J. Prajapathy, an ICICI Bank credit card holder, was shell-shocked when he received a bank inquiry for a Rs. 32,000 (around Can$720) transaction he had never made.
His credit card had been deceitfully used for booking airline tickets online.
Prajapathy isn’t an isolated case.
Unconfirmed reports suggest that credit card fraud in India went up by 28 percent in 2008.
In Canada last year, 6.5 per cent of adults, or nearly 1.7 million people, were victims of identity fraud in the last year, according to a 2008 survey of Canadian consumers conducted by the McMaster eBusiness Research Centre (MeRC) on behalf of the Ontario Research Network on Electronic Commerce (ORNEC).
More than half of these frauds had had to do with unauthorized purchases made with credit cards.
The MeRC survey was conducted using an Internet panel, with 3017 valid responses. It reports that victims collectively spent over 20 million hours and more than $150 million to resolve problems associated with these frauds.
Airline ticket purchases using someone else’s card is getting disconcertingly more common.
SpiceJet – India’s popular low-cost carrier – was a victim.
Like every other airline, SpiceJet had equipped itself to screen credit card transactions, but lacked a foolproof process to verify online transactions.
It’s solution came in the form of a four-member Fraud Control Unit responsible for manually screening transactions made on SpiceJet.com.
“We handle around 2,500 online credit card transactions everyday,” notes says Rahul Kumar, head of Fraud Control Unit, SpiceJet.
He said despite round-the-clock screening of these transactions, fraud rates increased every day and resulting in significant revenue loss to the company.
“We could feel the pressure mounting.”
Headquartered in New Delhi, India the carrier took to the skies in May 2005. It’s achieved remarkable success in a few years, and is now India’s second-largest low cost carrier, in terms of market share.
Getting there wasn’t easy given that the airline operates in an increasingly cluttered segment, and fierce price wars between competitors.
“We were losing around Rs 50 lakh ($112,525) per month. And when you operate in a fiercely competitive low-margin segment, such a significant revenue loss can make you bleed. We were looking at ways to reduce that loss,” says Virender Pal, CTO, SpiceJet.
Worse still, the increasing number of e-ticket scams, combined with media coverage began to affect people’s trust in the airline’s Web site, its chief source of revenue.
Low-cost operators survive on razor-thin margins, suddenly making losses from fraud significant enough to garner CXO attention.
The thrust was on making SpiceJet.com a secure place for credit card transactions.
IT was approached for help.
Pal formed a team of four to spearhead the operation. Because the solution they chose would drive 90 percent of their business, they had to be very careful in identifying a partner.
They wanted to deploy an application from a company with an established reputation and a credible database.
After three weeks of deliberation they finally opted for CyberSource’s
Decision Manager, an automated online risk management solution.
“Decision Manager was selected for its proven flexibility, reliability and scalability — in addition to CyberSource’s established reputation in the e-commerce payment Case File industry,” says Pal.
Ticket to Security
With Decision Manager on board, SpiceJet can now automatically evaluate credit card transactions in real time.
Based on a combination of rules framed by the airlineand a set of over 150 parameters, the system decides whether a transaction should be processed further or sent for a review.
SpiceJet formulated these rules after analyzing its experience of fraudulent credit card transactions.
It studied the various strategies employed by fraudsters and mapped out its own security requirements accordingly. One such rule was that they would review every transaction made for booking a ticket five hours before the departure of a flight.
“If there is a transaction for a Delhi-Mumbai flight which is to depart in the next five hours and customer’s IP address indicates that he or she is in China, we raise a red flag,” says Kumar.
“So we made a rule that we will check the difference in the booking time and flight time. If it is less than five hours then we do not accept the transaction.”
By running Decision Manager, SpiceJet.com is now able to almost singlehandedly estimate whether an online purchase should be accepted, rejected, or reviewed.
But, the application was not given veto power.
“We did not want to reject any transactions because this would impact customer experience. If a transaction seems suspicious, we review it. All this happens within two seconds ensuring that customer experience is not impacted,” says Ganesh Raje project manager-IT, SpiceJet.
The project went live in October 2007 and effectively handled the gravity of the situation.
But management had certain apprehensions about the implementation. “In case there is a five or 10-minute outage in the system, then during that period you can’t really do business. This was a critical concern for our management,” says Pal.
Another concern was that after implementation, business via SpiceJet.com would decrease because some valid transaction could be rejected.
That’s why, says Pal, “Initially, we implemented the system mildly, like an anti- virus. We started from a low level and worked our way up.”
Tight timelines were another tricky issue, especially because fraud rates and chargebacks were escalating with every passing day. And with the competition hounding SpiceJet, it was under tremendous pressure to get its online credit card system in place.
Once the system was up and running, SpiceJet did have some cases of false positives when even a valid credit card transaction was declined.
Customers called up the airline to enquire why their transactions were rejected. “Based on that information, we had to further tweak our rule set. Within the last year, and in over a million transactions, we have not had more than 50 to 60 false positives,” says Pal.
The solution brought with itself a whole set of benefits. The automatic screening of credit card transactions reduced the organizational burden of manual intervention. “Post-implementation we screen only those transactions that need to be reviewed. We don’t have to deal with accepted transactions.
So now we Case File handle only about 400 transactions in a day as opposed to about 2,500 prior to the implementation,” says Kumar, the head of the fraud control unit.
The solution has definitely impacted customer experience but only in a positive way. “Nothing has changed for the customer except that our website has become a more secure place to transact.
Now he knows that his credit card can never be misused at SpiceJet.com. The solution has not only enhanced the sales
effectiveness of our website but has also inspired confidence in our customers,” says Raje.
Within two months of the deployment, SpiceJet’s chargeback rate, according to Pal, “plummeted from 1.5 to 0.002 percent” – the lowest chargeback rate among lowcost carriers in Asia, claims the company.
Plus, it makes it easier for SpiceJet to go international. “Our system is now equipped to handle both international and domestic credit cards. We might have to look into our rules and modify them if we want to use it for international transactions,” says Pal.
This highly robust system is capable of handling immense traffic.
“When we launch low-fare schemes on SpiceJet.com, the number of transactions increases. By about 10-15 percent in a day. But even then we haven’t faced any performance issues with the system. We didn’t pay upfront for this solution. We pay on a transaction basis – about Rs 10 per transaction for each credit card screening,” says Pal.
As SpiceJet plans to expand its market reach in the international arena, it plans to leverage CyberSource’s global coverage, assessing their expertise and knowledge of fraud trends in the international market.
This solution would lend support to its expansion plans in future.
“I think we did it the way we wanted to. A different method could not have been better,” says Pal.
A robust and flexible system that ensures secure transactions and a step a few feet above competition – Pal couldn’t have asked for more.