Payment Gateway Fraud: How It Works & Solutions

Payment gateways and acquirers now offer fraud detection. But there can also be a conflict of interest there.

One way this becomes evident is the rise of what some call the “one-stop-shop”, or the “all-in-one” e-till, which includes fraud detection software along with a whole host of other services.

What Exactly Is a Payment Gateway?

A payment gateway is an essential tool when processing sales as it enables merchants to securely authenticate any customer’s card details when they have made a purchase online.

In the early days of the internet and ecommerce, payment gateways were essentially online payment terminals, but instead of competing with the big-name processors, they decided to focus on merchant and consumer technologies.

It proved to be a smart move. These days, payment gateways are more essential than ever and give online businesses plenty of security and experience-enhancing features.

Payment Processor vs Payment Gateway

Before looking at payment fraud prevention, let’s zoom out to clearly define a few important terms. First, it helps to understand the subtle differences between payment gateways and payment processors.

  • A payment processor analyzes and sends transaction data (card number, issuing bank info, etc.).
  • A payment gateway does all the above and also authorizes the transfer of funds.

The authorization part is the key difference, specifically in the card-not-present world (online stores).

Payment gateways are therefore a good place to implement security checks, whether it’s SSL encryption or a check for fraudulent purchases.

What Is Payment Gateway Fraud?

Payment gateway fraud is the act of ordering goods through the use of another person’s funds, personal details, or personal property via card-not-present transactions.

These transactions are processed through the payment gateway. If a person’s details were used to make these purchases, they might request a chargeback.

How Does Fraud Happen via a Payment Gateway?

Since a payment gateway is essentially a middleman between the merchant and its customers, any time a fraudster looks to conduct payment gateway fraud they need to bypass any fraud detection software.

Some of the most common forms of payment gateway fraud are:

  • Payment gateway identity theft: A cybercriminal gains access to a person’s card information and data, then orders goods without the victim’s knowledge.
  • BIN attacks: Fraudsters use software to generate long lists of potential card numbers to accompany the first six numbers of a card (the BIN) and try to find an active card to make orders.
  • Card testing: Similar to BIN attacks, this involves creating long lists of card details to spam orders on websites in the hope that some will be processed.
  • Account takeover: Here, a cybercriminal logs into an existing customer’s account and uses their stored billing details to make purchases, use up their reward points or re-sell the account online.
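
BIN attacks and card testing both show up in authorization logs as many distinct cards, mostly declined, in a short time. The following detector is an added example, not code from the original article; the log layout, thresholds and sample attempts are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample authorization attempts (not real data):
# (epoch_seconds, source_ip, bin6, card_token, approved)
ATTEMPTS = [
    # One source cycling through cards on one BIN: card testing.
    (1000, "198.51.100.7", "411111", "tok_a1", False),
    (1002, "198.51.100.7", "411111", "tok_a2", False),
    (1004, "198.51.100.7", "411111", "tok_a3", False),
    (1006, "198.51.100.7", "411111", "tok_a4", False),
    (1008, "198.51.100.7", "411111", "tok_a5", False),
    (1010, "198.51.100.7", "411111", "tok_a6", True),
    # Same pattern spread over many sources: only the BIN view sees it.
    (1100, "203.0.113.1", "522222", "tok_b1", False),
    (1110, "203.0.113.2", "522222", "tok_b2", False),
    (1120, "203.0.113.3", "522222", "tok_b3", False),
    (1130, "203.0.113.4", "522222", "tok_b4", False),
    (1140, "203.0.113.5", "522222", "tok_b5", False),
    # Genuine customer retrying one card after a typo.
    (1020, "192.0.2.20", "400000", "tok_c1", False),
    (1025, "192.0.2.20", "400000", "tok_c1", False),
    (1030, "192.0.2.20", "400000", "tok_c1", True),
]

WINDOW_SECONDS = 60       # sliding window length (assumed threshold)
MIN_DISTINCT_CARDS = 5    # distinct cards in the window (assumed threshold)
MIN_DECLINE_RATIO = 0.8   # share of declined attempts (assumed threshold)
BY_IP, BY_BIN = 1, 2      # tuple positions usable as the grouping key

def detect_enumeration(attempts, key_index):
    """Return {key: first_alert_time} for keys that tried many distinct,
    mostly declined cards inside one sliding window."""
    windows = defaultdict(deque)
    alerts = {}
    for event in sorted(attempts):
        ts, key = event[0], event[key_index]
        window = windows[key]
        window.append(event)
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        cards = {e[3] for e in window}
        declined = sum(1 for e in window if not e[4])
        if (len(cards) >= MIN_DISTINCT_CARDS
                and declined / len(window) >= MIN_DECLINE_RATIO):
            alerts.setdefault(key, ts)
    return alerts

if __name__ == "__main__":
    print("by source IP:", detect_enumeration(ATTEMPTS, BY_IP))
    print("by BIN:", detect_enumeration(ATTEMPTS, BY_BIN))
```

Grouping by BIN as well as by source IP matters because the second burst uses a new address for every attempt and never crosses the per-IP threshold.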

How to Stop Gateway Fraud

Broadly speaking, each payment gateway gives you more options for consumers to pay on your ecommerce site.

The more of them you have, the more you can meet customers’ payment preferences and provide a frictionless checkout experience. It’s no surprise that online merchants favor stacking payment gateway options.

Besides, certain names such as Stripe, Amazon Pay, Klarna, and PayPal have become so synonymous with online payments that they also add a layer of trust for customers. Displaying a payment gateway’s brand logo at checkout can help, even if your customers rarely pay through them.

Let’s look at some techniques to stop payment fraud:

  • Card Verification Value (CVV): The most used form of card verification is the CVV of a user’s card – which is found on the back of a person’s credit/debit card and never stored on the merchant’s database.
  • 3-D Secure (3DS2): A form of multi-factor authentication for card payments. It requires customers to verify themselves through an extra authentication step, often completed via phone or email, that is linked with the website of the customer’s bank.
  • Device fingerprinting: This solution tracks how a user connects to your site and raises suspicion based on potential connections through VPNs, proxies or emulators. Learning about the attributes and configuration of any given customer can massively help determine how much of a risk they are.
  • IP fraud scoring system: To make the most of modern fraud prevention technology, work with a solution that lets you set parameters that trigger actions, from address verification mismatches, to comparing a user’s IP geolocation against device location, to simply flagging higher-value transactions. Setting automatic rulesets will help curb fraud and minimize time spent on manual reviews.
  • Data enrichment: Using a single data point, you can create holistic profiles of your customers before they even look to make a purchase in the first place – but also confirm a customer’s identity before shipping.
  • Reverse email lookup: Through the use of data enrichment, a user’s social/online presence can be used to help further create profiles on customers as fraudsters will often not take the time to create complete profiles on a range of networks. SEON can now trace over 50 major online platforms.

Payment Gateways with Built-In Fraud Tools

Certain payment gateways, such as Stripe, Worldpay and PayPal, offer built-in fraud prevention and detection capabilities that operate similarly to those offered by third-party providers:

  1. They look at user card and transaction data,
  2. feed the data through rules, and
  3. automatically approve, decline or send the transaction into manual review.
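
The three steps above, together with the rule triggers listed earlier (address verification mismatch, IP geolocation against device location, higher-value transactions), can be sketched as a small explainable rule engine. This is an added example, not any gateway's or vendor's actual logic; field names, point values, thresholds and sample transactions are constructed assumptions.

```python
# Each rule: (name, predicate over the transaction, points added when it fires).
# Names, points and thresholds are illustrative assumptions.
RULES = [
    ("avs_mismatch", lambda t: not t["avs_match"], 25),
    ("cvv_mismatch", lambda t: not t["cvv_match"], 40),
    ("ip_vs_device_location", lambda t: t["ip_country"] != t["device_country"], 20),
    ("proxy_or_vpn", lambda t: t["via_proxy"], 15),
    ("high_value", lambda t: t["amount"] >= 500, 10),
]
REQUIRED = ("amount", "avs_match", "cvv_match",
            "ip_country", "device_country", "via_proxy")

def evaluate(txn, review_at=30, decline_at=60):
    """Score one transaction and return the decision with the rules that fired."""
    missing = [f for f in REQUIRED if txn.get(f) is None]
    if missing:
        # Fail closed: an absent signal must not read as "no risk".
        return {"decision": "review", "score": None,
                "reasons": ["missing:" + f for f in missing]}
    fired = [(name, pts) for name, pred, pts in RULES if pred(txn)]
    score = sum(pts for _, pts in fired)
    if score >= decline_at:
        decision = "decline"
    elif score >= review_at:
        decision = "review"
    else:
        decision = "approve"
    return {"decision": decision, "score": score,
            "reasons": [name for name, _ in fired]}

# Constructed sample transactions.
GOOD = {"amount": 42.0, "avs_match": True, "cvv_match": True,
        "ip_country": "GB", "device_country": "GB", "via_proxy": False}
BORDERLINE = dict(GOOD, amount=650.0, avs_match=False)
BAD = dict(GOOD, amount=900.0, avs_match=False, cvv_match=False,
           ip_country="US", device_country="DE", via_proxy=True)
INCOMPLETE = dict(GOOD, avs_match=None)

if __name__ == "__main__":
    for label, txn in [("good", GOOD), ("borderline", BORDERLINE),
                       ("bad", BAD), ("incomplete", INCOMPLETE)]:
        print(label, evaluate(txn))
    # Stricter thresholds turn the borderline case from review into decline.
    print("strict", evaluate(BORDERLINE, review_at=20, decline_at=35))
```

Because every decision carries its reasons, a reviewer can see which rule moved a transaction, and the two thresholds are the knobs that trade approval rate against chargeback exposure.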

But is this enough to curb fraud?

It is not easy to answer this question, as it depends on the exact method they use and the risk profile of each sector. That said, the more touchpoints are scrutinized the better, and a third-party solution is usually better to have, considering it’s purpose-built to fight fraud rather than part of wider payment enablement functionality.

Advantages of One-Stop-Shop Anti-Fraud Solutions

One advantage of trusting built-in prevention functionality is that there is no integration needed and no extra resources spent comparing fraud prevention tools. This is ideal for companies without a risk team or those who lack a technical understanding. 

As a merchant, you can usually deploy the built-in fraud prevention feature directly from your standard payment gateway dashboard, whether it’s with Stripe Radar, Worldpay’s FraudSight, or even Shopify’s Fraud Filter app. 

Moreover, the pricing structure is usually based on the number of processed transactions, which makes sense for smaller operations and companies with fluctuating amounts of transactions – for instance, online stores whose traffic spikes during certain seasonal sales.

Another key advantage here is the amount of historical card data they possess.

Stripe Radar, for instance, claims there’s an 89% chance that a card has been seen on their network before, even if it’s the first time someone uses it on your site. 

Disadvantages of One-Stop-Shop Anti-Fraud Solutions

However, the disadvantages can be significant depending on your business, similar to the downsides of shared blacklists: one false flag on one site can hurt all the others too.

1. You’re Locked into an Ecosystem

The first disadvantage should be evident to everyone: The built-in fraud prevention works with your payment gateway only.

This creates a few challenges because:

  • Your custom rules can’t be moved to another payment gateway’s fraud tool.
  • You need to ensure all your payment gateway’s fraud tools offer the same level of sophistication, as they can’t be synchronized between different providers.
  • Relying too much on built-in tools makes it harder to change payment gateways to expand to new markets later, or to benefit from more advantageous transaction fees with competitors. 

In short, with built-in fraud prevention, you are always looking at a compromise between ease of use and business flexibility and agility.

Moreover, you might find that built-in fraud tools aren’t as sophisticated as dedicated third-party solutions. 

This is particularly apparent for fraud teams and businesses who need to dig deeper into the custom rules:

  • Basic data enrichment: These tools usually work with data such as card number, transaction amount, currency and IP address. You won’t get the same depth of investigation as with a full digital footprint analysis, which can include email address, social media profiling and device fingerprinting.
  • Rigid, general rules: The rules you will be given are based on transaction and cards more than user behavior. You won’t get specific preset rules for your vertical, and programming new ones can be challenging. 
  • Blackbox machine learning: If you do get machine learning at all, it will be hard to control or understand how, why, and if it works, because blackbox ML means it is not explainable. This means fewer insights into how fraud detection works in the long run.

3. There’s an Inherent Conflict of Interest

Last but not least, you’ll have to understand that payment gateways and acquirers will always err on the side of processing payments.

Their entire business model is built on charging transaction fees, so declining them goes against their purpose. 

In fact, one of our clients, a leading crypto exchange, came to us because their all-in-one payment company and fraud tool still facilitated too many chargebacks. 

The incentive for these companies will always be weighted towards accepting the payment, and you’ll end up being the one having to pay for the consequences, namely in the form of dispute and chargeback fees.

Dedicated Fraud Prevention vs Built-In One-Stop-Shops

To recap, let’s compare three fraud prevention tools, including our own, to see when it makes sense to stick with the built-in gateway and acquirer solutions, or when you should use a fraud prevention API.

[Image: agnostic fraud prevention vs built-in]

In short, one-stop-shops are good to cover basic fraud needs, with some caveats.

Built-in fraud tools offered by payment gateways and acquirers do have their use. They require little maintenance, no integration, and can help reduce the most evident cases of transaction fraud.

But for companies with more pressing fraud challenges, they might simply not be enough. A lack of customization options and data enrichment features, and the fact that you can’t transfer rules between different systems means you are locked into a basic service.

Worst of all, they’ll never let you adjust your risk threshold to operate with the safest settings, as this would eventually damage their bottom line.

Better Payment Gateway Fraud Detection

There are two pieces of good news if you are interested in using SEON to reduce manual reviews and chargebacks:

First, the solution can work on top of your existing all-in-one e-till, thanks to our powerful data enrichment plugin and modular approach to fraud prevention.

Secondly, a growing number of payment gateways are integrating our tools directly into their systems – further proof that SEON does help reduce chargebacks at scale.

Whether you use our full end-to-end solution or only select one of our modules as part of a multi-layered approach, we can’t wait to help you start reducing chargebacks and boosting transactions for legitimate users.


How secure are payment gateways?

While some gateways offer protection to help your business process more qualified transactions, developing a fraud prevention stack to accompany what’s available will help minimize risk.

What are the benefits of multiple gateways?

If you’re an online merchant, more gateways give your customers more opportunities to pay with their favorite payment method, thus boosting their user experience.

Tamas Kadar

Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.