Brian Pennington

A blog about Cyber Security & Compliance



Cybersource’s 2012 UK Online Fraud Report

Cybersource have produced their eighth UK Online Fraud Report (2012); a summary of the report is below.

The respondents to this year’s report came from a balanced group of merchants, classified as:

  • Medium business (annual online revenue of £500,000-£5m)
  • Large business (£5m-£25m)
  • Very large business (more than £25m)
  • Small business respondents (less than £500,000) accounted for 23% of the survey base

Respondent base

  • 20% Travel (excludes airlines, which are covered by a separate global fraud report)
  • 28% Physical goods
  • 28% Services
  • 24% Digital goods

Looking forward to 2012, the largest proportion of merchants (42%) expects to see fraud rates unchanged. On average, 37% foresee higher rates though there is a noticeable difference between expectations of the digital goods market versus the other sectors covered by this report; a lower proportion of digital merchants (31%) expect rates to grow.

Cards Remain Prevalent with Small Merchants

Credit and debit cards remain the most popular form of payment acceptance by some margin (nearly double the next most prevalent payment method). Whilst PayPal is less popular amongst larger merchants it is accepted by 52% of the very smallest merchants; furthermore 65% of digital goods respondents stated that they offer this payment method. Bank transfers have also gained in popularity, now accepted by 61% of small merchants and particularly prevalent in the services sector (64%) where direct debit (42%) is also popular.

Cash on delivery or, more importantly, in-store payment/pick-up is now an option for 26% of merchants, and is more common amongst the middle tier than the very largest. The biggest merchants are more likely to offer gift cards and certificates, accepted by 43% versus 11% of the smallest businesses (larger organisations may have their own programmes or be part of wider industry initiatives).

Mobile operator billing now forms part of the income stream for 8% of merchants, and is focused on the top end (online revenues more than £25m) where 15% of companies now accept payments this way. Overall, 38% of companies have a mobile-optimised commerce site, with the travel sector leading the way (56%). 26% of respondents have their own mobile app, rising to 30% for the physical goods businesses. Given the potential development costs, it is the largest companies that are much more likely to have an app (43%) versus the smallest (7%).

Over a third of businesses expect their total losses from fraud to grow in 2012

Percentage of orders rejected on the fear of fraud

  • Merchants are rejecting on average 4.3% of incoming orders due to suspicion of fraud
  • 31% of merchants report that they are rejecting more than one in 20 orders on suspicion of fraud

Martin Pearce Head of Loss Prevention at was quoted in the report saying:

“The role of fraud prevention is an ever changing one; as the fraudster adapts so there is a need for the merchant to change in line with that behaviour. Key to this is the ability to detect fraudulent behaviour as close to real time as possible and then adapt, making changes quickly to counteract the latest threat. I liken fraud prevention to a game of chess; taking skill and strategic planning to get it right, especially when you are potentially playing a few moves behind the fraudster. Customer needs are ever changing too, with merchants looking to ensure that order and delivery/collection mechanisms are as easy and convenient as possible. Mobile devices have been playing an increasingly important role in transaction growth over the last few years, with a wide, and evolving, array of devices now on the market, all with internet access. Apps are also evolving; shifting from information stores to become purchasing and fulfilment instruments.

My view is that fraud hasn’t changed, but fraudsters have. They are more organised and being given new platforms through which to conduct activity. Any new purchasing process or platform is of real interest to the fraud community and will receive a lot of attention. You should ensure that your business is prepared, and able to manage such transactions (good and bad). Any success on behalf of the fraudster is likely to lead to further abuse at some stage.

Finally, whilst much focus is placed on identifying fraudulent behaviour, it is just as important to recognise the behaviour of good customers. Fraud identification is similar to looking for needles in haystacks; if you are adept at identifying good behaviour then you can substantially reduce the size of haystack at the start of the process; cutting your manual review workload and making the needles (or fraudsters) easier to spot and handle. In my experience, utilising tenure thresholds and monitoring on-going transaction behaviour can certainly help to identify genuine buyers. Furthermore, encouraging customers to manage their online activity via a dedicated user account area on your website not only provides you with valuable marketing data; you also gain much deeper insight into who your trusted customers are and how they behave.”

Find the full report here.

See CyberSource’s 2011 report on UK Online Fraud, summary here.

Also, CyberSource Brings World’s Largest Fraud Detection Radar to Online Merchants, post here.


PCI Security Standards Council announces winners of Special Interest Group elections

The PCI SSC today announced the results of the PCI Council election for Special Interest Groups (SIGs).

Special Interest Groups (SIG) leverage the expertise of more than 600 PCI SSC Participating Organizations and provide a vehicle for incorporating their ideas and input into the work of the Council.

