Fraud Prevention in DSE
date: October 1, 2015
In today’s technology-driven world, online fraud is one of the biggest problems for online providers. From your local Starbucks credit card machine to the world’s biggest online shops, they all have to deal with fraud. The use of stolen credit cards is by far the biggest contributor to online fraud, and the use of mobile devices for financial transactions has increased the risks significantly. Detecting fraud can be difficult and costly, so what can we do to prevent it happening in the first place? This document will hopefully help you to understand how DataStax Enterprise can reduce a business’s exposure to fraud and potentially prevent it happening in the first place. DataStax Enterprise can handle millions of low-latency transactions per second, which allows online algorithms to process transactions in real time and stop fraudulent transactions before they happen.
Current view of Fraud detection and prevention
Card fraud happens in many different ways and online transactions are often the hardest to detect. The main problem is that by the time it’s been detected, the transaction has already occurred and someone is out of pocket.
Let’s quickly look at the people involved in a transaction:
- The Consumer - the entity who wants to make a purchase (point of sale, online, etc.)
- The Merchant - the other entity in the transaction (website, cashier, etc.)
- The Acquirer - a financial institution that handles the transaction for the merchant (e.g. Worldpay or PayPal)
- The Credit Card Network - the credit card service that handles the transaction between the acquirer and the issuer
- The Issuer - the bank or financial institution that provided the consumer with their credit card (e.g. HSBC, Citi)
In terms of preventing fraud, the Acquirer, Issuer and Credit Card Network each have some process in place to try to stop a transaction before it happens.
- The Acquirer works for the merchant, so it may perform some validation checks before sending the transaction on to the Credit Card Network.
- The Credit Card Network usually has watchlists and blacklists of card numbers that it wants to monitor.
- The Issuer is required to check whether the consumer has enough available credit to process the transaction, and to check the status and PIN of the card.
Here is an overview of a credit card transaction flow, all of which has to happen in less than a second.
Criminals are always looking for devious ways to circumvent this process. To combat this we can give more power to both the acquirers and the issuers. In the process above the credit card company is going to be the bottleneck, but there shouldn’t be too much transaction flow for the acquirer and the issuer.
Using DataStax Enterprise, the acquirer can:
- Create unique rules for each merchant
- Scan previous transactions to ensure consistency
- Help to stop employee fraud by ensuring that transactions with certain attributes need confirmation by senior staff.
For example, take a busy coffee shop where 99% of card transactions are under £20 and 100% are under £50. We can create a rule that if, at any stage, a transaction is requested for over £50, a senior member of staff is notified and a confirmation is required. Also, on a given day we can notify the merchant if it has an unusual number of transactions above £20. This is a simple idea, but it requires effort on the part of the acquirer to ensure these requirements are met and that the required people are notified.
Let’s now look at the consumer. They take out a credit card with an issuing bank. They usually have some web interface to see their transactions and pay their bills. With DataStax Enterprise, we can give a consumer more control over the transactions in their account.
For example, giving the issuer the power to:
- Require confirmation for transactions over a certain amount
- Require confirmation for transactions from a merchant not in their history
- Apply rules for certain merchants e.g. maximum of £20 in transactions to the Apple app store per month
- Have notifications for every transaction that has occurred in real time with the option of stopping the transaction if needed.
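The acquirer-side rules from the coffee-shop example above and the issuer-side rules listed here, worked through as an added example; this is not DataStax code and is not from the original document, and it evaluates rules over an in-memory list rather than querying a DSE cluster. The merchant and card names, rule tables and sample history are constructed, and "unusual" is read as more than 1% of a day's sales exceeding the £20 typical amount, which is an assumption.

```python
from collections import defaultdict
from datetime import date
from typing import NamedTuple

class Transaction(NamedTuple):
    card: str
    merchant: str
    amount: float  # pounds
    day: date

# Constructed rule tables (illustrative, not DataStax configuration).
# Acquirer side: ceiling needing senior sign-off; 99% of sales are under "typical".
MERCHANT_RULES = {"coffee_shop": {"ceiling": 50.0, "typical": 20.0}}
CARD_RULES = {"card-1": {"confirm_over": 100.0,  # issuer side: cardholder's own rules
                         "monthly_cap": {"apple_app_store": 20.0}}}
# Constructed history: one day of coffee-shop sales on one card.
SAMPLE_HISTORY = [Transaction("card-1", "coffee_shop", a, date(2015, 10, 1))
                  for a in (3.5, 4.2, 18.0, 25.0)]

def acquirer_checks(tx):
    """Actions the acquirer raises before forwarding tx to the card network."""
    ceiling = MERCHANT_RULES.get(tx.merchant, {}).get("ceiling", float("inf"))
    return ["senior_confirmation"] if tx.amount > ceiling else []

def issuer_checks(tx, history):
    """Actions the issuer raises, given the card's earlier transactions."""
    rule = CARD_RULES.get(tx.card, {})
    mine = [h for h in history if h.card == tx.card]
    actions = []
    if tx.amount > rule.get("confirm_over", float("inf")):
        actions.append("cardholder_confirmation")
    if tx.merchant not in {h.merchant for h in mine}:
        actions.append("new_merchant_confirmation")
    cap = rule.get("monthly_cap", {}).get(tx.merchant)
    if cap is not None:
        spent = sum(h.amount for h in mine if h.merchant == tx.merchant
                    and (h.day.year, h.day.month) == (tx.day.year, tx.day.month))
        if spent + tx.amount > cap:
            actions.append("monthly_cap_exceeded")
    return actions

def unusual_days(history, merchant, max_share=0.01):
    """Days where more than max_share of sales exceed 'typical' (assumed reading of 'unusual')."""
    typical = MERCHANT_RULES[merchant]["typical"]
    total, above = defaultdict(int), defaultdict(int)
    for h in history:
        if h.merchant == merchant:
            total[h.day] += 1
            above[h.day] += h.amount > typical
    return sorted(d for d in total if above[d] / total[d] > max_share)
```

In a DSE deployment the history lookups would be a read of the card's (or merchant's) partition instead of a list scan, which is what keeps the per-transaction latency inside the sub-second window the flow requires.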
DataStax Enterprise is a product built to meet these needs and more.
DataStax Enterprise - A transactional database
What is Apache Cassandra?
Apache Cassandra is an open source distributed database management system designed to handle large amounts of data across many commodity servers, providing high availability with no single point of failure (Wikipedia). It’s used in production today by some of the largest transactional companies in the world like UBS, Credit Suisse and Bank of America.
What/Who is DataStax?
DataStax delivers Apache Cassandra™ in a database platform that meets the performance and availability demands of Internet-of-things (IoT), Web, and Mobile applications. It gives enterprises a secure, fast, always-on database that remains operationally simple when scaled in a single datacenter or across multiple datacenters and clouds. Along with Cassandra, DataStax incorporates complementary technologies like in-memory, advanced security, search and analytics using Apache Spark™. JSON and graph support will be added to that list later this year.
Netflix reinvented its business from DVDs by mail to online media on DataStax Enterprise in the Cloud and now processes 10 Million transactions per second to give users the most personalized viewing experience. Why did they choose DataStax? Quite simply because nothing else could do what DataStax does. The financial sector is going through a shift in both technology and thinking at the moment: the open source offerings and the big data requirements are becoming aligned, and the time is right to take on new projects that give control to customers and clients.
Diagram 1.2 DataStax Enterprise global deployment.
Diagram 1.2 shows a typical global deployment with data centers in the US, Europe and Asia. These can be either physical or in the cloud. This allows clients to connect to their local data centers to avoid high latencies in their applications, while also providing 100% availability even if a data center were to fail.
Fraud Prevention Architecture
Let’s look at how we could implement new applications for acquirers and issuers to fulfil the requirements we have above. Beginning with the issuer, how do we address the following important features:
In today’s world any client-facing application is a critical one. Not providing certain functionality is one thing, but if a system is down when your clients need it, for any reason, it is a failure and will ultimately hurt your business and brand. DataStax provides a database system with 100% uptime: continuous availability. So when a server goes down, a network fails, an upgrade needs to occur or even a datacenter is flooded, DataStax can still provide 100% uptime for all requests. Because Apache Cassandra is a peer-to-peer system, there is no single point of failure, so it is fault tolerant. This should be the number one requirement of any critical system.
To process millions of transactions per second your database has to be fast; really fast. Each DataStax node/server can process tens of thousands of transactions per second. So by scaling the system to a large cluster of nodes, DataStax can process any amount of transactions in a persistent and continuously available system. Along with throughput comes latency. To meet the latency requirements of a query-driven system like the one we want for fraud prevention, we need to be able to write and read at incredible speed. DataStax’s data model allows related data to be grouped together for low-latency reads. This is perfect for both reading and writing the transactions of a particular credit card user, so millions of transactions can be processed at the same time without contention.
Where master/slave architectures always suffer from bottlenecks, peer to peer systems work more like web servers. With DataStax, adding servers is as simple as pointing a new server to an existing cluster of servers. Scaling a DataStax cluster from 10 to 100 servers could take as little as a few hours with pre-provisioned servers and all without having to change the client application. The drivers provided by DataStax automatically load-balance and redirect requests to another data center if a client’s local data center becomes unavailable.
DataStax Enterprise inherits the basic security feature set provided in open source Apache Cassandra™ and builds upon it to provide a set of commercial security extensions that enterprises need to protect critical data. For more complex security requirements, our partner Vormetric offers a comprehensive data security solution for the data stored in DataStax Enterprise and helps organizations comply with PCI-DSS requirements. See Appendix A for a white paper on PCI security.
Financial companies are fast becoming aware of the challenge they face with regard to how they treat their customers. It’s easy to switch credit card providers, so new issuers will be creating new and exciting tools and features to lure customers away from traditional cards. Companies like Final (https://getfinal.com) are giving the customer more powerful and user-driven features that allow customers to have more control. Existing issuers and acquirers must provide similar features if they are to retain their customers.
PCI Compliance Architecture