Security, for either physical and financial matters, has always been a difficult balance in a free society. While security requires information, freedom requires the ability to keep personal information private. In the past, Americans chose privacy above security. The tragedy perpetrated on Sep. 11, 2001, has forever changed America's view of security matters. This approach to Identity Theft Prevention is meant to achieve both goals, preserving privacy while creating a more secure environment for both “in person” transactions and actions and “remote commerce” transactions to privacy standards acceptable prior to September 11. In the past, the two questions asked at airports seemed an unnecessary delay to us all, now they take on the appearance of an inadequate attempt to provide a safe environment for the air traveler. Of the 19 terrorists directly involved in the attacks on the Pentagon and the World Trade Center, 14 were known to have used identity theft to board, and seven had their tickets bought on one credit card rumored to have been the result of an identity theft. Use of a reasonably comprehensive identity checking system at the ticket counter would have likely stopped those terrorists from boarding. Since they would have been unable to answer questions about their stolen addresses, they would have been subject to additional security measures. El Al, the Israeli airline, has been using similar approaches through human intervention for many years with great success. While this does not eliminate the need for other security measures, it does help assure that the person boarding a flight is who he/she claims to be. It also limits the need for closer investigation of each of the approximately 700,000 passengers on flights daily.
Fraud and identity theft are also prevalent in other fields of commerce. Today, electronic commerce encompasses a broad range of order and delivery channels such as the Internet, telephone, catalogue, and fax, to name the most visible. In addition to being homogeneous due to their electronic order, entry, and delivery means, these channels share a characteristic of non-personal payment or payee-not-present. That is, the electronic merchants and direct marketeers must accept electronic payments without being able to personally verify the purchaser's identity. As a consequence, one of the most serious problems facing electronic commerce today is the risk of transaction fraud when the consumer and merchant do not meet face-to-face.
Fraud can be divided both into merchant fraud (where a merchant defrauds a consumer) and consumer fraud, whereby a transaction is conducted by a consumer using a fraudulent credit card account or by a consumer misrepresenting himself in a transaction. Consumer fraud costs electronic merchants and direct marketeers today between 5% and 7% of their sales.
Presently, there are a number of companies who are in the business of limiting credit card fraud. Each of these companies utilizes a method of exposing the fraudulent transaction by determining that it does not follow a predictable experience in the usage of a particular credit card (i.e., within a geographic location, from one of a group of vendors, for a particular type of merchandise or service, etc.). Using these existing methods, the merchant is typically only notified when there is a deviation from a predictable credit card pattern.
It is fundamental to understand that for non-personal transactions, such as on-line or direct marketing transactions, since there can be no signature confirmation, the merchant accepts all of the risk that the transaction is fraudulent in the event that the credit card holder denies the charge. A transaction can be voided simply by the denial of a cardholder, and the merchant will have funds deducted by the transaction processor (netted from future payments), and the merchant will incur a charge-back cost.
For example, for an electronic transaction processed over the Internet, merchants have to contract with a transaction processor. Transactions can either be processed via a direct interface with the merchant, whereby the merchant directly captures information on the customer, the card numbers, the “ship-to” address, etc. or via a “gateway” company which outsources key features of the transaction processing and data capture.
The electronic merchant receives an order from the person who gives a name, credit card number, and expiration date to the retailer in connection with a purchase. The purchaser directs that the merchandise be delivered to an address which is different than the credit card billing address. Using traditional methods, the merchant receives a credit card approval number from its gateway and ships the merchandise to the shipping address.
If, in fact, the credit card number has been stolen and the transaction is fraudulent, the true cardholder will likely reject the invoice when he is billed for it, claiming fraud. Since the credit card company had confirmed the validity of the card (which remains in the owner's possession), and because the transaction is “card not present,” i.e., was not involved with a signature verification, the credit card company has no liability. Assuming the cardholder refuses to pay the credit card company, the credit company will issue a charge back against the retailer, which has no recourse. As a result, the merchant loses the value of the merchandise, the shipping charge, the original transaction costs, and the transaction cost on the charge back with its payment processor. Such losses could be significant if the rate of fraudulent activity for these non-personal transactions is high.
Thus, there exists a need for a system and method for detecting fraudulent transactions in non-personal commerce transactions and reducing the risk and loss associated therewith.