Almost 500 votes were cast by merchants, financial institutions, service providers and associations for the initiatives they want to prioritize in 2012.

The three elected groups will focus on:

  • Cloud
  • eCommerce Security
  • Risk Assessment

Participating Organizations were allowed three votes on a shortlist of seven topics that were the result of 13 proposals by the community.

Successful project proposals represent a cross section of the PCI SSC community from around the globe and include active participants from CyberSource, HyTrust, Sense of Security Pty Ltd., SISA Information Security, The UK Cards Association, Trend Micro and TSYS.

“This is our first SIG election and I’m really pleased with the turnout, with a quarter of all of our Participating Organizations voting. Most impressively, a third of our votes came from outside North America showing that involvement in the Council’s activity and development of PCI Standards and resources to help secure the payment chain is truly a global endeavor,” said Jeremy King, European director, PCI Security Standards Council.

“I’m looking forward to close collaboration between the Council and SIG membership.”

Special Interest Groups are a critical forum for industry participation in Council initiatives to increase payment card security. SIGs focus on providing recommendations to the Council which often results in guidance for interpreting and implementing the PCI Standards. To date SIG participants have made significant contributions to Council resources on topics such as wireless security, EMV chip, point-to-point encryption and virtualized environments.

The Council invites any members of the PCI SSC community interested in participating in one of these SIG projects to indicate their interest by emailing before November 30th. Following this, Council SIG leads will convene each group to formalize the group charter and precise scope of work project. This will be shared with the Community by the end of the year, with SIGs anticipated to start work in the beginning of 2012.

“We’re delighted that risk assessment has been selected by our peers to move forward as a 2012 SIG project. I’d like to encourage anyone with expertise or interest in this topic area or the other final selections to get involved,” said Dharshan Shanthamurthy, chief consultant at SISA Information Security.

“Council SIGs are a great opportunity for professional development, networking, and contributing to something that will benefit the entire industry.”


Merchants are more concerned about their brand than PCI fines


A joint CyberSource and Trustwave survey has shown that nearly 70% of merchants cited the need to “protect the brand” as the primary driver for tightening controls against hackers and other payment security risks.

Only 26 percent said avoiding fines resulting from non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) was the key motivator.

A few highlights from the report include:

  • Brand Protection is Key Driver of Investment: The need to protect the organization’s brand and its revenues was given as the primary driver for investment in payment security.
  • Threat from External and Internal Sources Perceived as Equal: While the successes of external hackers often make headlines, employees can be an equally damaging source of risk. The survey found that organizations perceive the threats from internal and external sources as being nearly equal.
  • Trend Towards Remote Data Storage: With the need to secure payment data and efficiently comply with PCI DSS, organizations are planning to shift their payment data security approach from an on-site strategy to a remote one. Those organizations that had already made the shift reported shorter time-to-compliance and fewer full-time equivalent employees managing payment security.
  • Payment Security Cost and Complexity Expected to Increase: Most survey respondents expect that the technological complexity, cost, and resources required to manage payment security will increase over the next 24 months.

“A breach has serious consequences for nearly every division of an eCommerce merchant’s organization,” said Dayna Ford, Senior Director, Product Management at CyberSource. “But by far the most damaging impact is to the company’s brand, affecting revenue, customer loyalty, and even stock valuation. Knowledge of this phenomenon is now widespread, so we’re not surprised at the survey finding that puts brand integrity as the most important rationale for payment security investment.”

“In the face of increasing numbers of security breaches and data theft, there’s a real urgency for organizations to deploy powerful and effective security strategies,” said James Paul, Senior Vice President of Global Compliance Services at Trustwave. “Studies like ‘The Payment Security Practices and Trends Report,’ published today, should help organizations learn best practices and likely costs to attain appropriate levels of security.”

Selected survey findings

  • Data moving out: Over the next 24 months, an increasing proportion of organizations expect to remove payment data from their environment as a way of reducing security risks.
  • Efficiency improving: Organizations that do not capture, transmit, or store data inside their own network tend to employ fewer personnel, validate PCI DSS compliance more quickly, and operate at a lower overall cost of payment security management.
  • “Data out” merchants spend less on infrastructure: 75 percent of PCI DSS Level 1 merchants that have removed payment data from their environments spend less than $500,000 on their payment security infrastructure. Only 60 percent of those that keep data in-house can make that claim.
  • Risk not confined to outsiders: In one counter-intuitive finding, respondents said they felt the threat of payment data theft from inside employees was about equal to the threat from external hackers.

Read the full report here; registration is required.

Learn more about the Payment Card Industry Data Security Standard (PCI DSS) by visiting my PCI DSS Resources page here.


