Fraudulent use of payment cards (i.e. credit cards and debit cards) cost the U.S. payment card industry billions of dollars in financial losses annually. Given the size of this expense, there are numerous technologies and techniques that have evolved or been developed to help reduce fraudulent transactions. The present invention relates to the field of real-time fraud prevention and identification technologies.
Evolution of Fraud Prevention in the Payment Card Industry: Fraudulent charges in the U.S. payment card industry are approximately 7 bp, or 0.07%, of the $1.5 trillion in purchases made annually using payment cards such as credit cards and debit cards. Costing roughly $1 billion annually, combating the fraudulent use of payment cards has been a significant priority for the industry since its inception in the 1950's. Additionally, the cost to customers is also not included in this figure as identify theft is a particularly insidious form of fraud that can literally cause financial hardship, relationship issues, and/or emotional problems for people who are victims of identity theft.
Outside of the United States, fraudulent transactions are a much larger problem for the payment card industry as few countries in the world have developed the sophisticated real-time card processing and fraud screening capabilities that the US market utilizes. As a result, many countries have yet to evolve a significant payment card industry as the significant costs of fraud have prevented widespread penetration of card purchasing products.
Early industry fraud prevention relied on checking each payment card number against a known list of corrupted card numbers contained in an ever growing booklet distributed weekly to every merchant who accepted payment cards. The 1980's ushered in a major break-through in fraud prevention with the advent of real-time authorization, whereby merchants could dial-up their payment card processor and electronically compare a payment card with card numbers on the corrupted list in seconds, thereby eliminating the need to manually check industry booklets while including up-to-the-minute identified corrupted cards in real-time.
The current state-of-the-art in payment card fraud prevention evolved during the 1990's as sophisticated neural networks began to be utilized to screen transactions for more than just corrupted account numbers.
Current State-Of-The-Art Payment Card Industry Fraud Prevention: Neural networks are the backbone of both merchant and industry fraud defenses today. These are highly sophisticated computer programs that continuously scan the transaction data of known fraudulent transactions, in search of patterns that can be used to screen new transactions in real-time, with the hopes of identifying and declining fraudulent transactions at the point of sale.
An example of a neural network pattern that has a high probability of stopping a fraudulent transaction is an unusually small purchase at an automated gas station kiosk pump followed by a large dollar purchase at a nearby store. In this scenario, neural network pattern recognition has discovered that criminals intent on using stolen payment cards frequently use them at gas station automated pumps first, where they do not have to physically swipe the card in front of another human being. Once the criminal sees that the transaction is approved, they typically pump little or no gas into the car and head off to a local store to make a large purchase while the card is still in good standing. Another example is a sequence of purchases that are unusually high relative to a customers normal spending pattern, or a large purchase at a very high end retailer by a customer who has previously only shopped at discount retailers. By rigorously and continuously scanning prior known fraud case transaction histories, the industry has built up a large number of patterns that have been empirically shown to have a high correlation with fraudulent transactions.
Issuer neural networks score every purchase authorization request in real-time for the probability of being fraudulent based on a set of pre-determined rules applied to known fraud transaction patterns. If the fraud score is below a low threshold, the transaction is automatically approved provided the customer is in good standing and has sufficient funds available for the purchase. If the fraud score is above a high threshold, the transaction is automatically declined as almost definitely fraudulent. If the fraud score is between the high and low thresholds, the transaction is escalated to a fraud specialist who makes a judgment call on whether or not to approve the transaction based on the transaction patterns and the customers history.
The present inventors believe that this is where the present invention can be applied to dramatically reduce industry fraud costs. By adding signature feature extraction analysis to the fraud screening process, the inventors believe that more fraudulent transactions can be identified and automatically declined, and that more legitimate transactions can be automatically approved, thereby reducing both the incidence of fraud as well as reducing the costs of escalating to a human fraud specialist.
Fraud Investigators: Payment card issuing banks have a well trained staff of fraud specialist investigators. While some of these investigators focus on supporting the real-time authorization process in an effort to decline suspected fraudulent transactions at the point-of-sale, others investigate cases of suspected fraud after transactions have been approved and the funds have been deployed to the merchant A typical fraud investigation would be initiated when a customer receives a credit card bill and notices several transactions that they did not authorize. They call or write to their payment card issuer and report these transactions as fraudulent. A fraud specialist investigates the transaction with the goal of identifying the fraud perpetrator in order to recover the stolen money.
An investigator may suspect, based on the nature of the fraudulent transaction, that the customer may know who or how the unauthorized transactions occurred. In this situation, they may request that the customer file a police report, and then fax a copy of the report to the investigator before credit for the unauthorized transactions are issued to the account. In this scenario, the fraud specialist may be suspecting that a relative or friend of the customer “borrowed” the card and made the unauthorized purchases. Teenage and adult children living with their parents have frequently been shown to borrow a parent's card and make unauthorized purchases. When the bill comes, the parent notices the charges and notifies their card issuing bank about the unauthorized charges, with a goal of not wanting to pay for their child's purchases. However, when a fraud investigator requests a police report, a parent often decides to simply pay for the charges rather than risk a police investigation concluding that their child committed fraud. An example of a transaction pattern that would lead a fraud specialist to request a police report would be a few purchases on a single day at a local store near the customer's home address, followed by no additional disputed charges. A truly stolen card typically continues to incur fraudulent transactions until the card account was dosed, while a borrowed card typically incurs unauthorized charges for a brief period of time. It is the belief of the inventors that the present invention would reduce the incidence of this form of fraud by potentially declining all purchases on borrowed cards as it is much more difficult for a person to accurately forge a signature that would pass a feature set comparison including a time dimension, than it would be to visually forge a signature
Verification of additional customer data: Other fraud defenses used by the industry include capturing additional information from the customer during the transaction with the intent of trying to authenticate that the person making the transaction is indeed the customer, and/or that the purchaser in fact is in physical possession of the customer's card. The most prevalent example of data currently being used to authenticate a customer during a transaction is the Personal Identification Number, or PIN, associated with a debit card. This is typically a 4 digit code that is either selected by the customer or created by the card issuing bank and given to the customer. By swiping a card through a merchant POS terminal, and then by the customer entering a unique PIN code, the amount of fraud incurred in PIN debit transactions is substantially lower than that incurred in all other card transactions.
