Forrester’s recent report, The State of Retail Payments 2016, found that “Security and fraud risks drive merchant payment decisions in 2016.”
It’s ironic but it’s true: risk management can cause extra risk
Despite the increased merchant focus on security, almost every company has one part of the business that represents a potential vulnerability and goes unnoticed from the security perspective: a part of the fraud management team.
One reason this weakness is rarely discussed is precisely that it belongs to the fraud team’s structure and methods, and the fraud department is not usually a subject of information security concern.
Since its purpose is to protect the company and prevent loss, its goals seem to fit naturally with the company’s wider security concerns.
The potential vulnerability is a function of a method typically used by fraud departments rather than anything integral to the nature of the fraud prevention effort itself.
The weakness is not necessary, but contingent. The reason it has gone unnoticed for so long is that for a number of years it did appear to be necessary. It’s only recently that new technology has made alternative arrangements possible – and many companies are still not aware that that’s the case.
Manual reviews: the risky kind of human input
So what’s the hidden source of risk? They’re called manual reviews. You may not have heard of them – most people in the company won’t have done.
But 83% of US online businesses perform manual reviews, and they affect a significant share of the orders a website receives, shaping the customer experience on the site, and not for the better.
It’s the job of the fraud department to make sure that, as far as possible, fraudulent orders don’t get through and good orders are identified as such and do get through to fulfilment as smoothly and quickly as possible.
But that’s not always an easy distinction to draw. Fraudsters excel at hiding their true identity and pretending to be something they’re not.
So, some orders are clear enough to be dealt with by a machine, usually acting according to rules set by the fraud team. They’ll be automatically declined or approved.
But in many cases it’s not so clear cut. For around 29% of orders, the machine can’t tell whether the order is fraudulent or not, and sends it to manual review.
That means an employee looks at the details of the order and combines them with their experience and whatever personal research they have time for to decide whether the transaction should be approved or declined.
Given that each review takes an average of five minutes, you can see how this builds up and causes delays for customers, sometimes delays of days.
The information security catch
In order to investigate the orders thoroughly and make accurate decisions, manual reviewers need access to a lot of information.
They can’t make good decisions otherwise, and it’s important that they do: if they get it wrong, the company either loses money to a chargeback on a fraudulent order, or loses the revenue from rejecting an order that was genuine.
Unfortunately, from the information security standpoint, that means a team of employees has deep access to customer data. Internal employees account for 43% of data loss, and that is before considering the opportunities for collusion or other kinds of fraud open to an employee with this level of access and control over which orders are approved.
The circumstances under which manual review teams work also make them vulnerable to social engineering by malicious outsiders. Because orders must move along quickly, manual reviewers are continually under pressure.
That pressure only increases during the holidays. Even when temporary employees are added to the team to handle the rush, they lack experience and are themselves an added risk: they know less about the system and company norms, yet have the same broad access to customer data.
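The hand-off the article describes, where a rules engine approves or declines the clear cases and sends the grey zone to a human, is shown below as an added Python example. It is not Forter’s code and not something the article contains; the rules, thresholds, field names and sample orders are constructed for illustration. It also shows the check a security team would want on that hand-off: the reviewer record carries a masked card number and a keyed pseudonym for the e-mail address rather than the raw data, which is an assumption about how such a queue could be minimised, not a description of any particular vendor’s product.

```python
"""Rule-based order triage with a minimised record for the manual-review queue.

Added example, not Forter's code and not something the article shows. The
rules, thresholds, field names and sample orders are constructed to illustrate
the three-way routing the article describes (auto-approve, auto-decline, send
to a human) and how little of the raw order a reviewer needs to see.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

APPROVE, DECLINE, REVIEW = "approve", "decline", "review"

# Illustrative key for pseudonymising e-mail addresses. Assumption: in a real
# deployment this would come from a secrets store, never from source code.
PSEUDONYM_KEY = b"example-key-rotate-me"


@dataclass(frozen=True)
class Order:
    order_id: str
    amount: float
    card_number: str       # full PAN as it sits in the raw order record
    email: str
    billing_country: str
    shipping_country: str
    ip_country: str
    prior_orders: int      # successful past orders from this customer
    velocity_1h: int       # orders seen on this card in the last hour


def decide(order: Order) -> str:
    """Constructed rules of the kind a fraud team would load into the engine.

    Clear cases are decided by the machine; everything in between is sent to
    manual review, which is the queue the article is concerned with.
    """
    if order.velocity_1h >= 5:                  # card being hammered
        return DECLINE
    consistent_geo = (order.billing_country == order.shipping_country
                      == order.ip_country)
    if order.prior_orders >= 3 and consistent_geo and order.amount < 500:
        return APPROVE                          # known customer, normal order
    return REVIEW                               # grey zone: a human decides


def mask_pan(pan: str) -> str:
    """Keep the first six digits (issuer) and the last four, mask the rest."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pseudonymise(email: str) -> str:
    """Keyed hash: repeat customers still link together in the queue, but the
    address cannot be recovered by a dictionary attack on a plain hash."""
    normalised = email.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()[:16]


def reviewer_view(order: Order) -> Dict[str, object]:
    """What a manual reviewer gets: enough to judge the order, not the raw data."""
    return {
        "order_id": order.order_id,
        "amount": order.amount,
        "card": mask_pan(order.card_number),
        "customer": pseudonymise(order.email),
        "geo": (order.billing_country, order.shipping_country, order.ip_country),
        "prior_orders": order.prior_orders,
    }


def triage(orders: List[Order]) -> Dict[str, list]:
    """Route orders; only those sent to review are materialised for a human,
    and the audit trail records every order that reached the queue."""
    result: Dict[str, list] = {APPROVE: [], DECLINE: [], REVIEW: [], "audit": []}
    for order in orders:
        outcome = decide(order)
        if outcome == REVIEW:
            result[REVIEW].append(reviewer_view(order))
            result["audit"].append(("queued_for_review", order.order_id))
        else:
            result[outcome].append(order.order_id)
    return result


def review_share(result: Dict[str, list]) -> float:
    """Fraction of orders that needed a human (the article puts this at 29%)."""
    total = len(result[APPROVE]) + len(result[DECLINE]) + len(result[REVIEW])
    return len(result[REVIEW]) / total if total else 0.0


# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    Order("o-1001", 120.0, "4111 1111 1111 1111", "ann@example.com",
          "GB", "GB", "GB", prior_orders=5, velocity_1h=1),
    Order("o-1002", 899.0, "5500 0000 0000 0004", "New.Buyer@example.com",
          "US", "CA", "RU", prior_orders=0, velocity_1h=1),
    Order("o-1003", 60.0, "3400 0000 0000 009", "x@example.com",
          "DE", "DE", "DE", prior_orders=0, velocity_1h=6),
    Order("o-1004", 1200.0, "4111 1111 1111 1111", "ann@example.com",
          "GB", "GB", "GB", prior_orders=5, velocity_1h=1),
]

if __name__ == "__main__":
    outcome = triage(SAMPLE_ORDERS)
    for key in (APPROVE, DECLINE, REVIEW, "audit"):
        print(key, outcome[key])
    print("review share:", review_share(outcome))
```

The point of the reviewer record is that the people in the queue, including holiday temporary staff, can still do their job without the full card number or the customer’s e-mail address ever leaving the fraud system, and the audit list makes every order that reached a human traceable.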
This risk is unnecessary
For a long time, retailers had no choice but to accept the risk that came along with manual reviews. The risk of not examining orders for fraud was greater, and there was no way to avoid including manual review in that process. That’s no longer the case.
New technology that leverages machine learning has made the full automation of fraud protection possible.
Guided by human research, analysis and data science, artificial intelligence is able to provide highly accurate fraud decisions in less than a second. Manual reviews are simply no longer necessary for effective fraud prevention.
The information security advantage is obvious: at a stroke, it reduces the number of employees with access to valuable customer data. The company becomes less vulnerable to data loss, and customers’ personal information is better protected.
There’s a benefit for the customer and for sales as well. Removing the delays caused by manual reviews makes checkout smoother, speeds up fulfilment, and reduces the number of sales lost to manual review.
Sourced by Michael Reitblat, CEO of Forter