Fraudsters steal $1.4 Billion from Airlines


CyberSource Corporation’s survey found that while airlines are gaining in their war against fraud, much work remains to be done. Airlines reported a loss of about $1.4 billion USD to online payment fraud in 2010.

Dr. Akif Khan, CyberSource’s Director, Products and Services said: “The good news is that in terms of fraud loss rates, 2010 results showed a 31 percent improvement over 2008. Clearly, airlines have not only recognized the challenge but have made timely adjustments to it.” According to the survey, changes made by airlines in the last two years include higher use of fraud detection tools in automated screening (7.3 on average, compared to 5.8 in 2008), along with rejecting more bookings due to suspicion of payment fraud.

Selected survey findings

  • Experience counts: airlines with less than three years of online selling experience have higher fraud loss rates, manual review rates, and higher reject rates than their more experienced competitors. For example, airlines with more than ten years of online selling experience manually review 15 percent of their bookings; those with fewer than three years review 53 percent.
  • Airlines may be ignoring a powerful anti-fraud tool: Only three percent of airlines surveyed used public record searches to validate bookings. But those that used the tool felt it was one of their most effective anti-fraud measures. (Public record searches are not universally available). Device fingerprinting and third-party fraud scoring models were among the top tools merchants cited as considerations for future use.
  • Automated review requirements will accelerate: According to the International Air Transport Association, passenger revenue will increase by 7.3 percent in 2011, but nearly 90 percent of airlines surveyed say their manual review staff levels will remain the same. Automation will have to make up the difference.

“Fraudsters will move to the weakest link in the chain,” said Christopher Staab, Managing Partner of Airline Information. “And that weak link is most likely going to be the airlines unfamiliar with how sophisticated fraud can be perpetrated with online ticketing sales. That’s why this type of data is so critical for the airline industry worldwide. There are solutions out there–airlines need to implement them.”

CyberSource report that a typical fraud scenario in the airline industry plays out as follows:

  1. Fraudster illegally obtains credit card data;
  2. Fraudster obtains name, address, and other appropriate information for a genuine customer interested in buying “discount” tickets;
  3. Fraudster buys the ticket in the innocent person’s name, using the stolen credit card number;
  4. Fraudster delivers ticket to the customer and receives payment in cash.

CyberSource’s website can be found here


CyberSource Brings World’s Largest Fraud Detection Radar to Online Merchants

CyberSource, a Visa company (NYSE: V), today announced availability of the world’s largest real-time fraud detection radar, empowering online merchants to pinpoint fraud faster, more accurately, and with less manual intervention.

This advance enables merchants to conduct more accurate analyses of their inbound orders, including comparison of those orders to the over 60 billion transactions Visa and CyberSource process annually, including orders that were confirmed to be fraudulent.

Data insight derives from transactions across multiple payment types and from merchants worldwide, spanning online, call center, mobile and POS sales channels. The transaction data is supplemented by 200 validation and correlation tests. This solution effectively expands the depth and breadth of transaction pattern visibility.

The new development comes at an opportune time.

  • eCommerce merchants say fraud became more sophisticated and harder to detect in 2010, and this challenge is likely to grow. Download the CyberSource 2011 Fraud Report here
  • 90% of online thieves are now associated with organized crime. Details of fraud patterns can be found here
  • “Botnet” infections are growing at a rate of approximately 200,000 per day. Download “10 Botnet Questions” White Paper here

The ability to accurately detect fraud in such a sophisticated criminal environment requires correlating vast amounts of information to detect subtle anomalies.

“Data is the lifeblood of fraud detection,” said Michael Walsh, CyberSource President and CEO. “When Visa acquired CyberSource, one of the stated goals was to deliver a new level of fraud prevention to online merchants, enabled by our end-to-end view of electronic transactions, worldwide. We are now delivering exactly that.”

Read the full PRnewswire press release here

Downloadable: CyberSource’s report on UK Online Fraud 2011

The report is based on an industry wide survey, and addresses the detection, prevention and management of online fraud.

The Cost of Fraud

On average, the percentage of annual online revenue that businesses expect to lose to payment fraud in 2010 has dropped from 1.8% to 1.6%.

The survey revealed that this does vary dramatically by merchant size:

  • Very large businesses expected to lose £365,500 to online payment fraud, equating to an average of 1.5%
  • Large businesses expect to lose £173,500 (1.2%)
  • Medium businesses £66,000 (2.4%)
  • Small businesses £3,500 (1.5%)

The report delivers:

  • Key fraud metrics, including review and order reject rates
  • Most widely used fraud detection tools
  • Chargeback practices; re-presentment and win rates
  • Merchants’ fraud management priorities for 2011

Download the report here; registration is required.
