Embodiments of the invention are directed to systems, apparatuses and methods for reducing fraud in payment transactions, and more specifically, to a system and method that attempts to reduce fraud by identifying a possible point of compromise in the payment transaction processing system. Identification of such a possible point of compromise (POC) can lead to a reduction in fraud as a result of investigating the identified entity and taking enforcement actions where warranted, followed by remedial actions to prevent a similar type of compromise in the future. Where an investigation confirms that an entity was in fact a POC, a consumer or issuer can be notified of the possibility of the compromise of a payment account as a result of a transaction that was conducted with or processed by the POC. This can enable the notified party to cancel their payment account, place a watch on the account, or otherwise monitor their payment account(s) for an indication of fraudulent activity. Embodiments of the invention also provide a system, apparatuses and methods for determining the types of data or transaction characteristics that may be most effective for use in identifying a point of compromise or in confirming that a suspected point of compromise is in fact the source of a problem.
Embodiments of the invention may also be used to identify a payment account that may be susceptible to fraud as a result of a history of transactions with entities that pose an enhanced risk of being a point of compromise. In such a situation, the invention may be used to prospectively reduce possible future fraudulent transactions by notifying an account holder or issuer, or by placing a restriction on the account.
Portable consumer payment devices, such as debit cards or credit cards, are used by millions of people worldwide to facilitate various types of commercial transactions. In a typical transaction involving the purchase of a product or service at a merchant location, the portable consumer device is presented at a point of sale terminal (“POS terminal”) located at a merchant's place of business. The POS terminal may be a card reader or similar device that is capable of accessing data stored on the device, where this data may include a consumer's identification data, authentication data, or account data, for example. Some or all of the data read from the device is provided to the merchant's transaction or data processing system and then to the acquirer, which is typically a bank or other institution that manages the merchant's account. Transactions in which a consumer device is presented to a merchant or accessed by a point of sale terminal are termed “card present” transactions since the payment device is in the same physical location as the merchant or terminal.
In addition to card present transactions, a consumer may also initiate a transaction in a situation in which the payment device is not in the same physical location as the merchant or terminal, and instead the relevant data is provided over a communications network to the merchant (termed a “card not present” transaction). For example, a card not present transaction involving the purchase of a product or service may be initiated by a consumer by providing payment data from a remote location to a merchant over a network such as the Internet. Transactions of this type are typically initiated using a computing device such as a personal computer or laptop computer. Card not present transactions may also be initiated or performed using a mobile device such as a mobile phone, in which case communication with a merchant or data processing system may occur over a cellular or wireless network.
Given the large number of payment transactions, the multiple ways of conducting such transactions, and the amounts of money involved, the detection and prevention of fraud is an important consideration of any payment transaction processing system. This is both to reduce losses and to ensure that the integrity of the system is maintained so that consumers will continue to use it. In this respect, there are multiple entities involved in the processing of payment transaction data that may serve as a potential site of a compromise. These include merchants, card reading devices, point-of-sale terminals (whether for contact or contactless portable consumer devices), data processors, acquirers, issuers, etc. If such a compromise occurs, it may lead to later instances of fraud in transactions that are processed by that entity or are processed by other entities. For example, a compromise at one entity involved in processing payment transaction data may lead to a breach of security in which payment account numbers and other information that may be used to conduct a transaction are stolen. The stolen data may then be used to attempt to conduct fraudulent transactions at a merchant unrelated to the location from which the data was stolen. For example, if a security breach (such as the unauthorized release of data or another form of “identity theft”) occurs at a merchant or data processor, then multiple payment accounts may be exposed to the possibility of later fraudulent use.
Thus, an important component of any program designed to reduce fraud in payment transactions is the ability to identify actual or suspected points of compromise in the processing of the transactions. This may include identifying merchants or data processing organizations having characteristics that suggest that they were an actual point of compromise in the past, so that consumers who transacted with that merchant or organization may have an increased risk of later instances of fraud in their payment accounts.
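As an added illustration (not the patent's own method, and deliberately a single heuristic of the kind the background describes), the following Python sketches a common-point-of-purchase style analysis over constructed sample transactions: it scores each merchant by the share of its exposed accounts that later saw confirmed fraud, ignores transactions dated on or after an account's first fraud (they cannot be the source of that compromise), skips merchants seen by too few accounts, and then lists accounts with no fraud yet that transacted with a suspected point of compromise. All account and merchant identifiers and dates are invented for the example.

```python
from collections import defaultdict

# Constructed sample data, not taken from the patent text: one tuple per
# transaction as (account, merchant, day). Accounts A1..A6, merchants M1..M3.
TRANSACTIONS = [
    ("A1", "M1", 1), ("A2", "M1", 1), ("A3", "M1", 2), ("A4", "M1", 2),
    ("A1", "M2", 3), ("A5", "M2", 3), ("A6", "M2", 4),
    ("A2", "M3", 5), ("A5", "M3", 5), ("A6", "M3", 5),
    ("A3", "M3", 8),  # A3 visits M3 only after its fraud was first seen (day 7)
]
# Constructed: day on which fraud was first confirmed on each affected account.
FRAUD_FIRST_SEEN = {"A1": 6, "A2": 6, "A3": 7}

def merchant_exposure(transactions, fraud_first_seen):
    """Map each merchant to the distinct accounts whose transactions there
    could have exposed the account: a transaction dated on or after the
    account's first confirmed fraud cannot be the source of that compromise."""
    exposure = defaultdict(set)
    for account, merchant, day in transactions:
        if day >= fraud_first_seen.get(account, float("inf")):
            continue
        exposure[merchant].add(account)
    return exposure

def poc_scores(transactions, fraud_first_seen, min_accounts=3):
    """Share of each merchant's exposed accounts that later saw confirmed
    fraud. Merchants with fewer than min_accounts distinct accounts are
    skipped so that one fraudulent account cannot flag a small merchant."""
    scores = {}
    for merchant, accounts in merchant_exposure(transactions, fraud_first_seen).items():
        if len(accounts) < min_accounts:
            continue
        hit = sum(1 for a in accounts if a in fraud_first_seen)
        scores[merchant] = hit / len(accounts)
    return scores

def suspected_pocs(transactions, fraud_first_seen, threshold=0.5):
    """Merchants whose fraud share reaches the threshold: candidates for investigation."""
    scores = poc_scores(transactions, fraud_first_seen)
    return {m for m, s in scores.items() if s >= threshold}

def at_risk_accounts(transactions, fraud_first_seen, threshold=0.5):
    """Accounts with no confirmed fraud yet that transacted with a suspected
    POC: candidates for issuer notification or a watch on the account."""
    pocs = suspected_pocs(transactions, fraud_first_seen, threshold)
    return {a for a, m, _day in transactions
            if m in pocs and a not in fraud_first_seen}
```

With this data M1 scores 0.75 and is the only suspected POC, M3 stays at 1/3 because A3's post-fraud visit is not counted, and A4 is the one account flagged for follow-up.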
Although there are conventional methods for identifying a point of compromise in a transaction processing system after fraud has occurred, the methods typically examine a very limited set of data or characteristics of the entities involved in processing payment transaction data. Further, conventional methods typically rely upon a single heuristic or algorithm to determine if the data being processed indicates the existence of a point of compromise. Thus, conventional methods do not provide a robust platform for examining multiple factors or potential indicia of a point of compromise and hence may not be as effective as desired. In addition, conventional methods do not provide a mechanism for monitoring the transactions being conducted by a payment account in order to identify accounts that are at-risk for fraudulent transactions in the future based on the risk of compromise of the entities involved in the transactions.
What is desired are a system, apparatus and method for identifying a possible point of compromise and thereby assisting in reducing fraud in payment transactions. Embodiments of the invention address the limitations of conventional approaches and other problems individually and collectively.