E-COMMERCE FRAUD
Protecting Data, Transactions and Consumers
White Paper
EXECUTIVE SUMMARY
Global e-commerce sales are growing at a steady clip and are expected to total almost $1 trillion worldwide in 2013. To no one’s surprise, e-commerce fraud is growing too, with fraudulent transactions rising approximately 26 percent, from $2.7 billion in 2010 to $3.4 billion in 2011 [1].
Unfortunately, that total understates the true cost of fraud because it doesn’t take into
account significant hidden costs. Most notably, these include revenue lost throughout
the payment card ecosystem due to consumers’ fears about buying online, and
stakeholders’ investments in fraud-detection technology, services and expertise.
E-commerce fraud affects all parties in the payment card value chain, from the major card
brands that sit at the top of the industry, to the billions of credit and debit cardholders
worldwide who shop online. However, the risks and costs do not fall equally on all
groups. This paper explores three major points of vulnerability that exist across the value
chain and what solutions industry leaders are deploying to prevent, detect and block
fraudulent activity in the e-commerce channel. The focus is on three use cases:
–– Protecting the integrity of transactions through risk-based authentication
–– Protecting consumers from payment card theft and related identity crimes by
tokenizing cardholder data
–– Protecting reputable brands and their customers by shutting down phishing and
Trojan attacks that facilitate e-commerce fraud.
Within this context, the paper shows how RSA’s solutions for fraud detection and
prevention increase confidence in online shopping by addressing critical needs across
the payment card ecosystem:
–– Reducing fraud rates by evaluating transaction risk and blocking or challenging
high-risk activities
–– Reducing the high transaction abandonment rates and lost revenue that result from
a poor user experience
–– Reducing compliance costs by dramatically shrinking the footprint of sensitive
payment card data in e-commerce environments
[1] “2012 Online Fraud Report: Online Payment Fraud Trends, Merchant Practices and Benchmarks.” CyberSource. http://cybersource.com (accessed June 26, 2012). Page 1.
–– Protecting consumers by thwarting phishing and Trojan attacks that facilitate
theft of payment card data and users’ ecommerce credentials
–– Containing operational costs for fraud prevention, detection and mitigation
AN OVERVIEW OF THE E-COMMERCE LANDSCAPE
Powerful trends are driving e-commerce growth all across the globe. These include a
surging middle class in China, India and other emerging economies, the wide availability
of broadband services and mobile devices, and increasing user confidence with shopping
online.
Goldman Sachs predicts that worldwide e-commerce sales will reach $963.0 billion by 2013, growing at an annual rate of 19.4 percent [3], and some industry watchers predict that web sales, which were 6.6 percent of all retail sales in 2011, will account for 20 percent within the next 10 years [4].
Regional statistics reinforce the growth story. EMarketer—which publishes analysis and insight on digital marketing and commerce—projects that U.S. online shoppers will spend $224.2 billion in 2012, up 15.4 percent from $194.3 billion in 2011 [5]. Latin America saw a 24 percent increase in online sales in 2010 [6]. Africa and the Middle East are seeing rapid growth in Internet users, projected to rise from 150 million in 2009 to 297 million in 2015 [7]. Annual e-commerce revenues in Australia are on track to nearly double, from $16.9 billion in 2009 to $33.9 billion in 2015 [8]. In Asia-Pacific, online retail markets are growing faster than in the U.S. and Europe [9], driven in part by consumers’ adoption of mobile shopping.
E-Commerce Fraud is a Growth Industry Too
Where there’s smoke, there’s fire. And where there’s money being made, you can be sure
that online predators will swarm. Therefore, it is not surprising that revenue losses from
fraudulent e-commerce transactions have risen in parallel with e-commerce sales, more than
doubling in the last decade. In its 2012 Online Fraud Report, CyberSource noted that fraud
losses in North America rose from $1.7 billion in 2001 to a peak of $4 billion in 2009,
experienced a two-year decline, and then resumed an upward trend. In 2011, e-commerce
fraud losses totaled approximately $3.4 billion, a $700 million increase over 2010.
These direct financial losses are largely borne by the merchant or card issuer and take
two forms:
–– Credits or reversals issued by the e-commerce merchant to consumers who claim
fraudulent use of their accounts.
–– Chargebacks by card issuers who (depending on the circumstances) return fraudulent
transactions to the merchant bank or the ecommerce merchant as a financial liability.
(Because fraudulent charges are almost always reversed, consumers are insulated from
direct financial losses.)
[2] Internet Retailer. “Online shoppers will boost Internet spending 15% this year.” www.internetretailer.com (accessed May 10, 2012).
[3] Ibid.
[4] Moses, Lucia. “People are getting more comfortable shopping online, but they’re also demanding more of retailers.” AdWeek, April 18, 2012. http://www.adweek.com/news/advertising-branding/data-points-spending-it-139582 (accessed June 10, 2012).
[5] Internet Retailer. “Online shoppers will boost Internet spending 15% this year.”
[6] “Going Global Info Chart: Statistics on Global e-Commerce.” Brokers Worldwide. www.brokersworldwide.com/http/infographic.htm (accessed June 26, 2012). Attributed to Euromonitor International.
[7] “Going Global Info Chart.” Brokers Worldwide. Attributed to Cisco Systems Economics and Research Practice.
[8] “Going Global Info Chart.”
[9] “Going Global Info Chart.” Attributed to Forrester.
The Good Guys Keep Battling Back
Not all news on the fraud scene is discouraging. The fraud rate by revenue—which measures fraud losses as a percentage of total revenue—has been declining for 10-plus years. In the 2001 CyberSource survey, merchants reported losing 3.2 percent of online revenue to fraud; that figure decreased to a low of 0.9 percent in 2010, followed by a slight uptick to 1 percent in 2011 [10]. The largest merchants reported significantly lower loss rates (0.4 percent). This discrepancy likely reflects their ability to make larger investments in tools, staff and training compared to smaller companies.
A second key metric is also declining. Fraud rate by order is the number of accepted orders that later turn out to be fraudulent, expressed as a percent of total accepted orders. Between 2008 and 2011, the U.S. domestic fraud rate by order was almost cut in half, declining from 1.1 percent to 0.6 percent. The international rate fell from 4 percent to 2 percent [11].
Any optimism inspired by these improvements should be tempered. In its third annual
True Cost of Fraud Study LexisNexis reports that while the incidence of fraudulent
transactions decreased in 2011, the average dollar value of a fraudulent transaction was
higher than the previous year. Furthermore, the most lucrative areas of growth for retail
merchants—international, mobile, and e-commerce—tend also to be the most
susceptible to fraud.
The following table summarizes the roles and challenges of all the players in the e-commerce ecosystem.
The Card Payment Ecosystem: Roles and Challenges
Major card brands: Promote electronic payment solutions and operate transaction networks that link all players in the payment value chain. Visa and MasterCard lead the industry in developing standards, tools and best practices for fraud prevention. Major challenge: strengthen overall trust in online commerce.
Card issuers: Financial institutions that issue payment cards and “own” the cardholder relationship. They evaluate transaction risk, verify cardholder identities and make authorization decisions. Major challenge: detect and block fraudulent transactions.
Acquirers/merchant banks: Act as intermediaries between card issuers and merchants. They process transactions for multiple merchants, handling payment and settlement services directly or with third parties. Major challenge: ensure that merchant accounts hold fraud-related chargebacks to acceptable levels.
eCommerce merchants: Accept card-based electronic payments for goods and services. Major challenges: reduce exposure to fraud-related chargebacks without inconveniencing shoppers; protect consumers’ payment card data.
The Hidden Costs of Fraud
The costs of e-Commerce fraud go far beyond the $3.4 billion in goods and services that were ordered and delivered in 2011 but never paid for. According to the LexisNexis report, merchants incurred costs of more than $2.33 for every dollar of fraud committed [12]. For example, they absorb the cost of fulfillment and delivery services for fraudulent purchases. They devote resources to investigating and administering fraud claims, and all parties in the payment card value chain make significant investments in preventive technology, services and staff.
[10] “2012 Online Fraud Report.” CyberSource. Page 1.
[11] “2012 Online Fraud Report.” CyberSource. Page 12.
[12] “LexisNexis Study Finds Fraud Rates and Data Breaches Could Increase for Retailers Next Year.”
–– The major card brands offer fraud-prevention tools for merchants and issuers. The most
familiar are Card Verification Number (CVN), Address Verification Service (AVS), and the
payer authentication services Verified by Visa and MasterCard SecureCode.
–– Merchants and card issuers—using internal resources or working through partners—
deploy an arsenal of automated screening tools and decision systems to evaluate the
risk of incoming orders and improve the accuracy of accept/decline decisions. They
also employ skilled fraud analysts to manually review and dispose of high-risk cases.
–– Acquirers/merchant banks process transactions from multiple e-commerce merchants. Because they can be de-listed by the card networks if their merchant accounts exceed acceptable fraud levels, acquirers invest in monitoring and managing the quality of those accounts.
All these investments qualify as “profit leaks” that reduce the bottom line for players in
the payment card ecosystem.
Though it’s impossible to quantify, e-commerce fraud probably has its biggest impact on
the top line. Consumer distrust slows the growth of online transactions, reduces
merchants’ online revenues and cuts into the various transaction-based fees collected by
other stakeholders in the value chain.
Even when consumers are willing to shop online, cumbersome security procedures increase the rate of transaction abandonment, which Forrester Research estimated to be 75 percent for the first half of 2011. In the U.S. alone, $18 billion is lost annually to abandoned transactions, with concerns about security being one of several key reasons cited by consumers [14]. (Others included high shipping and handling costs, people not being ready to purchase the product, and the preferred payment method not being available.)
ANTI-FRAUD SOLUTIONS: THREE USE CASES
E-commerce fraud causes pain and poses challenges across the entire payment card
ecosystem. However, the direct costs of fraud and the responsibility for stopping
fraudulent transactions fall primarily on two groups: merchants and card issuers. The
following use cases highlight key areas of vulnerability and solutions that are being
deployed to improve fraud detection and prevention.
Use Case #1: Protecting Transactions with Risk-Based Authentication
Once a fraudulent transaction is approved, the resulting loss is almost never recouped.
For this reason, there is a big focus on preventing fraud in real-time at the point of
transaction.
As an early step in this direction, Visa in 2001 developed the Three Domain Secure
protocol (3D Secure) to enhance the security of Internet payments. 3DS was designed to
strengthen real-time verification of cardholder identities by requiring an additional layer
of password authentication.
Services based on 3D Secure are offered by several major card brands: Visa (under the name Verified by Visa), MasterCard (MasterCard SecureCode), JCB International (J/Secure), and American Express (SafeKey). With these services, cardholders are encouraged—and in some countries, required—to enroll through their card issuer, at which time they create a password. Every time an enrolled user shops at a 3DS online merchant, the individual must complete an extra step during payment by inputting their password before their purchase is authorized.
[15] “Advantages of a Risk Based Authentication Strategy for MasterCard SecureCode.” MasterCard, 2011. Page 6.
[16] “Advantages of a Risk Based Authentication Strategy for MasterCard SecureCode.” Page 5.
The Shortcomings of Enrollment-based 3DS
Merchant participation in 3DS services is not mandatory, but merchants who implement
the program benefit from a significant liability shift, as they are no longer responsible for
fraud-related chargebacks; instead, those become the responsibility of the issuing bank.
Despite this incentive, adoption of enrollment-based 3DS services has been much slower than expected. Where enrollment is voluntary, a large percentage of cardholders opt out [15]. Among enrollees, users report being locked out of valid transactions or having their card rendered useless, necessitating time-consuming help desk calls. More than 10 years after the launch of 3D Secure, consumer frustration is still evident in an ongoing stream of tweets devoted to the topic. (A typical complaint from May 2012: “Constant confusion and mistrust when prompted for extra info.”)
All this is bad news for merchants and card issuers. If consumers are sufficiently annoyed,
they’ll abandon the sale, causing the merchant to lose revenue. Or worse, they may
choose to shop with another merchant or card issuer altogether. In many cases,
merchants have elected to absorb e-commerce fraud losses rather than risk the high rates
of transaction abandonment that can result from an inconvenient shopping experience.
Who, But a Thief, Buys Six Large-Screen TVs All At Once?
In response to these shortcomings, stakeholders began to explore a risk-based approach
to 3-D Secure authentication that would improve detection while eliminating the need for
passwords and the associated enrollment process. Rather than relying on a few pieces of
static data to validate the cardholder, risk-based authentication (RBA) uses a risk engine
and decision tools to evaluate a wealth of transactional, behavioral, and cross-
institutional data in real-time before authorizing or blocking a transaction.
For example, comparing the user’s transaction history to known fraud patterns—such as
buying multiples of the same big-ticket item in one transaction—can help spot likely
fraud (Who, but a thief, buys six large-screen TVs all at once?). IP geo-location data,
device fingerprinting and the currency being used in a transaction can flag suspicious
purchases originating in foreign countries or from an unfamiliar device. (If you ordered a
bathing suit online two hours ago from your home computer in Ohio, who’s using your
card right now to buy an expensive camera from a smartphone in Eastern Europe?)
Based on this kind of dynamic assessment, risk-based authentication assigns a risk
score (low, medium or high) and only challenges transactions determined to be
suspicious. In those cases, the transaction may be declined and terminated, or the
cardholder may be asked to answer a challenge question or provide a different payment
method before the transaction is approved.
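The following Go program is an added illustration of the risk-based checks just described; it is not RSA’s engine or code from this paper. It scores a transaction on the signals the text names (multiples of a big-ticket item, an unfamiliar device fingerprint, a foreign currency, and whether the cardholder could plausibly have travelled from the previous purchase location) and maps the score to low/medium/high and to the approve, challenge or decline action. The field names, rule weights, thresholds and sample data are constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Transaction carries the signals the paper lists: unit price, currency, item
// quantity, IP geolocation and a device fingerprint (field names are assumed).
type Transaction struct {
	Amount   float64 // unit price in the transaction currency
	Currency string
	Item     string
	Quantity int
	Lat, Lon float64 // IP geolocation of the shopper
	Device   string  // device fingerprint
	At       time.Time
}
// Profile is what the issuer already knows about the cardholder.
type Profile struct {
	HomeCurrency string
	KnownDevices map[string]bool
	History      []Transaction // most recent last
}
// Assessment: score, level (low/medium/high), ACS action (approve/challenge/decline), reasons.
type Assessment struct {
	Score   int
	Level   string
	Action  string
	Reasons []string
}
// haversineKm returns the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := toRad(lat2-lat1), toRad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371 * math.Asin(math.Sqrt(a))
}
// Assess scores one transaction against the cardholder's profile. The rule
// weights and thresholds are constructed for illustration, not RSA's.
func Assess(p Profile, t Transaction, bigTicket float64) Assessment {
	var a Assessment
	add := func(points int, why string) { a.Score += points; a.Reasons = append(a.Reasons, why) }
	// Who, but a thief, buys six large-screen TVs at once?
	if t.Quantity >= 3 && t.Amount >= bigTicket {
		add(40, fmt.Sprintf("%d x big-ticket item %q", t.Quantity, t.Item))
	}
	if t.Currency != p.HomeCurrency {
		add(20, "foreign currency "+t.Currency)
	}
	if !p.KnownDevices[t.Device] {
		add(20, "unfamiliar device "+t.Device)
	}
	// Geo-velocity: could the cardholder have travelled from the last purchase location in the time elapsed?
	if n := len(p.History); n > 0 {
		prev := p.History[n-1]
		km := haversineKm(prev.Lat, prev.Lon, t.Lat, t.Lon)
		hours := math.Max(t.At.Sub(prev.At).Hours(), 1.0/60) // never divide by zero
		if km/hours > 900 { // faster than an airliner
			add(50, fmt.Sprintf("implausible travel: %.0f km in %.1f h", km, hours))
		}
	}
	switch {
	case a.Score >= 70:
		a.Level, a.Action = "high", "decline"
	case a.Score >= 30:
		a.Level, a.Action = "medium", "challenge"
	default:
		a.Level, a.Action = "low", "approve"
	}
	return a
}
// SampleProfile is a constructed cardholder: home PC in Ohio, USD, with the
// paper's bathing-suit purchase as the most recent history entry.
func SampleProfile() Profile {
	t0 := time.Date(2012, 6, 1, 10, 0, 0, 0, time.UTC)
	return Profile{HomeCurrency: "USD", KnownDevices: map[string]bool{"home-pc": true},
		History: []Transaction{{Amount: 40, Currency: "USD", Item: "bathing suit", Quantity: 1,
			Lat: 39.96, Lon: -82.99, Device: "home-pc", At: t0}}}
}
// SampleTransactions returns three constructed follow-ups: a routine purchase,
// six TVs from the home PC, and the camera bought abroad two hours later.
func SampleTransactions() (legit, sixTVs, abroad Transaction) {
	t0 := SampleProfile().History[0].At
	legit = Transaction{Amount: 25, Currency: "USD", Item: "book", Quantity: 1, Lat: 39.96, Lon: -82.99, Device: "home-pc", At: t0.Add(30 * time.Minute)}
	sixTVs = Transaction{Amount: 900, Currency: "USD", Item: "large-screen TV", Quantity: 6, Lat: 39.96, Lon: -82.99, Device: "home-pc", At: t0.Add(time.Hour)}
	abroad = Transaction{Amount: 1200, Currency: "RON", Item: "camera", Quantity: 1, Lat: 44.43, Lon: 26.10, Device: "phone-x1", At: t0.Add(2 * time.Hour)}
	return
}
func main() {
	p := SampleProfile()
	legit, sixTVs, abroad := SampleTransactions()
	for _, t := range []Transaction{legit, sixTVs, abroad} {
		a := Assess(p, t, 500)
		fmt.Printf("%-16s score=%3d level=%-6s action=%-9s %v\n", t.Item, a.Score, a.Level, a.Action, a.Reasons)
	}
}
```

Only the medium and high cases interrupt the shopper, which is the behaviour the text credits for lower abandonment; everything else is approved silently.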
Fast Results from Risk-Based Authentication
RSA played an early role in developing risk-based authentication for e-commerce. The company had already launched a risk-based transaction monitoring solution for online retail banking, which is now called RSA® Adaptive Authentication. This capability was the industry’s first cross-institution fraud network for tracking and sharing fraud-related data among members.
By integrating its existing technology into the 3D Secure system, RSA was able to quickly bring these same resources to bear on e-commerce fraud. Card issuers who were early to adopt the RSA solution achieved dramatic results. A pilot program in the U.K. saw an 85 percent reduction in checkout time, a 70 percent reduction in transaction abandonment, and only caused an interrupted shopping experience for five percent of customers. These improvements were achieved without the fraud rate increasing at all [16].
Similarly, Indue of Australia quickly cut its fraud losses at 3D Secure merchants by 90
percent and lowered its abandonment rate to roughly three percent, well below the
industry average at the time. Germany’s Deutsche Postbank Group reduced fraudulent
transactions by 85 percent and eliminated support costs associated with enrollment-
based 3D Secure.
Reducing the Burden of Helpdesk Calls
Risk-based authentication has also helped dramatically reduce 3-D Secure-related help desk calls at a dozen U.K. and U.S. issuers. Those using a risk-based approach received an average of 58 percent fewer calls related to account lockouts and password resets, compared to those using the enrollment-based system. One top-10 global issuer saw 3-D Secure customer service activity drop nearly 97 percent after eliminating enrollment [17].
The results further suggest that improving the accuracy of fraud detection can reduce a
major element of fraud management cost: the manual screening of flagged transactions
that turn out to be legitimate and ultimately are authorized. More accurate screening also
reduces the incidence of “customer insult” by ensuring that far fewer valid transactions
are declined or challenged.
In evaluating six leading providers of risk-based authentication solutions used in the financial services industry, Forrester analysts wrote this about the risk-based authentication capabilities that underlie RSA® Adaptive Authentication for eCommerce:
“RSA dominated this Forrester Wave because it has a huge customer base that dwarfs other vendors and has been striving to provide customers with a wide selection of authentication methods and tokens and well-rounded case management. RSA also offers a leading data aggregator’s data sources for identity vetting and proofing for out-of-wallet security questions.” [18]
Use Case #2: Protecting Consumers by Tokenizing Credit Card Data
Where risk-based authentication protects online transactions by detecting and blocking
high-risk activity, tokenization protects consumers from payment card fraud and
merchants from payment card data breaches by safeguarding payment card data.
The connection between credit card theft, e-commerce fraud and related identity crimes first
came to wide public attention in 2003, when Citibank produced a series of commercials that
depicted fraud victims “channeling” the people who had ripped them off. In one famous ad,
a middle-aged man sits in his paneled den and speaks in the nasal voice of a Valley Girl who
has used his identity information to buy herself a $1,500 leather bustier.
Nearly 10 years later, consumers are more knowledgeable and wary about credit card
theft and fraud, but the problem remains largely beyond their control. Millions of
cardholder accounts are compromised annually as a result of data breaches at
organizations that retain card data.
A Problem That Won’t Go Away
E-commerce merchants, traditional retailers and other businesses struggle with how to
protect the cardholder data entrusted to them. In many settings, the challenge is made more
difficult by the fact that the data is duplicated across multiple systems, applications and
databases—where it is stored unprotected. Securosis, an independent research and analysis
firm, has pointed out that, historically, credit card numbers have been used as a primary
identifier in retail environments, even when there is no need to access the actual number.
“As the standard reference key, credit card numbers are stored in billing, order management, shipping, customer care, business intelligence, and even fraud detection systems. They are used to cross-reference data from third parties to gather intelligence on consumer buying trends. Large retail organizations typically store credit card data in every critical business processing system.” [19]
[17] “Advantages of a Risk Based Authentication Strategy for MasterCard SecureCode.” Page 8.
[18] Cser, Andras and Maler, Eve. “The Forrester Wave™: Risk-Based Authentication, Q1 2012.” Forrester. February 22, 2012.
In addition, unprotected card data may also be archived on backup tapes and disks, replicated for disaster recovery, and downloaded to employee laptops for analysis. Even if some of these points are well defended, others remain vulnerable, with access controlled by nothing more than static passwords that can be easily defeated by hackers or malicious insiders. Once these protections are breached, the data can be stolen, transmitted or misused by anyone with access to it.
The Mandate: Protecting Data from End to End
Due to the evolving nature of today’s threats—and the stringent requirements of the
Payment Card Industry Data Security Standard (PCI DSS)—merchants need to protect all
this data from end to end: at the point of capture in the application layer (where many
damaging breaches now occur), at rest in databases across multiple locations, and in
transit between diverse applications and systems.
With its strong protection mechanisms, encryption has been the preferred method for
safeguarding cardholder data. However, tokenization has rapidly gained acceptance as
an alternative because of its many compelling benefits. First and foremost, rather than
trying to protect cardholder data from theft or exposure, a tokenization solution removes
it altogether from any systems and applications that don’t specifically require it.
This is a major game changer: Thieves can’t steal what isn’t there, so business risk is
drastically reduced. Merchants don’t need to protect what they no longer store, so related
security costs are reduced. Furthermore, by shrinking the footprint of sensitive data across
the environment, tokenization can significantly reduce PCI compliance costs. Some RSA
customers have achieved reductions of 30 percent or more in PCI compliance costs.
How Tokenization Works
With tokenization, a consumer’s card data is protected at the point of capture,
transmitted to a central repository and encrypted in a secure vault. Only those few
applications that require the actual card number are authorized to access the vaulted
data. For any other application, the system provides a randomly generated substitute
value, called a token, which can be seamlessly passed between applications, databases
and business processes without risk.
Tokens are analogous to the chips that are issued by a casino: You exchange your cash
for chips, which are then accepted as a form of payment throughout the casino. However,
if they’re removed from the environment, they have no cash value and cannot be used for
payments. Similarly, credit card token values are useful to the merchant but have no
value to the attacker. If tokens are stolen or exposed, the information is useless in
perpetrating e-commerce fraud.
One of the primary benefits of tokenization is that it enables a merchant or payment
processor to consolidate payment card data from dozens or hundreds of systems down to
a few points, and then focus security resources on safeguarding those high-risk points.
This consolidation makes it easier and far less costly to protect this sensitive information.
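The following Go program is an added illustration of the vault-and-token model described above; it is not code from RSA Data Protection Manager or from this paper. It assumes the vault encrypts card numbers with AES-GCM under a key only the vault holds, hands out 16-digit random tokens so they fit existing PAN-shaped fields, and detokenizes only for applications on an allow list; the application names payment-gateway and order-management and the well-known test number 4111111111111111 are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Vault is the one place real card numbers (PANs) live, encrypted under a key
// only the vault holds; every other system sees nothing but the token.
type Vault struct {
	aead       cipher.AEAD
	records    map[string][]byte // token -> nonce || AES-GCM ciphertext of the PAN
	authorized map[string]bool   // applications allowed to detokenize
}
// NewVault wraps a 32-byte AES key in AES-GCM and records which applications may recover PANs.
func NewVault(key []byte, authorizedApps ...string) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	v := &Vault{aead: aead, records: map[string][]byte{}, authorized: map[string]bool{}}
	for _, app := range authorizedApps {
		v.authorized[app] = true
	}
	return v, nil
}
// randomToken draws 16 random decimal digits (PAN-shaped, an assumption of this
// example); nothing about the token is derived from the card number.
func randomToken() (string, error) {
	tok := make([]byte, 0, 16)
	for len(tok) < 16 {
		var b [1]byte
		if _, err := rand.Read(b[:]); err != nil {
			return "", err
		}
		if b[0] < 250 { // reject 250..255 so b%10 is an unbiased digit
			tok = append(tok, '0'+b[0]%10)
		}
	}
	return string(tok), nil
}
// Tokenize encrypts the PAN under a fresh nonce, files it under a new token,
// and returns that token to stand in for the card number everywhere else.
func (v *Vault) Tokenize(pan string) (string, error) {
	tok, err := randomToken()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// The token is bound in as associated data: a ciphertext copied onto another token entry fails to open.
	v.records[tok] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(tok))
	return tok, nil
}
// Detokenize returns the real PAN, and only to an authorized application.
func (v *Vault) Detokenize(app, token string) (string, error) {
	if !v.authorized[app] {
		return "", fmt.Errorf("application %q is not authorized to detokenize", app)
	}
	rec, ok := v.records[token]
	if !ok {
		return "", fmt.Errorf("unknown token %q", token)
	}
	ns := v.aead.NonceSize()
	pan, err := v.aead.Open(nil, rec[:ns], rec[ns:], []byte(token))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}
// Demo walks the flow with a constructed test PAN: checkout tokenizes the card,
// the payment gateway recovers it for authorization, order management cannot.
func Demo() (token, recovered string, omsErr, err error) {
	key := make([]byte, 32) // production keys live in an HSM or key manager
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return
	}
	v, err := NewVault(key, "payment-gateway")
	if err != nil {
		return
	}
	const pan = "4111111111111111" // well-known test number, not a real card
	if token, err = v.Tokenize(pan); err != nil {
		return
	}
	recovered, err = v.Detokenize("payment-gateway", token)
	_, omsErr = v.Detokenize("order-management", token)
	return
}
func main() {
	token, recovered, omsErr, err := Demo()
	fmt.Println("token:", token, "gateway sees:", recovered, "order management:", omsErr, err)
}
```

A stolen copy of the order-management database therefore yields only tokens, which the casino-chip analogy above captures: they are worthless outside the vault that issued them.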
The RSA Approach
Believing that tokenization should be a core component of any layered security strategy, RSA incorporated comprehensive tokenization functionality into the RSA® Data Protection Manager platform, combining it with application encryption, data-at-rest encryption, and comprehensive key lifecycle management.
In collaboration with First Data, the largest payment processor in the industry, RSA also created the industry’s first secure payment solution to offer both encryption and tokenization of cardholder data as a hosted service. The hosted model frees merchants from the cost of building and maintaining this component of payment processing infrastructure. And by shifting cardholder data from the enterprise to the payment processor environment, it also shifts much of the risk and cost of PCI compliance to a trusted third party.
[19] “Tokenization vs. Encryption: Options for Compliance.” Securosis. July 2011. Page 3.
The wide adoption of tokenization within financial services has inspired other industries
to follow suit, using the technology to protect other sensitive personal information, such
as birth dates, account numbers, Social Security numbers, and even elements of an
individual’s electronic health record.
To understand how tokenization and risk-based authentication work together to protect
payment card data, please refer to Appendix A “End-to-end Protection for Payment Cards.”
Use Case #3: Protecting Brands (and Their Customers) from Cyber Attacks
The collective impact of technology-based protections has certainly helped to slow the
growth of e-commerce fraud. Unfortunately, as these safeguards become more pervasive
and robust, humans constitute one of the weakest links in payment card security. That’s
why phishing and Trojan attacks continue to be employed in eCommerce fraud and other
forms of cybercrime. Through these methods, cybercriminals attempt to extract sensitive
information by exploiting trusted relationships (respected brands, friends and colleagues,
social networking contacts) and routine behavior (such as opening email received or
clicking on links when directed to).
For example, despite its lack of sophistication and low response rates (a result of consumers becoming more educated), phishing still remains popular in fraud circles because of its low execution cost, easy-to-use attack tools, and access to new distribution channels via poorly defended social networking sites. Cybercriminals today can buy phishing kits for just a few dollars, and each month, tens of thousands of unique phishing attacks are launched all around the world. In June 2012 alone, RSA identified 51,906 unique phishing attacks targeting global organizations.
The Menace Concealed by a Familiar Face
The most effective attacks are carefully crafted to establish credibility and trust. They
appear to come from a reputable brand or an individual who is known by the recipient
(see Figure 1). Unlike the crude efforts of the past, which often contained telltale
grammatical errors and simplistic visuals, today’s phishing attacks use “scraping” tools
to closely mimic the legitimate brand, down to the correct type fonts, color palette and
business jargon. In the case of spear-phishing attacks, which target high-level individuals
with access to extremely valuable information, the email will often allude to details
(gleaned from research) that an outsider is unlikely to know.
Figure 1: An example of a real phishing attack that mimicked a leading consumer brand with the promise of easy financial rewards to manipulate people into disclosing payment card data and other personal information.
Thus convinced that the communication is authentic, the recipient is directed to an equally authentic-looking website where they are lulled into disclosing the sought-after information. Or they may click on a link in the email or be sent to a website that transparently installs malware on their system.
Eroding Trust in Respected Brands and Everyday Tools
These attacks undermine the brand that has been hijacked to deliver the attack, and they
erode trust in the everyday tools and interactions on which businesses rely. Email marketing
is now so tainted that consumers are rightfully wary of messages from their bank, insurance
agency or favorite retail stores. Users worry if they are being directed to a legitimate website
or whether they may be downloading a malicious Trojan capable of stealing their credit card
numbers, e-commerce login credentials, or online banking credentials.
For merchants whose brand is being tarnished by phishing and Trojan attacks, the most effective defense is to monitor the Internet for threats that target one’s own brand and shut down the offending sites in the shortest possible time. Toward this end, leading vendors have developed sophisticated anti-fraud capabilities that can identify and short-circuit many attacks in a matter of minutes and stamp out advanced attacks in just a few hours. RSA has been a pioneer in this realm; the RSA® FraudAction™ service offers a template for what a comprehensive solution might include:
–– Monitoring and detection. Billions of URLs are scanned daily to identify and analyze
suspicious sites and detect phishing attacks that specifically target the customer’s
brand or sub-brands.
–– Around-the-clock analysis. Trojan attacks are studied to identify new threats and fast-
changing variants, detect methods of operation on infected systems, and extract
triggers, communication points, drop and update points.
–– Alerts and updates. Once a new threat is confirmed, customers are immediately notified and fraud data is updated within the RSA® eFraudNetwork™.
–– Site blocking. An extensive network of blocking partners prevents end users from accessing confirmed phishing and malware sites, reducing their risk of exposure to fraudulent sites.
–– Rapid shutdown. Through relationships with more than 14,000 hosting authorities worldwide,
“cease and desist” notices are issued and offending sites are quickly shut down.
–– Credential recovery. This feature allows merchants to proactively notify customers
whose credentials may have been compromised so they can monitor their account
activity. Recovery of stolen credit card data allows merchants to decline transactions
made with a stolen card.
RSA’s approach has been highly effective. For example, RSA analysts have shut down
more than 650,000 cybercrime attacks, the highest shutdown volume for any provider in
the industry.
CONCLUSION
With e-commerce sales guaranteed to grow over the next 10 years, the growth of fraud is
sure to follow. All stakeholders in the e-commerce value chain are hurt by fraud and all
share responsibility for detection and prevention. While it will never be possible to
completely eradicate e-commerce fraud, experience shows it is possible to slow its
growth by implementing protections at critical points of vulnerability.
Those brands that are early in deploying the best tools and strategies for fraud detection
and prevention—and ensuring their partners in the value chain do as well—will gain
critical advantages as a result. These include increased consumer trust in online
commerce, higher transaction volumes, lower fraud rates, reduced fraud prevention
and mitigation costs, and greater profitability.
Appendix A
End-to-end Protection for Payment Cards
The combination of tokenization and risk-based authentication includes these steps.
1. Checkout: Shopper enters credit card data, which is protected during checkout.
2. Tokenization: Merchant encrypts and vaults the card data in the token server for later transactions. A token is issued to replace the card number in subsequent uses (order management, shipping, etc.).
3. Risk score: Risk engine dynamically analyzes transaction and behavioral data, known fraud patterns from the eFraudNetwork and data from many other sources in real time, and assigns a risk score.
4. Authentication: Access Control Server (ACS) transparently approves low-risk transactions and challenges or declines high-risk purchases.
5. Authorization: Issuer digitally signs the receipt and returns the authorization to the merchant.
6. eFraudNetwork: Known threats and fraud patterns are updated and shared to improve the accuracy of fraud detection.
[Figure: flow diagram linking the Cardholder, Merchant, Acquirer and Issuer with the Token Server (vaulted card data), the Risk Engine (fraud patterns, authentication history) and the ACS (authentication). Numbered arrows 1 to 6 correspond to the steps above; the eFraudNetwork feeds fraud patterns to the risk engine.]
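To make the six steps concrete, the following is an added Python simulation of the flow. It is not RSA's code and nothing in it comes from the paper beyond the step structure: the risk signals, their weights, the approve/challenge/decline thresholds, the shopper profile, the device identifiers and the test card number are all assumptions chosen for illustration; an in-memory dict stands in for an encrypted vault; and an HMAC under a shared key stands in for the issuer's digital signature. The shared fraud-pattern list is modelled as a set of device identifiers so that step 6 visibly changes the outcome of a later transaction.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def luhn_ok(digits: str) -> bool:
    """Luhn check; used below to confirm a token can never pass as a PAN."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Step 2: the PAN stays here and merchant systems keep only the token.
    A real vault encrypts the PAN at rest under its own key; this dict stands in (assumption)."""
    def __init__(self):
        self._store = {}
    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a well-formed PAN")
        token = "tok_" + secrets.token_hex(12)  # random: reveals nothing about the PAN
        self._store[token] = pan
        return token
    def detokenize(self, token: str) -> str:
        return self._store[token]  # only the vault and the true payment path call this

@dataclass
class ShopperProfile:
    home_country: str
    known_devices: set
    avg_amount: float
    orders_last_hour: int = 0

@dataclass
class Transaction:
    token: str
    amount: float
    device_id: str
    ip_country: str
    ship_country: str

class RiskEngine:
    """Step 3: the signals and weights are illustrative assumptions, not a calibrated model."""
    def __init__(self, fraud_patterns=()):
        self.fraud_patterns = set(fraud_patterns)  # shared confirmed-bad indicators (step 6 feed)
    def score(self, tx: Transaction, profile: ShopperProfile):
        checks = [
            (tx.device_id in self.fraud_patterns, 60, "device seen in confirmed fraud"),
            (tx.device_id not in profile.known_devices, 25, "new device"),
            (tx.ip_country != profile.home_country, 15, "ip country differs from home"),
            (tx.ship_country != tx.ip_country, 15, "ship-to differs from ip country"),
            (tx.amount > 3 * profile.avg_amount, 20, "amount far above shopper average"),
            (profile.orders_last_hour >= 5, 20, "order velocity"),
        ]
        hits = [(w, why) for hit, w, why in checks if hit]
        return min(sum(w for w, _ in hits), 100), [why for _, why in hits]
    def report_fraud(self, tx: Transaction) -> None:
        """Step 6: a chargeback-confirmed fraud feeds its indicators back for everyone."""
        self.fraud_patterns.add(tx.device_id)

def acs_decision(score: int) -> str:
    """Step 4: thresholds are assumptions; low risk passes silently, mid risk is challenged, high risk declined."""
    return "approve" if score < 30 else "challenge" if score < 70 else "decline"

def issuer_sign(issuer_key: bytes, token: str, amount: float, decision: str) -> str:
    """Step 5: integrity-protected receipt; HMAC under a shared key stands in for a signature (assumption)."""
    msg = f"{token}|{amount:.2f}|{decision}".encode()
    return hmac.new(issuer_key, msg, hashlib.sha256).hexdigest()

def merchant_verify(issuer_key, token, amount, decision, receipt) -> bool:
    return hmac.compare_digest(issuer_sign(issuer_key, token, amount, decision), receipt)

def process_order(vault, engine, issuer_key, profile, pan, amount, device_id, ip_country, ship_country):
    """Steps 1 to 5 for one checkout; the merchant keeps only what is returned here."""
    token = vault.tokenize(pan)  # steps 1-2: card data enters the vault, merchant holds the token
    tx = Transaction(token, amount, device_id, ip_country, ship_country)
    score, reasons = engine.score(tx, profile)
    decision = acs_decision(score)
    return {"tx": tx, "score": score, "reasons": reasons, "decision": decision,
            "receipt": issuer_sign(issuer_key, token, amount, decision)}

TEST_PAN = "4111111111111111"  # industry test number, not a real account
ISSUER_KEY = b"demo-issuer-key"  # constructed for the example

def demo():
    """Constructed scenario: a routine order, a suspicious one, then a repeat from the same device after it was confirmed as fraud."""
    vault, engine = TokenVault(), RiskEngine()
    alice = ShopperProfile(home_country="US", known_devices={"dev-alice-laptop"}, avg_amount=60.0)
    low = process_order(vault, engine, ISSUER_KEY, alice, TEST_PAN, 45.0, "dev-alice-laptop", "US", "US")
    odd = process_order(vault, engine, ISSUER_KEY, alice, TEST_PAN, 900.0, "dev-unknown-7", "RO", "RO")
    engine.report_fraud(odd["tx"])  # step 6, once the chargeback confirms it
    again = process_order(vault, engine, ISSUER_KEY, alice, TEST_PAN, 30.0, "dev-unknown-7", "US", "US")
    return low, odd, again
```

Running demo() gives the three outcomes the steps describe: the routine order scores 0 and is approved with no friction, the suspicious order scores 60 and is challenged, and once that order is reported the same device scores 85 and is declined outright. Two practitioner checks are built in: the token is deliberately non-numeric and fails the Luhn check, so a Luhn-valid 16-digit string appearing in merchant logs is a sign the vault is being bypassed; and the thresholds in acs_decision are where the paper's trade-off between abandonment and fraud losses is tuned, since lowering the challenge threshold catches more fraud at the cost of more step-ups.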
RSA, the RSA logo, EMC², EMC and "where information lives" are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2011 EMC Corporation. All rights reserved. Published in the USA.
ECOMM WP 0712
About RSA
RSA is the premier provider of security, risk and compliance solutions, helping the
world’s leading organizations succeed by solving their most complex and sensitive
security challenges. These challenges include managing organizational risk,
safeguarding mobile access and collaboration, proving compliance, and securing
virtual and cloud environments.
Combining business-critical controls in identity assurance, data loss prevention,
encryption and tokenization, fraud protection and SIEM with industry leading eGRC
capabilities and consulting services, RSA brings trust and visibility to millions of user
identities, the transactions that they perform and the data that is generated.
www.emc.com/rsa

E-Commerce Fraud: Protecting Data, Transactions and Consumers

  • 1. E-COMMERCE FRAUD Protecting Data, Transactions and Consumers White Paper EXECUTIVE SUMMARY Global e-commerce sales are growing at a steady clip and are expected to total almost $1 trillion worldwide in 2013. To no one’s surprise, e-commerce fraud is growing too, with fraudulent transactions rising approximately 26 percent, from $2.7 billion in 2010 to $3.4 billion in 20111 . Unfortunately, that total understates the true cost of fraud because it doesn’t take into account significant hidden costs. Most notably, these include revenue lost throughout the payment card ecosystem due to consumers’ fears about buying online, and stakeholders’ investments in fraud-detection technology, services and expertise. E-commerce fraud affects all parties in the payment card value chain, from the major card brands that sit at the top of the industry, to the billions of credit and debit cardholders worldwide who shop online. However, the risks and costs do not fall equally on all groups. This paper explores three major points of vulnerability that exist across the value chain and what solutions industry leaders are deploying to prevent, detect and block fraudulent activity in the e-commerce channel. The focus is on three use cases: –– Protecting the integrity of transactions through risk-based authentication –– Protecting consumers from payment card theft and related identity crimes by tokenizing cardholder data –– Protecting reputable brands and their customers by shutting down phishing and Trojan attacks that facilitate e-commerce fraud. 
Within this context, the paper shows how RSA’s solutions for fraud detection and prevention increase confidence in online shopping by addressing critical needs across the payment card ecosystem: –– Reducing fraud rates by evaluating transaction risk and blocking or challenging high-risk activities –– Reducing the high transaction abandonment rates and lost revenue that result from a poor user experience –– Reducing compliance costs by dramatically shrinking the footprint of sensitive payment card data in e-commerce environments 1 “2012 Online Fraud Report: Online Payment Fraud Trends, Merchant Practices and Benchmarks.” CyberSource. http://cybersource.com (accessed June 26, 2012). Page 1.
  • 2. PAGE 2 –– Protecting consumers by thwarting phishing and Trojan attacks that facilitate theft of payment card data and users’ ecommerce credentials –– Containing operational costs for fraud prevention, detection and mitigation AN OVERVIEW OF THE E-COMMERCE LANDSCAPE Powerful trends are driving e-commerce growth all across the globe. These include a surging middle class in China, India and other emerging economies, the wide availability of broadband services and mobile devices, and increasing user confidence with shopping online. Goldman Sachs predicts that worldwide e-commerce sales will reach $963.0 billion by 2013, growing at an annual rate of 19.4 percent3 , and some industry watchers predict that web sales, which were 6.6 percent of all retail sales in 2011, will account for 20 percent within the next 10 years4 . Regional statistics reinforce the growth story. EMarketer—which publishes analysis and insight on digital marketing and commerce—projects that U.S. online shoppers will spend $224.2 billion in 2012, up 15.4 percent from $194.3 billion in 20115 . Latin America saw a 24 percent increase in online sales in 20106 . Africa and the Middle East are seeing rapid growth in Internet users, projected to rise from 150 million in 2009 to 297 million in 20157 . Annual e-commerce revenues in Australia are on track to nearly double, from $16.9 billion in 2009 to $33.9 billion in 20158 . In Asia-Pacific, online retail markets are growing faster than in the U.S. and Europe9 , driven in part by consumers’ adoption of mobile shopping. E-Commerce Fraud is a Growth Industry Too Where there’s smoke, there’s fire. And where there’s money being made, you can be sure that online predators will swarm. Therefore, it is not surprising that revenue losses from fraudulent e-commerce transactions have risen in parallel with e-commerce sales, more than doubling in the last decade. 
In its 2012 Online Fraud Report, CyberSource noted that fraud losses in North America rose from $1.7 billion in 2001 to a peak of $4 billion in 2009, experienced a two-year decline, and then resumed an upward trend. In 2011, e-commerce fraud losses totaled approximately $3.4 billion, a $700 million increase over 2010. These direct financial losses are largely borne by the merchant or card issuer and take two forms: –– Credits or reversals issued by the e-commerce merchant to consumers who claim fraudulent use of their accounts. –– Chargebacks by card issuers who (depending on the circumstances) return fraudulent transactions to the merchant bank or the ecommerce merchant as a financial liability. (Because fraudulent charges are almost always reversed, consumers are insulated from direct financial losses.) 2 Internet Retailer. “Online shoppers will boost Internet spending 15% this year.” www.internetretailer.com (accessed May 10, 2012). 3 Ibid 4 Moses, Lucia. “People are getting more comfortable shopping online, but they’re also demanding more of retailers.” AdWeek, April 18, 2012. http://www.adweek.com/news/advertising-branding/data-points- spending-it-139582 (accessed June 10, 2012). 5  Internet Retailer. “Online shoppers will boost Internet spending 15% this year.” 6 “Going Global Info Chart: Statistics on Global e-Commerce.” Brokers Worldwide. www.brokersworldwide.com/ http/infographic.htm (accessed June 26, 2012). Attributed to Euromonitor International. 7  “Going Global Info Chart.” Brokers Worldwide. Attributed to Cisco Systems Economics and Research Practice. 8  “Going Global Info Chart.” 9  “Going Global Info Chart.” Attributed to Forrester. Goldman Sachs predicts that worldwide e-commerce sales will reach $963.0 billion by 2013, growing at an annual rate of 19.4 percent2 .
The Good Guys Keep Battling Back

Not all news on the fraud scene is discouraging. The fraud rate by revenue, which measures fraud losses as a percentage of total revenue, has been declining for more than 10 years. In the 2001 CyberSource survey, merchants reported losing 3.2 percent of online revenue to fraud; that figure decreased to a low of 0.9 percent in 2010, followed by a slight uptick to 1.0 percent in 2011.[10] The largest merchants reported significantly lower loss rates (0.4 percent). This discrepancy likely reflects their ability to make larger investments in tools, staff and training than smaller companies can.

A second key metric is also declining. Fraud rate by order is the number of accepted orders that later turn out to be fraudulent, expressed as a percentage of total accepted orders. Between 2008 and 2011, the U.S. domestic fraud rate by order was almost cut in half, declining from 1.1 percent to 0.6 percent. The international rate fell from 4 percent to 2 percent.[11]

Any optimism inspired by these improvements should be tempered. In its third annual True Cost of Fraud Study, LexisNexis reports that while the incidence of fraudulent transactions decreased in 2011, the average dollar value of a fraudulent transaction was higher than in the previous year. Furthermore, the most lucrative areas of growth for retail merchants (international, mobile and e-commerce) tend also to be the most susceptible to fraud.

The following table summarizes the roles and challenges of the players in the e-commerce ecosystem.

The Card Payment Ecosystem: Roles and Challenges

–– Major card brands. Promote electronic payment solutions and operate the transaction networks that link all players in the payment value chain. Visa and MasterCard lead the industry in developing standards, tools and best practices for fraud prevention. Major challenge: strengthen overall trust in online commerce.
–– Card issuers. Financial institutions that issue payment cards and "own" the cardholder relationship. They evaluate transaction risk, verify cardholder identities and make authorization decisions. Major challenge: detect and block fraudulent transactions.
–– Acquirers/merchant banks. Act as intermediaries between card issuers and merchants. They process transactions for multiple merchants, handling payment and settlement services directly or through third parties. Major challenge: ensure that merchant accounts hold fraud-related chargebacks to acceptable levels.
–– E-commerce merchants. Accept card-based electronic payments for goods and services. Major challenges: reduce exposure to fraud-related chargebacks without inconveniencing shoppers; protect consumers' payment card data.

The Hidden Costs of Fraud

The costs of e-commerce fraud go far beyond the $3.4 billion in goods and services that were ordered and delivered in 2011 but never paid for. According to the LexisNexis report, merchants incurred costs of more than $2.33 for every dollar of fraud committed.[12] For example, they absorb the cost of fulfillment and delivery services for fraudulent purchases. They devote resources to investigating and administering fraud claims, and all parties in the payment card value chain make significant investments in preventive technology, services and staff.

[10] "2012 Online Fraud Report." CyberSource. Page 1.
[11] "2012 Online Fraud Report." CyberSource. Page 12.
[12] "LexisNexis Study Finds Fraud Rates and Data Breaches Could Increase for Retailers Next Year."
–– The major card brands offer fraud-prevention tools for merchants and issuers. The most familiar are the Card Verification Number (CVN), the Address Verification Service (AVS), and the payer authentication services Verified by Visa and MasterCard SecureCode.
–– Merchants and card issuers, using internal resources or working through partners, deploy an arsenal of automated screening tools and decision systems to evaluate the risk of incoming orders and improve the accuracy of accept/decline decisions. They also employ skilled fraud analysts to manually review and dispose of high-risk cases.
–– Acquirers/merchant banks process transactions from multiple e-commerce merchants. Because they can be de-listed by the card networks if their merchant accounts exceed acceptable fraud levels, acquirers invest in monitoring and managing the quality of those accounts.

All these investments qualify as "profit leaks" that reduce the bottom line for players in the payment card ecosystem. Though it is impossible to quantify, e-commerce fraud probably has its biggest impact on the top line. Consumer distrust slows the growth of online transactions, reduces merchants' online revenues and cuts into the various transaction-based fees collected by other stakeholders in the value chain.

Even when consumers are willing to shop online, cumbersome security procedures increase the rate of transaction abandonment, which Forrester Research estimated at 75 percent for the first half of 2011. In the U.S. alone, $18 billion is lost annually to abandoned transactions, with concerns about security being one of several key reasons cited by consumers.[14] (Others included high shipping and handling costs, people not being ready to purchase the product, and the preferred payment method not being available.)

ANTI-FRAUD SOLUTIONS: THREE USE CASES

E-commerce fraud causes pain and poses challenges across the entire payment card ecosystem. However, the direct costs of fraud and the responsibility for stopping fraudulent transactions fall primarily on two groups: merchants and card issuers. The following use cases highlight key areas of vulnerability and the solutions being deployed to improve fraud detection and prevention.

Use Case #1: Protecting Transactions with Risk-Based Authentication

Once a fraudulent transaction is approved, the resulting loss is almost never recouped. For this reason, there is a big focus on preventing fraud in real time at the point of transaction. As an early step in this direction, Visa in 2001 developed the Three Domain Secure protocol (3D Secure, or 3DS) to enhance the security of Internet payments. 3D Secure was designed to strengthen real-time verification of cardholder identities by requiring an additional layer of password authentication. Services based on 3D Secure are offered by several major card brands: Visa (under the name Verified by Visa), MasterCard (MasterCard SecureCode), JCB International (J/Secure) and American Express (SafeKey).

With these services, cardholders are encouraged, and in some countries required, to enroll through their card issuer, at which time they create a password. Every time an enrolled user shops at a 3D Secure merchant, the individual must complete an extra step during payment by entering that password before the purchase is authorized.
The Shortcomings of Enrollment-based 3D Secure

Merchant participation in 3D Secure services is not mandatory, but merchants who implement the program benefit from a significant liability shift: for authenticated transactions they are no longer responsible for fraud-related chargebacks, which instead become the responsibility of the issuing bank. (The shift covers fraud disputes only; non-fraud disputes such as goods not received are unaffected.) Despite this incentive, adoption of enrollment-based 3D Secure services has been much slower than expected. Where enrollment is voluntary, a large percentage of cardholders opt out.[15] Among enrollees, users report being locked out of valid transactions or having their card rendered useless, necessitating time-consuming help desk calls. More than 10 years after the launch of 3D Secure, consumer frustration is still evident in an ongoing stream of tweets devoted to the topic. (A typical complaint from May 2012: "Constant confusion and mistrust when prompted for extra info.")

All this is bad news for merchants and card issuers. If consumers are sufficiently annoyed, they will abandon the sale, causing the merchant to lose revenue. Worse, they may choose to shop with another merchant or card issuer altogether. In many cases, merchants have elected to absorb e-commerce fraud losses rather than risk the high rates of transaction abandonment that can result from an inconvenient shopping experience.

Who, But a Thief, Buys Six Large-Screen TVs All At Once?

In response to these shortcomings, stakeholders began to explore a risk-based approach to 3D Secure authentication that would improve detection while eliminating the need for passwords and the associated enrollment process.

[15] "Advantages of a Risk Based Authentication Strategy for MasterCard SecureCode." MasterCard, 2011. Page 6.
[16] "Advantages of a Risk Based Authentication Strategy for MasterCard SecureCode." Page 5.
Rather than relying on a few pieces of static data to validate the cardholder, risk-based authentication (RBA) uses a risk engine and decision tools to evaluate a wealth of transactional, behavioral and cross-institutional data in real time before authorizing or blocking a transaction. For example, comparing the user's transaction history to known fraud patterns, such as buying multiples of the same big-ticket item in one transaction, can help spot likely fraud (who, but a thief, buys six large-screen TVs all at once?). IP geolocation data, device fingerprinting and the currency used in a transaction can flag suspicious purchases originating in foreign countries or from an unfamiliar device. (If you ordered a bathing suit online two hours ago from your home computer in Ohio, who is using your card right now to buy an expensive camera from a smartphone in Eastern Europe?)

Based on this kind of dynamic assessment, risk-based authentication assigns a risk score (low, medium or high) and challenges only the transactions determined to be suspicious. In those cases, the transaction may be declined and terminated, or the cardholder may be asked to answer a challenge question or provide a different payment method before the transaction is approved.

Fast Results from Risk-Based Authentication

RSA played an early role in developing risk-based authentication for e-commerce. The company had already launched a risk-based transaction monitoring solution for online retail banking, now called RSA® Adaptive Authentication. This capability was the industry's first cross-institution fraud network for tracking and sharing fraud-related data among members. By integrating its existing technology into the 3D Secure system, RSA was able to quickly bring these same resources to bear on e-commerce fraud.

Card issuers that were early to adopt the RSA solution achieved dramatic results. A pilot program in the U.K. saw an 85 percent reduction in checkout time and a 70 percent reduction in transaction abandonment, and interrupted the shopping experience for only five percent of customers. These improvements were achieved without any increase in the fraud rate.[16]
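The scoring described in the "Who, But a Thief" section above, as an added Python example: this is not RSA's risk engine and not code from the original paper. It scores a card-not-present transaction against the cardholder's home country, known devices and recent history, maps the score to the low/medium/high bands the paper describes, and turns the band into the action the Access Control Server would take (approve silently, challenge, or decline). The signal names, weights, thresholds and time windows are assumed for illustration, the impossible-travel check is a deliberately simplified "different country within six hours" rule, and the three sample transactions (the Ohio bathing suit, the camera bought from a foreign smartphone two hours later, and the six TVs) are constructed, with the country code RO standing in for the paper's "Eastern Europe".

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Illustrative weights and thresholds (assumed, not RSA's model). A production
# engine learns these from labelled history and consults many more signals.
WEIGHTS = {
    "multiple_big_ticket": 40,   # several units of one expensive item
    "foreign_ip": 25,            # IP geolocation outside the card's home country
    "foreign_currency": 10,      # priced in a currency the cardholder never uses
    "unknown_device": 20,        # device fingerprint never seen for this card
    "impossible_travel": 30,     # recent purchase from a different country
    "high_velocity": 15,         # several orders inside one hour
    "amount_outlier": 15,        # far above the cardholder's usual spend
}
BIG_TICKET_PRICE = 500.0
TRAVEL_WINDOW = timedelta(hours=6)
VELOCITY_WINDOW = timedelta(hours=1)


@dataclass
class Transaction:
    amount: float
    currency: str
    quantity: int
    unit_price: float
    device_id: str      # device fingerprint, opaque to the engine
    ip_country: str     # country code from IP geolocation
    ts: datetime


@dataclass
class CardProfile:
    home_country: str
    home_currency: str
    known_devices: set
    history: list = field(default_factory=list)   # earlier transactions on this card


def risk_signals(tx, profile):
    """Return the names of every fraud pattern the transaction matches."""
    hits = []
    if tx.quantity >= 3 and tx.unit_price >= BIG_TICKET_PRICE:
        hits.append("multiple_big_ticket")
    if tx.ip_country != profile.home_country:
        hits.append("foreign_ip")
    if tx.currency != profile.home_currency:
        hits.append("foreign_currency")
    if tx.device_id not in profile.known_devices:
        hits.append("unknown_device")
    # Simplified impossible-travel check: any purchase from another country
    # inside the window (a real engine would use distance and elapsed time).
    recent = [h for h in profile.history if tx.ts - h.ts <= TRAVEL_WINDOW]
    if any(h.ip_country != tx.ip_country for h in recent):
        hits.append("impossible_travel")
    if sum(1 for h in profile.history if tx.ts - h.ts <= VELOCITY_WINDOW) >= 3:
        hits.append("high_velocity")
    if profile.history:
        average = sum(h.amount for h in profile.history) / len(profile.history)
        if tx.amount > 3 * average:
            hits.append("amount_outlier")
    return hits


def assess(tx, profile):
    """Score the transaction and map the score to a band and an ACS action."""
    hits = risk_signals(tx, profile)
    total = sum(WEIGHTS[h] for h in hits)
    if total >= 60:
        band, action = "high", "decline"
    elif total >= 30:
        band, action = "medium", "challenge"   # e.g. a challenge question
    else:
        band, action = "low", "approve"        # transparent, no password prompt
    return {"score": total, "band": band, "action": action, "signals": hits}


def demo():
    """Constructed sample: a U.S. cardholder whose only known device is 'home-pc'."""
    t0 = datetime(2012, 5, 10, 9, 0)
    profile = CardProfile("US", "USD", {"home-pc"})
    suit = Transaction(45.0, "USD", 1, 45.0, "home-pc", "US", t0)
    routine = assess(suit, profile)
    profile.history.append(suit)
    # Two hours later: an expensive camera from an unknown phone in another country.
    camera = Transaction(899.0, "EUR", 1, 899.0, "phone-x", "RO", t0 + timedelta(hours=2))
    abroad = assess(camera, profile)
    # Six large-screen TVs from the usual device and country.
    tvs = Transaction(7200.0, "USD", 6, 1200.0, "home-pc", "US", t0 + timedelta(hours=3))
    bulk = assess(tvs, profile)
    return {"routine": routine, "camera": abroad, "tvs": bulk}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The bathing suit scores 0 and is approved without any prompt; the camera trips five signals (foreign IP, foreign currency, unknown device, impossible travel, amount outlier) for a score of 100 and is declined; the six TVs score 55 on the multiple-big-ticket and amount-outlier patterns alone, so they land in the medium band and are challenged rather than blocked, which is the behaviour the paper attributes to a risk-based approach: only the suspicious minority of transactions ever sees a challenge.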
Similarly, Indue of Australia quickly cut its fraud losses at 3D Secure merchants by 90 percent and lowered its abandonment rate to roughly three percent, well below the industry average at the time. Germany's Deutsche Postbank Group reduced fraudulent transactions by 85 percent and eliminated the support costs associated with enrollment-based 3D Secure.

Reducing the Burden of Help Desk Calls

Risk-based authentication has also helped dramatically reduce 3D Secure-related help desk calls at a dozen U.K. and U.S. issuers. Those using a risk-based approach received an average of 58 percent fewer calls related to account lockouts and password resets, compared to those using the enrollment-based system. One top-10 global issuer saw 3D Secure customer service activity drop nearly 97 percent after eliminating enrollment.[17]

The results further suggest that improving the accuracy of fraud detection can reduce a major element of fraud management cost: the manual screening of flagged transactions that turn out to be legitimate and ultimately are authorized. More accurate screening also reduces the incidence of "customer insult" by ensuring that far fewer valid transactions are declined or challenged.

In evaluating six leading providers of risk-based authentication solutions used in the financial services industry, Forrester analysts wrote this about the risk-based authentication capabilities that underlie RSA® Adaptive Authentication for eCommerce: "RSA dominated this Forrester Wave because it has a huge customer base that dwarfs other vendors and has been striving to provide customers with a wide selection of authentication methods and tokens and well-rounded case management. RSA also offers a leading data aggregator's data sources for identity vetting and proofing for out-of-wallet security questions."[18]

Use Case #2: Protecting Consumers by Tokenizing Credit Card Data

Where risk-based authentication protects online transactions by detecting and blocking high-risk activity, tokenization protects consumers from payment card fraud, and merchants from payment card data breaches, by safeguarding the payment card data itself.

The connection between credit card theft, e-commerce fraud and related identity crimes first came to wide public attention in 2003, when Citibank produced a series of commercials that depicted fraud victims "channeling" the people who had ripped them off. In one famous ad, a middle-aged man sits in his paneled den and speaks in the nasal voice of a Valley Girl who has used his identity information to buy herself a $1,500 leather bustier. Nearly 10 years later, consumers are more knowledgeable and wary about credit card theft and fraud, but the problem remains largely beyond their control. Millions of cardholder accounts are compromised annually as a result of data breaches at organizations that retain card data.

A Problem That Won't Go Away

E-commerce merchants, traditional retailers and other businesses struggle with how to protect the cardholder data entrusted to them. In many settings, the challenge is made more difficult by the fact that the data is duplicated across multiple systems, applications and databases, where it is stored unprotected. Securosis, an independent research and analysis firm, has pointed out that, historically, credit card numbers have been used as a primary identifier in retail environments, even when there is no need to access the actual number. "As the standard reference key, credit card numbers are stored in billing, order management, shipping, customer care, business intelligence, and even fraud detection systems. They are used to cross-reference data from third parties to gather intelligence on consumer buying trends. Large retail organizations typically store credit card data in every critical business processing system."[19]

Added to these, unprotected card data may also be archived on backup tapes and disks, replicated for disaster recovery, and downloaded to employee laptops for analysis. Even if some of these points are well defended, others remain vulnerable, with access controlled by nothing more than static passwords that can be easily defeated by hackers or malicious insiders. Once these protections are breached, the data can be stolen, transmitted or misused by anyone with access to it.

The Mandate: Protecting Data from End to End

Due to the evolving nature of today's threats, and the stringent requirements of the Payment Card Industry Data Security Standard (PCI DSS), merchants need to protect all this data from end to end: at the point of capture in the application layer (where many damaging breaches now occur), at rest in databases across multiple locations, and in transit between diverse applications and systems.

With its strong protection mechanisms, encryption has been the preferred method for safeguarding cardholder data. However, tokenization has rapidly gained acceptance as an alternative because of its many compelling benefits. First and foremost, rather than trying to protect cardholder data from theft or exposure, a tokenization solution removes it altogether from any systems and applications that do not specifically require it. This is a major game changer: thieves cannot steal what is not there, so business risk is drastically reduced. Merchants do not need to protect what they no longer store, so related security costs are reduced. Furthermore, by shrinking the footprint of sensitive data across the environment, tokenization can significantly reduce PCI compliance costs (the token vault and the few systems able to detokenize remain in scope and must be protected accordingly). Some RSA customers have achieved reductions of 30 percent or more in PCI compliance costs.

[17] "Advantages of a Risk Based Authentication Strategy for MasterCard SecureCode." Page 8.
[18] Cser, Andras and Maler, Eve. "The Forrester Wave™: Risk-Based Authentication, Q1 2012." Forrester. February 22, 2012.
How Tokenization Works

With tokenization, a consumer's card data is protected at the point of capture, transmitted to a central repository and encrypted in a secure vault. Only those few applications that require the actual card number are authorized to access the vaulted data. For any other application, the system provides a randomly generated substitute value, called a token, which can be passed between applications, databases and business processes without risk.

Tokens are analogous to the chips issued by a casino: you exchange your cash for chips, which are then accepted as a form of payment throughout the casino. If they are removed from the environment, however, they have no cash value and cannot be used for payments. Similarly, credit card token values are useful to the merchant but have no value to the attacker. If tokens are stolen or exposed, the information is useless in perpetrating e-commerce fraud, provided the attacker cannot also invoke the detokenization service; that interface is therefore the one to lock down most tightly.

One of the primary benefits of tokenization is that it enables a merchant or payment processor to consolidate payment card data from dozens or hundreds of systems down to a few points, and then focus security resources on safeguarding those high-risk points. This consolidation makes it easier and far less costly to protect this sensitive information.

The RSA Approach

Believing that tokenization should be a core component of any layered security strategy, RSA incorporated comprehensive tokenization functionality into the RSA® Data Protection Manager platform, combining it with application encryption, data-at-rest encryption and comprehensive key lifecycle management. In collaboration with First Data, the largest payment processor in the industry, RSA also created the industry's first secure payment solution to offer both encryption and tokenization of cardholder data as a hosted service. The hosted model frees merchants from the cost of building and maintaining this component of payment processing infrastructure. And by shifting cardholder data from the enterprise to the payment processor environment, it also shifts much of the risk and cost of PCI compliance to a trusted third party.

The wide adoption of tokenization within financial services has inspired other industries to follow suit, using the technology to protect other sensitive personal information, such as birth dates, account numbers, Social Security numbers, and even elements of an individual's electronic health record.

To understand how tokenization and risk-based authentication work together to protect payment card data, please refer to Appendix A, "End-to-end Protection for Payment Cards."

[19] "Tokenization vs. Encryption: Options for Compliance." Securosis. July 2011. Page 3.

Use Case #3: Protecting Brands (and Their Customers) from Cyber Attacks

The collective impact of technology-based protections has certainly helped to slow the growth of e-commerce fraud. Unfortunately, as these safeguards become more pervasive and robust, humans constitute one of the weakest links in payment card security. That is why phishing and Trojan attacks continue to be employed in e-commerce fraud and other forms of cybercrime. Through these methods, cybercriminals attempt to extract sensitive information by exploiting trusted relationships (respected brands, friends and colleagues, social networking contacts) and routine behavior (such as opening email or clicking on links when directed to). For example, despite its lack of sophistication and low response rates (a result of consumers becoming more educated), phishing remains popular in fraud circles because of its low execution cost, easy-to-use attack tools, and access to new distribution channels via poorly defended social networking sites. Cybercriminals today can buy phishing kits for just a few dollars, and each month tens of thousands of unique phishing attacks are launched all around the world.
In June 2012 alone, RSA identified 51,906 unique phishing attacks targeting global organizations.

The Menace Concealed by a Familiar Face

The most effective attacks are carefully crafted to establish credibility and trust. They appear to come from a reputable brand or an individual known to the recipient (see Figure 1). Unlike the crude efforts of the past, which often contained telltale grammatical errors and simplistic visuals, today's phishing attacks use "scraping" tools to closely mimic the legitimate brand, down to the correct type fonts, color palette and business jargon. In the case of spear-phishing attacks, which target high-level individuals with access to extremely valuable information, the email will often allude to details (gleaned from research) that an outsider is unlikely to know.

Figure 1: An example of a real phishing attack that mimicked a leading consumer brand with the promise of easy financial rewards to manipulate people into disclosing payment card data and other personal information.
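The brand-impersonation checks that a URL-monitoring crawl of the kind described under "Monitoring and detection" below has to perform on every sighted URL, as an added Python example: this is not RSA FraudAction code and not from the original paper. It flags four ways an attacker's hostname mimics a brand: the brand name embedded in a hostname the brand does not own (acmebank.com.secure-login.example), homoglyph lookalikes (acrnebank for acmebank), one- or two-character typosquats, and the brand name in the path of a bare IP address. The brand "acmebank", its legitimate domains, the homoglyph table and the sample URLs are all constructed; the address 203.0.113.5 is from the documentation range; and taking the label left of the last one as the second-level label is a simplification (real scanners use the Public Suffix List).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed brand and its genuine domains (assumed; not a real company).
BRAND = "acmebank"
LEGIT_DOMAINS = {"acmebank.com", "acmebank.co.uk"}

# Common character swaps used to make a lookalike label read like the brand.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]


def normalize(label):
    """Undo the common glyph substitutions so 'acrnebank' reads as 'acmebank'."""
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming (one row kept at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url):
    """Return (verdict, detail) for one URL seen by a brand-monitoring crawl."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return ("legitimate", host)
    if is_ip(host):
        # Phishing kits are often dropped on a bare IP with the brand in the path.
        if BRAND in path:
            return ("brand-in-path-on-bare-ip", host)
        return ("unrelated", host)
    labels = host.split(".")
    # Brand name used anywhere in a hostname the brand does not own, e.g.
    # acmebank.com.secure-login.example or acmebank-verify.example.
    if any(BRAND in label for label in labels):
        return ("brand-embedded-in-hostname", host)
    # Second-level label (simplified: the label left of the last one).
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if normalize(sld) == BRAND:
        return ("homoglyph-lookalike", sld)
    if edit_distance(sld, BRAND) <= 2:
        return ("typosquat", sld)
    return ("unrelated", host)


def scan(urls):
    """Classify a batch of URLs and keep only those that need an analyst's look."""
    findings = {}
    for url in urls:
        verdict, detail = classify(url)
        if verdict not in ("legitimate", "unrelated"):
            findings[url] = (verdict, detail)
    return findings


SAMPLE_URLS = [  # constructed, not real sightings
    "https://www.acmebank.com/login",
    "http://acmebank.com.secure-login.example/verify",
    "https://acrnebank.com/signin",
    "https://acmebamk.com/",
    "http://203.0.113.5/acmebank/update.php",
    "https://news.example.org/markets",
]

if __name__ == "__main__":
    for url, (verdict, detail) in scan(SAMPLE_URLS).items():
        print(f"{verdict:28} {detail:40} {url}")
```

Run on the sample list, four of the six URLs are flagged and the brand's own www host and the unrelated news site pass through. The order of the checks matters: the allow-list runs first so the brand's real subdomains are never reported, and the homoglyph test runs before the edit-distance test because a glyph swap such as "rn" for "m" costs two edits and would otherwise be reported under the less specific verdict.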
Convinced that the communication is authentic, the recipient is directed to an equally authentic-looking website where they are lulled into disclosing the sought-after information. Or they may click on a link in the email or be sent to a website that silently installs malware on their system.

Eroding Trust in Respected Brands and Everyday Tools

These attacks undermine the brand that has been hijacked to deliver the attack, and they erode trust in the everyday tools and interactions on which businesses rely. Email marketing is now so tainted that consumers are rightfully wary of messages from their bank, insurance agency or favorite retail stores. Users worry whether they are being directed to a legitimate website or whether they may be downloading a malicious Trojan capable of stealing their credit card numbers, e-commerce login credentials or online banking credentials.

For merchants whose brand is being tarnished by phishing and Trojan attacks, the most effective defense is to monitor the Internet for threats that target their own brand and shut down the offending sites in the shortest possible time. Toward this end, leading vendors have developed sophisticated anti-fraud capabilities that can identify and short-circuit many attacks in a matter of minutes and stamp out advanced attacks in just a few hours. RSA has been a pioneer in this realm; the RSA® FraudAction™ service offers a template for what a comprehensive solution might include:

–– Monitoring and detection. Billions of URLs are scanned daily to identify and analyze suspicious sites and detect phishing attacks that specifically target the customer's brand or sub-brands.
–– Around-the-clock analysis. Trojan attacks are studied to identify new threats and fast-changing variants, detect methods of operation on infected systems, and extract triggers, communication points, and drop and update points.
–– Alerts and updates. Once a new threat is confirmed, customers are immediately notified and fraud data is updated within the RSA® eFraudNetwork™.
–– Site blocking. An extensive network of blocking partners prevents end users from accessing confirmed phishing and malware sites, reducing their risk of exposure to fraudulent sites.
–– Rapid shutdown. Through relationships with more than 14,000 hosting authorities worldwide, "cease and desist" notices are issued and offending sites are quickly shut down.
–– Credential recovery. This feature allows merchants to proactively notify customers whose credentials may have been compromised so they can monitor their account activity. Recovery of stolen credit card data allows merchants to decline transactions made with a stolen card.

RSA's approach has been highly effective. For example, RSA analysts have shut down more than 650,000 cybercrime attacks, the highest shutdown volume for any provider in the industry.

CONCLUSION

With e-commerce sales expected to grow over the next 10 years, the growth of fraud is sure to follow. All stakeholders in the e-commerce value chain are hurt by fraud, and all share responsibility for detection and prevention. While it will never be possible to completely eradicate e-commerce fraud, experience shows it is possible to slow its growth by implementing protections at critical points of vulnerability. Those brands that are early in deploying the best tools and strategies for fraud detection and prevention, and in ensuring that their partners in the value chain do as well, will gain critical advantages as a result. These include increased consumer trust in online commerce, higher transaction volumes, lower fraud rates, reduced fraud prevention and mitigation costs, and greater profitability.
Appendix A: End-to-end Protection for Payment Cards

The combination of tokenization and risk-based authentication includes these steps:

1. Checkout: The shopper enters credit card data, which is protected during checkout.
2. Tokenization: The merchant encrypts and vaults the card data for later transactions. A token is issued to replace the card number in subsequent uses (order management, shipping, etc.).
3. Risk score: The risk engine dynamically analyzes transaction and behavioral data, known fraud patterns from the eFraudNetwork, and data from many sources in real time, and assigns a risk score.
4. Authentication: The Access Control Server (ACS) transparently approves low-risk transactions and challenges or declines high-risk purchases.
5. Authorization: The issuer digitally signs the receipt and returns the authorization to the merchant.
6. eFraudNetwork: Known threats and fraud patterns are updated and shared to improve the accuracy of fraud detection.

[Figure: flow diagram of the six steps above, showing the Cardholder, Merchant, Acquirer and Issuer, the Token Server with vaulted card data, the Risk Engine with its authentication history and fraud patterns, the ACS, and the eFraudNetwork.]
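The vault behind step 2 of Appendix A and the "How Tokenization Works" section, as an added Python example: this is not RSA Data Protection Manager code and not from the original paper. It gives the same card number the same token on every checkout (the vault is indexed by a keyed hash of the PAN, so the index table is useless without the key), issues format-preserving tokens that keep the last four digits but deliberately fail the Luhn check so a token can never be mistaken for, or submitted as, a card number, and lets only an allow-listed application such as the payment gateway turn a token back into a PAN. The lookup key, the application names and the test card number 4111 1111 1111 1111 are assumptions; encryption of the stored PANs under a managed vault key is out of scope for this snippet and is marked where it belongs.

```python
import hashlib
import hmac
import secrets


def luhn_ok(digits):
    """Luhn check-digit validation, as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def make_token(pan):
    """Random token of the PAN's length that keeps the last four digits but fails Luhn."""
    while True:
        body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
        token = body + pan[-4:]
        if token != pan and not luhn_ok(token):
            return token


class TokenVault:
    """Assumed design: keyed-hash index, token -> PAN map, allow-list for detokenize."""

    def __init__(self, lookup_key, authorized_apps):
        self._key = lookup_key
        self._authorized = set(authorized_apps)
        self._token_by_index = {}   # HMAC(PAN) -> token, so a repeat PAN reuses its token
        self._pan_by_token = {}     # token -> PAN; in a real vault this value is encrypted
                                    # under a managed key (assumption: out of scope here)

    def _index(self, pan):
        # Keyed hash: without the key the index cannot be brute-forced over the
        # card-number space by someone who copies the table.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        """Store the PAN (once) and hand back the token every other system will use."""
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        token = make_token(pan)
        while token in self._pan_by_token:      # collision: practically never, but cheap to guard
            token = make_token(pan)
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token, app):
        """Only allow-listed applications (e.g. the payment gateway) get the PAN back."""
        if app not in self._authorized:
            raise PermissionError(f"{app} is not authorized to detokenize")
        return self._pan_by_token[token]


def demo():
    vault = TokenVault(secrets.token_bytes(32), authorized_apps={"payment-gateway"})
    pan = "4111 1111 1111 1111"     # well-known test card number, not a live account
    token = vault.tokenize(pan)
    stable = vault.tokenize(pan) == token      # second checkout, same token
    gateway_pan = vault.detokenize(token, "payment-gateway")
    try:                                        # order management only ever sees the token
        vault.detokenize(token, "order-management")
        blocked = False
    except PermissionError:
        blocked = True
    return {"token": token, "stable": stable, "pan": gateway_pan, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Keeping the last four digits lets customer-care and order screens show "ending in 1111" without touching the vault, and the failed Luhn check means a leaked token is rejected by any payment endpoint as malformed rather than passed through as a card number. The remaining attack surface is exactly what the paper points at: the detokenize interface and the vault's storage key, which is why the allow-list is enforced in the vault rather than trusted to the calling application.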
About RSA

RSA is the premier provider of security, risk and compliance solutions, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, data loss prevention, encryption and tokenization, fraud protection and SIEM with industry-leading eGRC capabilities and consulting services, RSA brings trust and visibility to millions of user identities, the transactions that they perform and the data that is generated. www.emc.com/rsa

RSA, the RSA logo, EMC², EMC and "where information lives" are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2011 EMC Corporation. All rights reserved. Published in the USA. ECOMM WP 0712