Payment fraud prevention is the key to safer and healthier business growth. Let’s see what systems must be in place for it to work.
There’s no way around it: if your business accepts payments in a CNP (card not present) scenario, there will be fraud.
Juniper Research forecasts fraud will cost eCommerce $50.5B by 2024, but every other vertical is just as badly affected.
Following huge data breaches, stolen IDs and card numbers are easier than ever to find. Combined with the fact that fraud software is increasingly available, you have a perfect storm brewing – even before we take into account the growth rate of friendly fraud.
Now, if you want a quick answer, transaction risk scoring is the only way to ensure you have a decent payment fraud prevention system in place. But today, we’ll take an in-depth look at all the steps you can take to create a foolproof payment fraud prevention framework at your company.
Understanding Your Fraud Challenges
Payment fraud, or transaction fraud, happens anytime someone pays on your site with a card that’s not theirs.
Card not present fraud (CNP) incurs chargebacks, which can cost you a lot in admin fees, and may put you on card network operators’ risky list.
- Best case scenario: they increase your transaction fee.
- Worst case: they might stop allowing you to accept their cards altogether.
So chargebacks aren’t simply an extra cost you should add to your overheads. Ensuring that you can reduce them is a crucial decision for any business that sells products and services online.
The Problem of Friendly Fraud
Not all transaction fraud is performed by organized criminal organizations. Sometimes, your legitimate buyer is also to blame for unwarranted chargebacks.
It’s called friendly fraud, and the problem is growing at a rapid rate. It can be harder to catch since it involves chargeback requests made by the cardholders themselves.
Broadly speaking, there are three kinds of friendly fraud you might come across:
1. Innocent or Accidental Requests:
You might also call it family fraud, because the cardholder often triggers a dispute after a relative purchased something without their authorization. Children buying skins with their parent’s credit card or unapproved in-app purchases fall into that category.
2. Opportunistic Friendly Fraud
Chargebacks are increasingly initiated by opportunistic and dissatisfied customers, especially in the COVID-19 era.
This could be because of a store policy they disapprove of (offering travel credit instead of a refund), or simply because they regret their purchase.
3. Malicious Friendly Fraud
This type blurs the line between friendly fraud and standard transaction fraud. It happens when buyers know in advance that they’re going to request a chargeback.
These bad customers have every intention to have their cake and eat it, by receiving an item, claiming it never arrived, and getting their money back.
The practice can be trickier to discern, but as we’ll see, not impossible with the right monitoring tools. Moreover, this is also a favourite technique of organized crime rings, which means we can discern certain patterns in order to prevent it.
Other Transaction Fraud Challenges
On top of standard CNP fraud and friendly fraud, there are market-specific challenges such as return fraud in eCommerce, or bonus abuse, which is a consequence of multi-accounting (when fraudsters create multiple accounts to exploit your loyalty or referral programmes).
The good news is that you shouldn’t need different tools to fight all these kinds of attacks.
Payment Fraud Prevention: The Basics
With payment fraud prevention, the more data you have, the better. And regardless of the kind of business you run, there are three user actions you should always monitor for key data points.
- User sign up: the first time you’ll be able to log their submitted data. This is important because you can already check if their data matches with your digital footprint analysis (more on that later).
- User login: the point when you can confirm that the user who signed up is the same one who is using the account. Checking this stage helps prevent ATO (account takeover), which could lead to transaction fraud.
- User transaction: the checkout stage, when users pay. This is, most likely, the first time they enter their credit card number. There is a wealth of information you can gather here, and check it all against the data you’ve previously accumulated.
It’s not just about checking the card number. The more data you have beforehand, the more secure you can be about who you are dealing with. But there’s even more…
Key Solutions For a Better Framework: Digital Footprint Analysis
When fraudsters land on your page, they immediately leave a trace of who they are. This takes the form of an IP address, and the configuration of software and hardware they use to access your site, which can be analysed with device fingerprinting.
Here’s an example of what can be done:
- Social media lookup: we can see if the cardholder’s details match those of the online social profile. It helps extract extra info such as a profile picture, full name, bio, etc…
- IP analysis: beyond checking geolocation, you can also tell if your user is hiding their connection behind a VPN, proxy or emulator.
- Email analysis: even a single data point such as a phone number or email address can reveal a trove of data. Was it created from a suspicious domain (free or disposable address)? How hard was the authentication process? Has it appeared on any data breaches?
- Phone analysis: likewise, a phone number can be checked against a number of records to get a clearer idea of who you’re dealing with. Is it a landline or mobile? Is the carrier location close to the shipping address? Is your user relying on a disposable phone number?
All these extra data points will help you connect the user with the card number information, and make a more intelligent decision when accepting or rejecting their payment.
Multi-Layered Fraud Prevention
When it comes to business payment fraud detection, it’s rare to find a one-size-fits-all solution. Which is why you might sometimes need to mix and match your tools to create the perfect risk tech.
We like to call this process multi-layered fraud prevention. It’s a useful term because it implies that all the tools are working on top of each other, and not creating bottlenecks within your framework.
For instance, you could have:
- On-site payments fraud prevention, with external data enrichment tools.
- Outsourced end-to-end solution.
- External end-to-end solution combined with third-party data enrichment from another provider.
- And many more options…
Bonus points if your fraud solution offers modules that you can enable or disable as needed. This will give you more control over how much information is processed, and also over pricing if you are buying a pay-per-API-call system (more on that below).
In true SaaS fashion, most modern fraud prevention software will be completely cloud-based. So how do you integrate their tools into your company’s system? One answer is to use API calls.
- Benefit from prevention in real-time.
- Get regular updates and fixes without downtime.
- Scale your operations without bottlenecks.
- Tailor the system to your needs with customization options.
More importantly, all the technical IT is taken care of from the vendor’s side. And with well-written API documentation, your own developers should have all the information they need in self-serve mode, so you won’t need to ask for extra support.
We’re now getting on the topic of fraud rules and transaction risk scores. This is the core of your fraud engine, and will allow you to gauge how safe a customer login, checkout, or signup is for your business.
Risk rules can be customized manually, of course, but your payment fraud detection software can also suggest these rules for you. More often than not, this is done by analyzing your historical data and feeding it to an ML (machine learning) engine.
The problem? The rules you will get aren’t always insightful. That is, unless you ensure your system is whitebox, meaning it will show exactly what is happening with the score calculation.
This gives fraud and risk managers more control over the solution, helping them accept, reject, or even tweak the rules offered by the system.
In today’s business landscape, friction is the battleground where customers are won or lost. Put too many obstacles between your users and your site, and they’ll quickly go find a less stringent competitor.
This is particularly damaging when it comes to authentication checks for KYC or AML purposes. Fintechs succeed or fail based on their user experience, which is why you want to block payment risk, without slowing down legitimate purchases.
The best framework to employ is what we call dynamic friction. A good way to think about it is to split verification into light and heavy KYC (know your customer) checks.
Here is what happens: after analyzing the user’s digital footprint, your system will deliver a risk score. You can automate what happens based on it:
- If it’s low enough, your user can continue to the next payment stage immediately.
- If too many red flags are raised, you can proceed with additional authentication such as a selfie ID, 2FA, OTP, or document upload.
While even these extra steps aren’t foolproof against hardened fraudsters, they are certainly enough to deter casual and opportunistic cybercriminals.
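The whitebox scoring and dynamic friction described above can be shown in a few lines of Python. This is an added example, not code from the article or from any vendor's product; the rule names, weights, thresholds, signal field names and the manual-review tier are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed rule set: names, weights and thresholds are assumptions for
# illustration, not values from the article or from any vendor.
RULES = [
    ("email_disposable_domain", 30, lambda s: s["email_disposable"]),
    ("email_no_social_profile", 10, lambda s: not s["email_has_social_profile"]),
    ("ip_behind_vpn_or_proxy", 20, lambda s: s["ip_is_proxy"]),
    ("ip_country_differs_from_card", 15, lambda s: s["ip_country"] != s["card_country"]),
    ("phone_disposable_number", 25, lambda s: s["phone_disposable"]),
    ("phone_carrier_far_from_shipping", 10, lambda s: s["phone_country"] != s["shipping_country"]),
]
STEP_UP_AT = 30  # at or above: heavy check (OTP, 2FA, selfie ID, document upload)
REVIEW_AT = 70   # at or above: hold the payment for the risk team (assumed tier)

# Constructed sample signals, shaped as a data-enrichment step might return them.
LEGIT = {"email_disposable": False, "email_has_social_profile": True,
         "ip_is_proxy": False, "ip_country": "DE", "card_country": "DE",
         "phone_disposable": False, "phone_country": "DE", "shipping_country": "DE"}
TRAVELLER = dict(LEGIT, ip_is_proxy=True, ip_country="ES")
RISKY = dict(TRAVELLER, email_disposable=True, email_has_social_profile=False)

@dataclass
class Decision:
    score: int
    action: str
    fired: list  # (rule name, points) pairs: the whitebox explanation

def score_transaction(signals, disabled=frozenset()):
    """Score one checkout; `disabled` lets a risk manager switch rules off."""
    fired = [(name, pts) for name, pts, test in RULES
             if name not in disabled and test(signals)]
    score = sum(pts for _, pts in fired)
    if score >= REVIEW_AT:
        action = "manual_review"
    elif score >= STEP_UP_AT:
        action = "step_up_auth"   # dynamic friction: only risky users see it
    else:
        action = "allow"          # light path: straight to the next stage
    return Decision(score, action, fired)

if __name__ == "__main__":
    for label, sig in [("legit", LEGIT), ("traveller", TRAVELLER), ("risky", RISKY)]:
        print(label, score_transaction(sig))
```

Because every decision carries the list of rules that fired, a risk manager can see why the traveller was stepped up and, if VPN use turns out to be common among good customers, disable that single rule without touching the rest.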
A quick system integration is essential when deploying an anti-fraud system, but you can go one step further by adapting it to your business productivity needs.
For instance, you could combine payment analysis with another workflow to reduce the risk of money laundering. We’ve seen examples of businesses that trigger alerts when a purchase is above a certain threshold, so the risk team can manually have a look at it.
Last, but not least, you should carefully weigh different options when it comes to your transaction fraud system’s pricing model.
Many vendors operate on a chargeback guarantee model, which means they essentially pay back your chargeback fees if a request goes through.
However, it creates a strong incentive for the fraud management company to be as conservative as possible. If you’d rather leave the headaches of managing chargeback fees to them, it can work well.
But if you want a bit more control over how you mitigate risk to accept more conversions, it could be in your best interest to look at other pricing models, such as pay-per-API-call.
This will let you control your ROI based on the number of transactions you process monthly, which is great for scaling your operations and for seasonal upticks in payment processing.
Business Transaction Fraud Detection – Key Takeaways
Transaction fraud shows no signs of slowing down. Curbing your chargeback rates isn’t simply a matter of boosting profits any longer; it’s now a crucial business decision and a competitive advantage. The good news is that fraud detection software has evolved in leaps and bounds over the years. You now have increased flexibility when it comes to integration, pricing model, and how your business chooses to mitigate risk.
Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.