Putting Risk on the Radar

J. Prajapathy, an ICICI Bank credit card holder, was shell-shocked when he received a bank enquiry for a Rs 32,000 (US$618) transaction he had never made. His credit card had been deceitfully used for booking airline tickets online and he isn’t alone. Over 60 percent of online credit card fraud occurs while people buy an air ticket online says B. Madhivanan, general manager at ICICI Bank.

Prajapathy isn’t an isolated case. Unconfirmed reports suggest that credit card fraud went up by 28 percent in India in 2008. Online credit card scams are spreading their ugly tentacles in the world of e-commerce, and a beleaguered aviation sector is being pushed to the wall to devise ways of curtailing incidents of fraud.

Another case in point: a 50-year-old Bangkok-based woman of Indian origin was recently suspected of running an e-ticket scam worth millions from India. Many Indian airlines were affected from the fraud estimated at Rs 5 crore.

SpiceJet was one of the victims.

Like every other airline, SpiceJet had equipped itself to screen credit card transactions, but it lacked a foolproof process to verify online transactions. It’s solution came in the form of a four-member Fraud Control Unit responsible for manually screening transactions made on SpiceJet.com.

“We handle around 2,500 online credit card transactions everyday. We screen them round the clock but the fraud rates increased every day resulting in a loss of revenue to our company. We could feel the pressure mounting on us,” says Rahul Kumar, head of Fraud Control Unit, SpiceJet.

Time was running out, SpiceJet knew it had to do something fast.

Transaction Turbulence

Headquartered in New Delhi, the low-cost carrier took to the skies in May 2005. Since it launched, SpiceJet has single-mindedly focused on becoming a key player in the highly-competitive low-margin segment. By its fourth year, its market share had soared. SpiceJet is now India’s second largest low-cost carrier in terms of market share.

However, getting there wasn’t easy given that the airline operates in an increasingly cluttered segment. The landscape was too small for so many players and this had sparked off a price war the likes the country had never seen before.

But their low-fare pricing model ensured that the low-cost operators survived on razor-thin margins, suddenly making losses from fraud significant enough to garner CXO attention.

“We were losing Rs 50-60 lakh per month. And when you operate in a fiercely competitive low-margin segment, such a significant revenue loss can make you bleed. We were looking at ways to reduce that loss, ” says Virender Pal, CTO, SpiceJet.

Worse still, the increasing number of e-ticket scams, combined with the bright light the media threw on it, was beginning to impact the credibility of the airline’s website — its chief source of revenue.

In this fiercely competitive scenario, SpiceJet strove to create a sustainable profit model. Running on a lean mean and focused operating model, Spicejet maintained a laser-sharp focus on margins. It integrated processes and technology to attain operational efficiency. And one of the best ways an airline can do this is by enabling customers to book tickets online. Passengers who purchase tickets directly off the Internet get a cost advantage, ensuring their continued patronage. The airlines, on the other hand, realize a saving from bypassing travel agencies who otherwise have to be paid a commission.

Profitable and innovative as it may appear, this system is not devoid of loopholes. With slim financial margins, budget airlines are primarily vulnerable to revenue loss from e-ticketing fraud.

Flight Plan

An enormous amount of SpiceJet’s business — about 90 percent — is generated through online credit card transactions, making security a formidable challenge.

“There was a steady rise in the number of online fraud incidents,” says Pal.

SpiceJets’ chargeback rate — or the number of incidents of fraud it faced as a percentage of its total transaction — was 1.5 percent. “That’s a huge number when we you look at our volumes,” says Pal.

Alarmed by the increase, SpiceJet decided to put risk on its radar. It was necessary that they enhanced customer experience with real-time verification of credit card transactions to alleviate any security fears. The thrust was on making SpiceJet.com a secure place for credit card transactions.

SpiceJet then approached IT for help.It knew that IT could provide a platform for securing credit card transactions through their website. And IT was quick to respond with an automated, advanced and flexible online risk management solution that could screen online transactions efficiently.

Pal formed a team of four to spearhead the operation. Because the solution they chose would drive 90 percent of their business, they had to be very careful in identifying a partner.

They wanted to deploy the solution from a company that had an established reputation and a credible database. After three weeks of deliberation they finally opted for CyberSource’s Decision Manager, an automated online risk management solution.

“Decision Manager was selected for its proven flexibility, reliability and scalability in addition to CyberSource’s established reputation in the e-commerce payment industry. The company has a huge dynamic and real-time database of credit cards and this solution is being used by over 20,000 organizations (like Jet Airways and the Future Group) across the globe. We got the benefit of sharing the same database,” says Pal.

Ticket to Security

With Decision Manager on board, SpiceJet can now automatically evaluate credit card transactions in real time. Based on a combination of rules framed by the airline and a set of over 150 parameters, the system decides whether a transaction should be processed further or sent for a review.

SpiceJet formulated these rules after analyzing its experience of fraudulent credit card transactions. It studied the various strategies employed by fraudsters and mapped out its own security requirements accordingly. One such rule was that they would review every transaction made for booking a ticket five hours before the departure of a flight.

“If there is a transaction for a Delhi-Mumbai flight which is to depart in the next five hours and customer’s IP address indicates that he or she is in China, we raise a red flag. So we made a rule that we will check the difference in the booking time and flight time. If it is less than five hours then we do not accept the transaction,” says Kumar.

By running Decision Manager, SpiceJet.com is now able to almost singlehandedly estimate whether an online purchase should be accepted, rejected, or reviewed. But, the application was not given veto power. “We did not want to reject any transactions because this would impact customer experience. If a transaction seems suspicious, we review it. All this happens within two seconds ensuring that customer experience is not impacted,” says Ganesh Raje project manager-IT, SpiceJet.

The project went live in October 2007 and effectively handled the gravity of the situation. But management had certain apprehensions about the implementation. “In case there is a five or 10-minute outage in the system, then during that period you can’t really do business. This was a critical concern for our management,” says Pal.

Another concern was that after implementation, business via SpiceJet.com would decrease because some valid transaction could be rejected. That’s why, says Pal, “Initially, we implemented the system mildly, like an anti- virus. We started from a low level and worked our way up.”

Tight timelines were another tricky issue, especially because fraud rates and chargebacks were escalating with every passing day. And with the competition hounding SpiceJet, it was under tremendous pressure to get its online credit card system in place.

Once the system was up and running, SpiceJet did have some cases of false positives when even a valid credit card transaction was declined. Customers called up the airline to enquire why their transactions were rejected. “Based on that information, we had to further tweak our rule set. Within the last year, and in over a million transactions, we have not had more than 50 to 60 false positives,” says Pal.

Welcome Aboard

The solution brought with itself a whole set of benefits. The automatic screening of credit card transactions reduced the organizational burden of manual intervention. “Post-implementation we screen only those transactions that need to be reviewed. We don’t have to deal with accepted transactions. So now we handle only about 400 transactions in a day as opposed to about 2,500 prior to the implementation,” says Kumar, the head of the fraud control unit.

The solution has definitely impacted customer experience but only in a positive way. “Nothing has changed for the customer except that our website has become a more secure place to transact. Now he knows that his credit card can never be misused at SpiceJet.com. The solution has not only enhanced the sales effectiveness of our website but has also inspired confidence in our customers,” says Raje.

Within two months of the deployment, SpiceJet’s chargeback rate, according to Pal, “plummeted from 1.5 to 0.002 percent” — the lowest chargeback rate among low-cost carriers in Asia, claims the company.

Plus, it makes it easier for SpiceJet to go international. “Our system is now equipped to handle both international and domestic credit cards. We might have to look into our rules and modify them if we want to use it for international transactions,” says Pal.

This highly robust system is capable of handling immense traffic. “When we launch low-fare schemes on SpiceJet.com, the number of transactions increases. By about 10-15 percent in a day. But even then we haven’t faced any performance issues with the system. We didn’t pay upfront for this solution. We pay on a transaction basis — about Rs 10 per transaction for each credit card screening,” says Pal.

As SpiceJet plans to expand its market reach in the international arena, it plans to leverage CyberSource’s global coverage, assessing their expertise and knowledge of fraud trends in the international market. This solution would lend support to its expansion plans in future.

“I think we did it the way we wanted to. A different method could not have been better,” says Pal.

A robust and flexible system that ensures secure transactions and a step a few feet above competition — Pal couldn’t have asked for more.