The other significant data verification technique currently being used by the payment card industry is the three digit code on the back of Visa or MasterCard branded cards, or the 4 digit code on the front of an American Express branded card, which are known in the industry as “Card Verification Value 2” or “CVV2” codes. CVV1 codes are security codes that are stored on the magnetic strip of payment cards and are used to verify card present transaction treatment. CVV2 codes are the 3 or 4 digit codes printed on the surface of the physical cards. Neither PINs nor CVV2 codes are contained on the magnetic strips, and they are not allowed to be retained in a merchant's system, whereas CVV1 codes are allowed to be stored in a merchant's system for ease of issuing refunds. The fact that card account number and CVV1 data is regularly stored in merchant systems has led to a number of security breaches whereby people intent on committing fraud will “hack” into a merchants systems and steal hundreds of thousands, or even millions of card numbers in one attack. These stolen card numbers are then sold or used quickly before the theft is discovered. The knowledge that a card number may have been stolen in a merchant hacking incident is another example of information used by the neural networks in detecting possible fraud.
The primary goal of any additional customer information captured is to use data that is isolated from the magnetic strip and any data stored in merchant systems. This has led the industry to be fairly effective in limiting fraud costs when approving PIN and CVV2 transactions. It is the opinion of the inventors that by using the present invention instead of these codes, or perhaps in addition to these codes, that fraud costs can be further reduced since codes can be stolen and utilized in transactions much more easily than signature biometrics, which are extremely difficult to replicate during a card present real world transaction.
Current State-Of-The-Art Payment Card Industry Online Fraud Prevention: In online transactions, a physical swipe of a payment card and a signature verification check have not hitherto been possible. These transactions are known in the industry as “Card Not Present”, and represent a much higher incidence of fraud (although a smaller value) than transactions that occur in real-world POS merchant locations. There have been numerous technologies and techniques experimented with by the industry. An example of one such technology is known as “Verified by Visa” or “VBV”. This was an optional checkout screen created by Visa for online merchants who wished to lower their fraud costs by allowing customers to log into their credit card accounts during the checkout process to authorize their transactions. By using VBV during checkout, merchants were granted the equivalent treatment of a card present transaction by the payment card industry, thereby shifting any fraud losses associated with an approved transaction from the merchant to the card issuing bank. While many online merchants attempted to use VBV, the ultimate penetration of the technology has been hampered by it being optional for consumers to use it at the checkout It also required additional checkout screens and time for the customer, which resulted in higher rates of shopping cart abandonment, causing merchants who adopted VBV to lose sales that they otherwise would have completed. To the consumer, VBV was an optional process that required more time to use and didn't provide tangible additional benefits, and so adoption of this technology has been slow.
Smart cards have also effectively reduced fraud in countries that lack a real-time authorization infrastructure. In these countries, PIN input is required by the customer in order for the chip on the smart card to release the card owner's name and card number to the POS terminal. Thus smart card enabled merchants render any stolen smart card worthless to the person intent on committing fraud, unless they are able to steal the associated PIN along with the stolen smart card. Several attempts have been made to market smart cards in the USA, most notably the launch of the American Express “Blue” card in the early 2000's. This card was marketed as providing more security for the customer due to the need for a PIN to make a transaction via a smart card terminal.
While in theory smart cards might be able to be used to reduce fraud, the fact that the Blue card can also be swiped in a standard POS terminal without using the smart card chip or PIN, renders the technology worthless as a fraud defense since the more secure process is “optional” as is the case with VBV. For this reason, the industry has struggled to modify transaction authorization processes that would reduce fraud further, instead opting to make the primary defense for fighting fraud the neural networks coupled with highly trained fraud specialists.
Very recently a system of associating mobile phones (using the phone number) with a specific credit card and using the phone instead of the card as the identifying credential has been proposed. The authenticating device is a chip inside the phone which communicates contactlessly with a reader at the POS location. The inventors believe that this system will remain susceptible to fraudulent use because the customer is not being authenticated, only the customer's phone is authenticated, thus stolen or lost phones could be easily used to make purchases without the need for the purchaser to sign any receipts. The present invention could be used in conjunction with these types of mobile payment systems to capture the purchaser's signature using a finger or stylus on the mobile phone to generate feature extraction data to be associated with the transaction and checked against the remote template by the payment card issuer.
The inventors believe that by capturing computer pointing device-generated purchaser signatures, and combining signature verification with existing state of the art fraud screening techniques, that online payment card fraud can be dramatically reduced. The unique advantages of the present invention over other systems that have attempted to reduce online fraud are multiple: (1) the present invention mirrors real world checkout processes in that presenting payment card information and signing a receipt are required to complete a purchase; (2) No additional screens are required during on-line checkout, minimizing any adverse impact to merchants of higher levels of shopping cart abandonment and (3) consumers do not need any additional computer hardware nor do they need to remember any additional passwords to complete a purchase.