Credit card fraud monitoring creates 'false positives'
Imperfect detection programs can strand travelers
By Craig Guillot
A $79 plate of stone crabs in Miami. A $103 bus ticket in Mexico. A $213 hotel bill in Rio de Janeiro, Brazil. Brooklyn Dodgers apparel from a store near the Ebbets Field site.
Unless you're a frequent traveler or you called your credit card issuer beforehand to let them know where you were going, you could find your credit card declined when attempting those transactions.
It's the unfortunate side effect of credit card issuers' fraud monitoring programs. Credit card issuers regularly track their cardholders' purchasing habits and anything out of the ordinary can spark a temporary suspension of transactions. While no one disputes the good that comes from preventing fraudulent transactions, false positives do occur, preventing cardholders' legitimate transactions.
Stranded in China
Jordan Clay, a journalist from Southern California, was shocked when she went to get money out of an ATM on Hai Nan Island, China. Her credit card and ATM card had been suspended. Despite the fact that she had already been in China for two months, something within the system triggered red flags and the suspension of her cards. She cleared up the matter after a few international phone calls and appreciates the vigilance but was confused by the matter.
"I was just kind of bewildered. My first reaction was a little bit of panic because I didn't know how I was going to get money," said Clay. She now travels with three credit cards as a backup and notifies her card issuers before she leaves the country.
What will trigger a suspension of credit? That's a secret. Visa, MasterCard, American Express and Discover all use formulas and rules to rate the risk of a transaction being fraudulent, but will discuss them only in generalities to prevent countermeasures by fraudsters.
Visa's Continuous Monitoring system, for example, involves multiple layers of security and aims to prevent fraud by looking for unusual card transactions and things that are outside of a cardholder's usual purchasing patterns. Whereas most identity fraud is self-detected, monitoring programs aim to stop fraud before it happens. Visa works with financial institutions and merchants to look for red flags which can include: a shipping address that does not match the card billing address, an abnormally large purchase or a change in name, birth date or Social Security number on the account.
Cory Siddens, senior risk product manager for CyberSource Corp. of Mountain View, Calif., says the fraud-scoring model used by his firm is similar to the one employed by credit card companies. CyberSource's similar risk management services for merchants use models that perform up to 200 tests on a transaction to determine the risk and likelihood that a particular transaction is fraudulent. The tests compare to results of transactions that have proven to be fraudulent in the past and the models return a score from 0 to 99 to allow retailers to make an informed decision on whether to accept or decline the charge.
"All the companies have different models in place and they look to see what your typical buying patterns are. Some of them are statistically derived, others are rules-based. Anything that is outside of those patterns might cause them to take a closer look," he says.
Looking askance at Miami, Detroit, Brooklyn
Siddens said that travel to particular countries that are known for fraud may also raise some red flags. The West African nation of Nigeria is often at the top of the list, along with Russia and parts of Eastern Europe. Within the United States, cities including Miami, Detroit and Brooklyn are known to have higher propensities for fraudulent credit card use. Credit card use within these places doesn't automatically trigger an alarm -- rest easy, patrons of Joe's Stone Crab in Miami Beach -- but could when combined with the nature of the transaction, the amount and the timing of the purchase.
As fraud increases and becomes more complex, so too are the systems designed to prevent it. MasterCard uses a multilevel monitoring system that also continuously monitors accounts for atypical patterns of activity that are consistent with fraud. In 2005, Visa implemented its Advanced Authorization, a system that gives an instantaneous rating of a transaction's potential for fraud.
In addition to the monitoring systems from Visa, MasterCard and other payment processors, issuers have their own fraud programs. It is often up to the issuing bank to contact a cardholder and decide whether to suspend charges on an account.
What consumers should do
A number of card issuers, including Capital One and Bank of America recommend, but say that it is not necessary, for cardholders to notify them of their plans to leave the country. Citi Cards, which monitors its accounts for fraud, suspicious activity and unusual spending patterns, utilizes its Fraud Early Warning System and Citi Identity Theft Solutions group.
"Although it is not always necessary to contact Citi with your travel plans, we encourage our customers to use their best judgment to determine if purchases abroad are unusual for them," said Citi spokeswoman Allie Reilly.
As some travelers discover every year, a sudden transaction in a faraway place can lead to a card's temporary suspension. Issuers will usually contact the cardholder before suspending an account but a traveling cardholder is unlikely to receive that notice. Chris Elliot, who writes the nationally-syndicated Travel Troubleshooter column, says that as fraud detection and monitoring systems become more complex and less tolerant, they are occasionally stopping legitimate purchases.
"It's a huge issue that many people just don't know about. I've talked to many people it has happened to, and they often don't know they're supposed to call their card company ahead of time," said Elliot.
Have you had a legitimate credit card purchase turned down because of fraud monitoring? Write to firstname.lastname@example.org.
Published: November 8, 2007
Three most recent Legal, regulatory, privacy issues stories: