway™, CardExpress™
• Fraud Prevention for Acquirers & Processors: PRISM™
• Fraud Prevention for Issuers: PRISM™
• Fraud Prevention for Merchants
• Fraud Prevention for Banking Institutions
5. Complexity
Malicious individuals continue to evolve schemes in an effort to obtain greater anonymity and higher return on investment with less risk
[Chart: fraud schemes plotted over time. Axis and scale labels: Time, Increased Complexity, Higher net return $, Good, Bad. Schemes shown: C2C Networks, Online Ad Fraud, Malware/Sniffers, Triangulation, Shipping fraud, Friendly Fraud, Re-Shipping fraud]
Source: 2008 PCI SSC Community Meeting
6. Implanted chips
Criminals implant a chip directly into Point of Sale equipment
The chip holds up to 1,000 account numbers
Major occurrences in Taiwan, Malaysia and Brazil
7. Purpose Built Skimmers
• Small battery-operated skimmers can hold up to 1 million account numbers at a time
• Devices are mainly produced in Malaysia and China
• Manually manufactured from standard POS equipment
• The skimmers were introduced to the US in 1998
8. Counterfeit Fraud
Increasing examples of large, sophisticated counterfeit card manufacturing operations
170,000 cards seized in Taipei, Taiwan
9. Arrests in card scam
Wednesday, February 28, 2007
By Paul Grimaldi
Journal Staff Writer
The men allegedly stole the information by switching out checkout lane keypads with one of their own machines and then retrieving the units a few days later so they could copy the account data. To achieve this, they took shelf stocking positions at the supermarket, which gave them legitimate access to the facility during late hours in the evening. They recorded the stolen information on blank bank cards that they used to get money from ATMs in the area, the police said.
Organized & Social
Arraigned yesterday in the thefts of credit-card and debit-card information — and more than $100,000
11. CVV2s contain:
1: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2
2: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2
3: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2
14. Malware & Botnets
• Easy to find & customizable by user
• Designed to monetize fraud not disrupt systems
• Utilizes phishing attack info
• Prevalent in online advertising & affiliate fraud
• Very low detection & apprehension rate
• Very high ROI rates
• High rate of mutation
16. Attacks on Specific Payment Instruments
• As electronic payments evolve, criminals evolve their targets and their strategies
• Specific payment instruments have come under significant attack
– Alternative payment: PayPal, Bill Me Later, etc.
– Gift Card (Plastic and Virtual): Schemes used in both the acquisition and redemption of gift cards
– Private Label cards
• Merchants are often “two steps behind” the criminal after launching or adjusting payment strategies
17. This is what it’s come to…
Source: ShopRite stores, New York City area, December 2009
18. Gift Card Acquisition Fraud Rates: Three Top 10 Retailers

| Retailer | Virtual Gift Cards: % of Transactions | Virtual Gift Cards: % of Overall $ Value | Plastic Gift Cards: % of Transactions | Plastic Gift Cards: % of Overall $ Value | Overall Bankcard Fraud Rates: % of Transactions | Overall Bankcard Fraud Rates: % of Overall $ Value |
|---|---|---|---|---|---|---|
| Large Retailer “A” (Apparel, Home Goods) | 0.80% [1.50%] | 1.00% [1.70%] | 0.03% [0.60%] | 0.03% [0.90%] | 0.16% | 0.34% |
| Large Retailer “B” (Mixed Retail) | 4.10% | 10.6% | 2.10% | 3.05% | 0.41% | 1.30% |
| Large Retailer “C” (Mixed Retail) | 1.70% [6.70%] | 2.60% [5.5%] | 0.70% [2.7%] | 2.80% [2.6%] | 1.5% | 3.2% |

Key: June – December 2008 figures are unbracketed; [January-February 2009] figures are in brackets
• Gift Card Fraud: Defined as the fraudulent purchase of a virtual or plastic gift card
• Retailers displayed above have significant, established gift card programs
• Retailers profiled represent major North American retailers with total combined annual revenues exceeding USD $476 billion (2008)
19. Private Label Card Fraud Examples: Three Top 10 Retailers

| Retailer | Private Label Cards: % of Transactions | Private Label Cards: % of Overall $ Value | Other Card Types: % of Transactions | Other Card Types: % of Overall $ Value |
|---|---|---|---|---|
| Large Retailer “A” (Apparel, Home Goods) | 0.08% | 0.23% | 0.16% | 0.34% |
| Large Retailer “B” (Mixed Retail) | 0.44% | 1.56% | 0.41% | 1.30% |
| Large Retailer “C” (Mixed Retail) | 0.50% | 0.98% | 1.5% | 3.2% |

• Merchant sample includes 3 very large, established major retailers with significant transaction volumes and private label portfolios
• Includes CNP fraud rates for transactions that took place in 2008, with the exception of Retailer “B”, whose statistics are from July to December 2008
• Based on Retail Decisions merchant assessments, April 2009 (delay introduced to allow for confirmed fraud/chargeback resolution window)
• “Fraud Rate” is defined as known fraud, but not necessarily chargebacks. Some fraud is detected and denied before a chargeback occurs. Actual chargeback rates for Other Card Types are significantly lower than reflected above
20. The Fraud Lifecycle
[Chart: value of fraud plotted against time. Timeline markers: 2002, 2010, ???. Annotation: “Are We Here Now???”]
Labels on the curve:
• Solutions implemented to reduce fraud
• Time lag for solutions to take effect
• New solution is implemented to reduce fraud
• Familiarity with weaknesses in cards and technology increases fraud
• Fraud begins to rise as new technologies are cracked and new weaknesses are found
• Implies Innovation ???
21. What This Means In Regards to Fraud
• Credit card fraud continues to become more of an organized, professional crime – the case studies prove it
• CNP fraud continues to aggressively increase. As more countries adopt Chip and PIN solutions, fraud will continue to migrate from CP to CNP channels
• APACS 2007 Fraud Study: For the first time, more than 50% of fraud was CNP fraud. Update with new state
• As other countries implement Chip and PIN solutions, both CP and CNP fraud will increase in non-Chip and PIN geographies
• ID Theft continues to increase, replacing counterfeit schemes, which are no longer valid in Chip and PIN geographies
• Since fraud is aggressively expanding, legacy fraud prevention techniques are becoming less and less effective
22. Merchant Fraud Assessment
[Diagram: Merchant Order System, Storefront, Website, etc. → Fraud Prevention System and Tools (Proprietary or Outsourced) → ACCEPT ORDER / DENY ORDER / CHALLENGE ORDER (Manually Review). Volume labels: 90%+ Of All Orders; ~2% Of All Orders; 2%-8% Of All Orders (Where Applicable)]
• Challenges or outright Deny categories may not work for all types of merchants
• Merchants must find the balance:
– Too many manual reviews = too much staffing cost
– Too many outright denies = too many false positives
• No Fraud Prevention system is perfect: You will have false positives. You will require manual review. Today’s strategy is to let the Fraud Prevention system identify ~95% of all good and bad orders and manually review the rest
23. Key Metrics Merchants Must Track:
• Manual Review Rate (“Outsort Rate”) - % of orders reviewed by a person before being shipped or cancelled
• Outright Deny Rate - % of orders rejected by the fraud system without performing a manual review
• Fraud Rate – Overall percentage of fraud, usually measured in % of overall transactions and % of $ value
• Customer Insult Rate – Falsely identifying good customers as fraudulent OR degrading service to good customers as a result of slow/cumbersome fraud processes (e.g. manual reviews take so much time to complete that shipping windows are missed)
• Revenue at Risk – How a particular fraud strategy could affect revenue
Balancing Metrics
When This Happens: Manual Review Rates Increase
This Could Happen:
– Fraud Rates - Decrease
– Staffing Costs - Increase
– Revenue at Risk - Decrease
– Customer Insult Rate – Potential to increase (slower order turnaround)
– Scalability – becomes challenging (Double my orders = Double my staff??)
When This Happens: Manual Review Rates Decrease
This Could Happen:
– Fraud Rates - Increase
– Staffing Costs - Decrease
– Revenue at Risk – Potential to increase
– Customer Insult Rate – Potential to increase (due to higher deny rates)
When This Happens: Hard Deny Rates Increase
This Could Happen:
– Fraud Rates - Decrease
– Staffing Costs - Decrease
– Revenue at Risk – Increases (many more false positives)
– Customer Insult Rate – Increase
Highlighted in red: The most typical and critical results in each respective category
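An added example, not part of the original slides: the metrics from slide 23 computed over a constructed set of 20 scored orders under two threshold policies, which reproduces the trade-off listed for rising hard deny rates. The `Order` fields, the score scale, the thresholds, the assumption that manual review catches all fraud it sees, and measuring revenue at risk as the value of good orders denied are all assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class Order:
    amount: float  # order value in $
    score: int     # risk score, higher = riskier (scale is an assumption)
    fraud: bool    # confirmed fraud once the chargeback window has closed

# Constructed sample of 20 orders (amount, score, confirmed fraud); not real data.
ORDERS = [Order(*row) for row in [
    (50, 100, False), (120, 150, False), (80, 200, False), (200, 220, False),
    (60, 250, False), (90, 300, False), (150, 320, False), (40, 350, False),
    (300, 362, False), (110, 400, False), (70, 450, False), (500, 480, True),
    (130, 520, False), (100, 560, False), (250, 600, False), (400, 650, True),
    (180, 700, False), (600, 800, True), (90, 850, False), (480, 900, True),
]]

def evaluate(orders, review_at, deny_at):
    """Apply an accept / challenge / deny policy and return the slide's metrics.

    score >= deny_at -> DENY; review_at <= score < deny_at -> CHALLENGE; else ACCEPT.
    Assumption: manual review catches every fraudulent order it sees, so fraud
    losses come only from orders that were accepted outright.
    """
    if review_at > deny_at:
        raise ValueError("review_at must not exceed deny_at")
    n = len(orders)
    total_value = sum(o.amount for o in orders)
    denied = [o for o in orders if o.score >= deny_at]
    reviewed = [o for o in orders if review_at <= o.score < deny_at]
    missed = [o for o in orders if o.score < review_at and o.fraud]
    insulted = [o for o in denied if not o.fraud]  # good customers hard-denied
    good = sum(1 for o in orders if not o.fraud)
    return {
        "manual_review_rate": len(reviewed) / n,
        "outright_deny_rate": len(denied) / n,
        "fraud_rate_txn": len(missed) / n,
        "fraud_rate_value": sum(o.amount for o in missed) / total_value,
        "customer_insult_rate": len(insulted) / good,  # ignores review delays
        "revenue_at_risk": sum(o.amount for o in insulted),  # $ of good orders denied
    }

if __name__ == "__main__":
    for name, policy in {"review-heavy": (500, 750), "deny-heavy": (450, 500)}.items():
        print(name, {k: round(v, 4) for k, v in evaluate(ORDERS, *policy).items()})
```

With only 20 constructed orders the rates are far above the 2%-8% review and ~2% deny bands on slide 22; the direction of each metric between the two policies is the point.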
24. The "More Tools Create Greater Complexity" Challenge
[Diagram: Transaction Data is passed through a series of fraud tools, each returning its own result]
Tools: Negative Data, Device ID Check, Address Validation, Proxy Detection, Neural Score, Business Rules
Results shown:
• No Matches
• Everything’s OK; First time buyer
• No History
• Address is Good; No match of Name to Address
• Could be behind a University proxy
• Score: 362
Should you accept it? Should you outright deny it? Should you manually review it?
25. New Tools and Techniques: The Challenge
• Some technologies don’t fit our existing paradigms
– Some may require additional customer data, such as SSN/last 4 or ask personal validation questions
• Some technologies are expensive
– Cost per transaction increases when more techniques and technologies are added to the suite of fraud tools
• Some address very specific fraud scenarios
– Fraud Evolves. Will these be valid in 2 years? 1 year? 6 Months?
• More tools and technologies can actually make decision making more difficult
– Could lead to increased manual review costs, false positives and customer dissatisfaction
26. Merchant vs. Issuer Fraud Prevention
Merchant Fraud Prevention
• Screening is transaction-centric
• Primary goal is to protect loss of goods while staying out of compliance programs (e.g. Visa RIS)
• Primary focus on CNP channels
• Historical perspective on cardholder is relatively limited
• Transaction Data set is very robust – Who? What? When? How?
• More focus on real-time screening
• Many more detection tools exist due to robust CNP data set
Issuer Fraud Prevention
• Screening is more account-centric
• Primary goal is to protect losses within issuing portfolio
• Not primarily focused on CNP – in fact, CNP is often removed from some screening models
• Historical perspective on cardholder is comprehensive
• Transaction Data set is limited: Basic account and transaction details
• Less focus on real-time screening (although this is changing)
• Certain tools can be deployed much more effectively (e.g. neural networks)
Consolidated Merchant / Issuing fraud prevention systems do not exist today!
27. Identify Your Vulnerabilities
• System and IT
• Business model weaknesses
• Defined payment strategy
• Product Delivery
• Customer service and business policies
• Systems designed for the future
• Manage to Total Cost of Payment
28. Thank You!
Please feel free to contact me with any questions!
Christopher Uriarte
Chief Technology Officer, Retail Decisions
curiarte@retaildecisions.com
US: +1 (732) 452 2440
UK: +44 (0) 1483 728700