Are High-Security Checks Worth It?

by Tamas Kadar
Payment fraud prevention is the key to safer and healthier business growth. Let’s see what systems must be in place for it to work.
There’s no way around it: if your business accepts checkout via a CNP scenario, there will be cases of card-not-present fraud.
Juniper Research forecasts fraudulent transactions will cost ecommerce $50.5 billion by 2024, but every other vertical is equally badly affected.
Now, if you want a quick answer, transaction fraud scoring is the only way to ensure you have a decent payment fraud detection system in place. But today, we’ll take an in-depth look at all the steps you can take to create a foolproof payment detection framework for your company.
Payment fraud refers to transactions made without the cardholder’s consent. The majority of cases happen after credit card details are stolen and appear on the dark web. Other payment methods – such as virtual checks, direct debits or phone payments – can be defrauded as well, as long as the attacker has acquired the proper information. From the criminal’s point of view it’s just a means to an end: to make legal money out of illegally acquired money as quickly as possible.
Payment fraud happens when a fraudster has acquired the credit card details or personal information of the victim that’s needed to complete a transaction. While amateur criminals (or card testers) will be caught by most anti-fraud systems, sophisticated attackers will try to make the transaction data – such as the IP address or the browser language, the name on the card, registration email etc. – appear legit in order to fool the system. If they succeed, you will lose the item / service you are selling, and are now liable for the cost of a chargeback should the cardholder file a claim at their bank.
There are three user things you should always monitor for payment fraud detection:
It’s not just about checking the card details. The more data you have beforehand, the more secure you can be about who you are dealing with. Also, with fraud detection software, the more data you have, the better.
The main challenge in payment fraud is not just telling good transactions from bad ones but differentiating between what needs a human to review it and what doesn’t. Ideally, you should be accepting as many transactions as possible automatically, reviewing only a relatively small number. If your team is fast and well equipped, you can do more manual reviews faster.
Telling a good transaction apart from a bad one is simple, in theory. You know your ideal and typical customer profiles, and whatever deviates from that should be considered risky. Most fraud transactions will seem irrational from a user story point of view: shipping address too far from an IP address, mismatches in the machine settings compared to the cardholder information, and so on. But advanced fraudsters will try to cover these gaps, and you have to be vigilant in checking for any discrepancies that could be a giveaway for fraud, and set your transaction rules accordingly.
Not all transaction fraud is performed by organized criminal groups. Sometimes, your legitimate buyer is also to blame for unwarranted chargebacks.
It’s called friendly fraud, and the problem is growing at a rapid rate. It is near impossible to catch as the transaction is by all means legitimate at the point of purchase.
Broadly speaking, there are 3 kinds of friendly fraud you might come across:
You might also call it family fraud because the cardholder often triggers a dispute after a relative purchased something without their authorization. Children buying skins with their parents’ credit card or unapproved in-app purchases fall into that fraudulent category.
This could be because of a store policy they disapprove of (offering travel credit instead of refund), or simply because they express regret after their purchase.
The process blurs the line between friendly and standard transaction fraud. This happens when the buyers know in advance that they’re going to request a chargeback.
These bad customers have every intention to have their cake and eat it, by receiving an item, claiming it never arrived, and getting their money back.
All these extra data points will help you connect the user with the credit card information, and make a more intelligent decision when accepting or rejecting a purchase.
For instance, you could have:
When it comes to risk management services for business payments, it’s rare to find a one-size-fits-all solution. This is why you might sometimes need to mix and match your tools to create the perfect risktech.
We like to call this process multi-layered. It’s a useful term because it implies that all the tools are working on top of each other, and not creating bottlenecks within your framework.
Bonus points if your fraud solution offers modules that you can enable or disable as needed. This will give you more control over how much information is processed, but also pricing if you are buying a pay-per-API call system (more on that below).
Most companies start out by building their own risk stack on top of the transaction system – and the more advanced tools come in via APIs.
In true SaaS fashion, most modern detection software will be completely cloud-based. So how do you integrate their tools into your company’s system? One answer is to use API calls.
This is important because you can:
More importantly, all the technical IT is taken care of from the vendor’s side. And with well-written API documentation, your own developers should have all the information they need in self-serve mode, so you won’t need to ask for extra support.
Whitebox machine learning systems sometimes need more manual tinkering, but they come with the advantage that your team understands what the system does and why. The learning curve is a bit steeper, but when it comes to communicating with your customers or between departments, you want to know what’s under the hood.
We’re now getting on the topic of fraud rules and transaction risk scores. This is the core of your fraud engine, and will allow you to gauge how safe a customer login, checkout, or signup is for your business.
Risk rules can be customized manually, of course, but your payment fraud detection software can also suggest these rules for you. More often than not, this is done by analyzing your historical data and feeding it to an AI data science process, or ML (machine learning) engine.
The problem? The machine learning rules you will get aren’t always insightful. That is unless you ensure your system is whitebox, meaning it will show exactly what is happening with the score calculation.
This gives fraud and risk managers more control and insights into the solution, helping them accept, reject, or even tweak the rules offered by the system.
We want our user journeys to be as frictionless as possible. Security would rather have everyone ID’d on signup. Dynamic friction is a balancing act between the two: doing most of your security checks in the background, and only triggering ID checks on very risky transactions. It’s the best of both worlds.
In today’s business landscape, friction is the battleground where customers are won or lost. Put too many obstacles between your users and your site, and they’ll quickly go find a less stringent competitor.
This is particularly damaging when it comes to authentication checks for KYC or AML purposes. Fintechs succeed or fail based on their user experience, which is why you want to block risk, without slowing down legitimate purchases.
The best strategy to employ is what we call dynamic friction. A good way to think about it is to split verification into light and heavy KYC checks.
Here is what happens: After analyzing the user’s digital footprint, your system will provide a risk score. You can automate what happens based on this:
While even these extra steps aren’t foolproof against hardened fraudsters, they are certainly enough to deter casual and opportunistic cybercriminals.
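As an added example (not SEON’s code and not part of the original article), here is a minimal whitebox rule engine that ties together the discrepancy signals, the transparent score calculation and the dynamic-friction step described above. The rule names, weights, thresholds and sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class Txn:
    ip_latlon: tuple      # geolocated IP address (lat, lon)
    ship_latlon: tuple    # shipping address (lat, lon)
    card_name: str
    account_name: str
    browser_lang: str     # e.g. "en-GB"
    card_country: str     # card issuing country, upper case, e.g. "GB"
    attempts_last_hour: int

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

# (rule name, points, predicate). Weights and cut-offs are assumptions to tune.
RULES = [
    ("ip_far_from_shipping", 30, lambda t: km_between(t.ip_latlon, t.ship_latlon) > 1000),
    ("card_name_mismatch", 20, lambda t: t.card_name.casefold() != t.account_name.casefold()),
    ("lang_vs_card_country", 10, lambda t: not t.browser_lang.upper().endswith(t.card_country)),
    ("card_testing_velocity", 40, lambda t: t.attempts_last_hour >= 5),
]
# (minimum score, action), checked top down. Thresholds are assumptions.
ACTIONS = [(80, "decline"), (50, "heavy_kyc"), (20, "light_check"), (0, "approve")]

def score(txn):
    """Whitebox score: return the total and every rule that contributed to it."""
    fired = [(name, pts) for name, pts, pred in RULES if pred(txn)]
    return sum(pts for _, pts in fired), fired

def decide(total):
    """Dynamic friction: low scores pass silently, only high scores trigger ID checks."""
    return next(action for floor, action in ACTIONS if total >= floor)

# Constructed sample transactions (not real data).
LONDON, MANCHESTER, SYDNEY = (51.5074, -0.1278), (53.4808, -2.2426), (-33.8688, 151.2093)
SAMPLES = {
    "regular": Txn(LONDON, MANCHESTER, "Ann Lee", "ann lee", "en-GB", "GB", 1),
    "mismatched": Txn(SYDNEY, LONDON, "Ann Lee", "Bob Ray", "en-AU", "GB", 1),
    "card_tester": Txn(SYDNEY, LONDON, "Ann Lee", "Bob Ray", "en-AU", "GB", 7),
}

if __name__ == "__main__":
    for label, txn in SAMPLES.items():
        print(label, *score(txn), decide(score(txn)[0]))
```

Because `score` returns the fired rules alongside the total, an analyst reviewing a held transaction can see which signals drove the decision and adjust a single weight rather than guess.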
At the end of the day, you want your fraud fighting tools to enhance the analyst’s decision making ability. Your system needs to integrate with your other systems, it must present information in a clear and concise manner, and it shouldn’t just dump data at you, but highlight what’s important and why.
A quick system integration is essential when deploying an anti-fraud system, but you can go one step further by adapting it to your industry productivity needs.
For instance, you could combine payment analysis with another workflow to reduce the risk of money laundering. We’ve seen examples of businesses that trigger alerts when a purchase is above a certain threshold, so the risk team can manually have a look at it.
When it comes to risk management, the pricing model can make or break a solution. Beyond the price tag there lie different incentives that define the relationship between you, your customers and your vendor. It quite literally can change your organization’s risk appetite.
This is why you should carefully weigh different options when it comes to your transaction fraud system’s pricing model.
Many vendors operate on a chargeback guarantee model, which means they essentially pay back your chargeback fees if a request goes through.
However, it creates a strong incentive for the fraud management company to be as conservative as possible. If you’d rather leave the headaches of managing chargeback fees to them, it can work well.
But if you want a bit more control over how you mitigate risk to accept more conversions, it could be in your best interest to look at other pricing models, such as pay-per-API-call.
This will let you control your ROI based on the number of transactions you process monthly, which is great for scaling your operations and for seasonal upticks in payment processing.
Transaction fraud shows no signs of slowing down. Curbing your chargeback rates isn’t simply a matter of boosting profits any longer; it’s now a crucial business decision and competitive advantage. The good news is that fraud detection software has evolved by leaps and bounds over the years. You now have increased flexibility when it comes to integration, pricing model, and how your service chooses to mitigate risk.
Have proper risk scoring in place so you can block or review suspicious transactions before approval.
Have your CS team informed about past customer behaviour and their connections to other users who have requested refunds multiple times.
Generally speaking, you should be screening signups, transactions and logins, but you can screen other critical actions as well, like address or password changes.
It depends on the context. A social media lookup performed on the registration email address can tell you if the customer is indeed who they say they are on the card or not. But if you are required by the law to do this, you might need to ask for additional documents, such as a passport or driver’s license.
Simple: Verify your customers in the background and only require IDs from suspicious users via dynamic friction.
Depends on your risk appetite. Though they seem appealing, chargeback guarantees in essence mean that the system will be more conservative and block more good transactions that appear risky. This appears as a cost on your end as your support will have to deal with it, or the customer will turn to a different service out of spite.
Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.