Payment Gateway Fraud: How It Works & Solutions

by Tamas Kadar

Payment gateways and acquirers now offer fraud detection. But there can also be a conflict of interest there.

One way this becomes evident is the rise of what some call the “one-stop-shop”, or the “all-in-one” e-till, which includes fraud prevention and detection tools along with a whole host of other services.

What Exactly is a Payment Gateway?

A payment gateway is an essential tool when processing sales as it enables merchants to securely authenticate any customer’s card details when they have made a purchase online.

In the early days of the Internet and eCommerce, payment gateways were essentially online payment terminals but instead of competing with the big name processors, they decided to focus on merchant and consumer technologies instead.

It proved to be a smart move. These days, payment gateways are more essential than ever and give your online business plenty of security and experience-enhancing features.

Payment Processor Vs Payment Gateway

Before looking at payment fraud detection, let’s zoom out to clearly define a few important terms. First, it helps to understand the subtle differences between payment gateways and payment processors.

  • A payment processor: analyzes and sends the transaction data (card number, issuing bank info, etc.).
  • A payment gateway: does all the above, and also authorizes the transfer of funds. The authorization part is the key difference, specifically in the card-not-present world (online stores).

Payment gateways are therefore a good place to implement security checks, whether it’s SSL encryption or a check for fraudulent purchases.

What is Payment Fraud?

Payment fraud is the act of a cybercriminal ordering goods through the use of another person’s funds, personal details, or personal property via card-not-present transactions.

These transactions are processed through the payment gateway, and when another person’s details have been used to make purchases, a chargeback will often follow.

How Does Fraud Happen via a Payment Gateway?

Since a payment gateway is essentially a middleman between the merchant and its customers, any time a fraudster looks to conduct payment fraud they need to bypass any detection software.

Some of the most common forms of payment fraud include:

  • Identity Theft: a cybercriminal gains access to a person’s card information and data to then order goods without the victim’s knowledge.
  • BIN Attacks: fraudsters use software to generate long lists of potential card numbers to accompany the first six numbers of a card (Bank Identification Number) and try to land on an active card to make orders.
  • Card Testing: similar to BIN attacks, this involves creating long lists of card details to spam orders on websites in the hope that some will be processed.
  • Account Takeover (ATO): here a cybercriminal hacks / logs into an existing customer’s account and uses their stored billing details to make purchases, use up their reward points or re-sell the account online.
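
BIN attacks and card testing both leave the same trace in authorization logs: many different cards sharing one BIN, tried from one source in a short time, mostly declined. The detector below is an added example, not code from SEON or any gateway; the log layout, thresholds, tokens and addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them against your own traffic.
WINDOW_SECONDS = 300      # look-back window per (source IP, BIN)
MIN_DISTINCT_CARDS = 5    # distinct cards tried before alerting
MIN_DECLINE_RATIO = 0.8   # share of declined attempts in the window

# Constructed sample log: (epoch_seconds, source_ip, bin, card_token, approved)
SAMPLE_LOG = [
    # Eight different cards on one BIN from one IP in 70 seconds, one approval.
    *[(1000 + 10 * i, "203.0.113.7", "411111", f"tok_a{i}", i == 5) for i in range(8)],
    # A returning customer paying twice with the same card.
    (1005, "198.51.100.20", "411111", "tok_b1", True),
    (1400, "198.51.100.20", "411111", "tok_b1", True),
    # A customer mistyping the CVV twice on a single card.
    (1010, "192.0.2.44", "510510", "tok_c1", False),
    (1030, "192.0.2.44", "510510", "tok_c1", False),
]

def detect_card_testing(events):
    """Return {(source_ip, bin): details} for sources whose attempts look enumerated."""
    windows = defaultdict(deque)  # (ip, bin) -> attempts inside the window
    alerts = {}
    for ts, ip, bin_, card, approved in sorted(events):
        win = windows[(ip, bin_)]
        win.append((ts, card, approved))
        while win[0][0] < ts - WINDOW_SECONDS:  # expire old attempts
            win.popleft()
        distinct = len({c for _, c, _ in win})
        decline_ratio = sum(not ok for _, _, ok in win) / len(win)
        if distinct >= MIN_DISTINCT_CARDS and decline_ratio >= MIN_DECLINE_RATIO:
            # Keep the first detection so responders know when blocking could start.
            alerts.setdefault((ip, bin_), {
                "first_alert_ts": ts,
                "distinct_cards": distinct,
                "decline_ratio": round(decline_ratio, 2),
            })
    return alerts

if __name__ == "__main__":
    for source, detail in detect_card_testing(SAMPLE_LOG).items():
        print(source, detail)
```

Keying the window on a device fingerprint instead of the source IP catches the same pattern when the requests are spread across many addresses.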

How to Stop Gateway Fraud?

Broadly speaking, one payment gateway = more options to pay on your site. The more of them you have, the more you can meet your customer payment preferences and provide a frictionless checkout experience. It’s no surprise that online merchants favor stacking payment gateway options.

Besides, certain names such as Stripe, Amazon Pay, Klarna and PayPal have become so synonymous with online payments that they also add a layer of trust for customers. Displaying a payment gateway’s brand logo at checkout can help, even if your customers rarely pay through them.

Some ways in which to stop payment fraud include:

  • Card Verification Value (CVV): the most used form of verification is the CVV of a user’s card, which is found on the back of a person’s credit/debit card and is never stored in the merchant’s database.
  • 3D Secure (3DS2): requires customers to verify themselves through an extra authentication step, often made through the phone or email that is linked with the customer’s bank’s website.
  • Device Fingerprinting: this solution tracks how a user connects to your site and raises suspicion based on potential connections through VPNs, proxies or emulators. Learning about the attributes and configuration of any given customer can massively help determine risk.
  • Fraud Rule Scoring System: make the most of modern fraud prevention technology and work with a solution that gives you the opportunity to set parameters that trigger actions, from misalignment of address verification to comparing a user’s IP geolocation against device location or simply flagging higher-valued transactions. Setting automatic rulesets will help curb fraud and minimise time spent on manual reviews.
  • Data Enrichment: using a single data point, you can create holistic profiles of your customers before they even look to make a purchase in the first place, and also confirm a customer’s identity before shipping. Checking the validity and domain of an email address, for example, can be one clear indicator of fraud.
  • Reverse Email Lookup: through the use of data enrichment, tracking a user’s social/online presence can help build further profiles of customers, as fraudsters will often not take the time to create complete profiles on a range of networks. SEON can now trace over 35 major online platforms.

Payment Gateways with Built-In Fraud Tools

Certain payment gateways, such as Stripe, Worldpay, and PayPal, offer built-in fraud prevention and detection capabilities that operate similarly to those offered by third-party providers:

  1. They look at user card and transaction data
  2. Feed the data through rules
  3. Automatically approve, decline or send the transaction into manual review
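
The three steps above, using the kinds of rules described earlier under the fraud rule scoring system (address verification mismatch, IP geolocation against device location, higher-valued transactions), can be sketched as follows. This is an added example, not SEON's or any gateway's code; the rule schema, field names, weights and thresholds are assumptions, and the sample transactions are constructed.

```python
import json
import operator

# Rules held as plain data (assumed schema) rather than inside one gateway's
# dashboard. Field names, weights and thresholds are illustrative assumptions.
RULES_JSON = """[
 {"name": "avs_mismatch", "field": "avs_match", "op": "eq", "value": false, "points": 30},
 {"name": "ip_device_geo_mismatch", "field": "ip_matches_device_geo", "op": "eq", "value": false, "points": 25},
 {"name": "proxy_or_vpn", "field": "via_proxy", "op": "eq", "value": true, "points": 20},
 {"name": "high_value", "field": "amount", "op": "gte", "value": 500, "points": 15},
 {"name": "email_domain_invalid", "field": "email_domain_valid", "op": "eq", "value": false, "points": 25}
]"""
OPS = {"eq": operator.eq, "gte": operator.ge}
REVIEW_AT, DECLINE_AT = 30, 60

def evaluate(txn, rules=None):
    """Score one transaction and return the action plus the rules behind it."""
    rules = json.loads(RULES_JSON) if rules is None else rules
    fired, missing = [], []
    for rule in rules:
        if rule["field"] not in txn:
            missing.append(rule["name"])  # no data is not the same as a pass
        elif OPS[rule["op"]](txn[rule["field"]], rule["value"]):
            fired.append(rule)
    score = sum(rule["points"] for rule in fired)
    if score >= DECLINE_AT:
        action = "decline"
    elif score >= REVIEW_AT or missing:
        action = "review"  # a rule that could not run also goes to a human
    else:
        action = "approve"
    return {"score": score, "action": action,
            "fired": [rule["name"] for rule in fired], "missing": missing}

# Constructed sample transactions.
GOOD = {"avs_match": True, "ip_matches_device_geo": True, "via_proxy": False,
        "amount": 42.50, "email_domain_valid": True}
AVS_ONLY = {**GOOD, "avs_match": False}
STACKED = {**GOOD, "avs_match": False, "ip_matches_device_geo": False,
           "via_proxy": True, "amount": 900}
NO_DEVICE_DATA = {k: v for k, v in GOOD.items() if k != "via_proxy"}

if __name__ == "__main__":
    for txn in (GOOD, AVS_ONLY, STACKED, NO_DEVICE_DATA):
        print(evaluate(txn))
```

Returning the names of the rules that fired, and of those that could not run, gives a manual reviewer the reason behind each decision.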

Advantages of One-Stop-Shop Fraud Solutions

One advantage is that there is no integration needed and no extra resources spent comparing fraud prevention tools. This is ideal for companies without a risk team or those who lack a technical understanding of how fraud works. 

You can usually deploy the built-in fraud prevention feature directly from your standard dashboard, whether it’s with Stripe Radar, Worldpay’s FraudSight, or even Shopify’s Fraud Filter app. 

Moreover, the pricing structure is usually based on the number of processed transactions, which makes sense for smaller operations and companies with fluctuating amounts of transactions, for instance, online stores whose traffic spikes during certain season sales.

Another key advantage here is the amount of historical card data they possess.

Stripe Radar, for instance, claims there’s an 89% chance that a card has been seen on their network before, even if it’s the first time someone uses it on your site. 

Disadvantages of One-Stop-Shop Fraud Solution

However, the disadvantages can be significant depending on your business, similar to the downsides of shared blacklists – one false flag on one site could hurt all the others too.

Locked Into an Ecosystem

Now the first disadvantage should be evident to everyone: the built-in fraud prevention works with your payment gateway only. This creates a few challenges because:

  • Your custom rules can’t be moved to another payment gateway’s fraud tool.
  • You need to ensure all your payment gateway’s fraud tools offer the same level of sophistication, as they can’t be synchronized between different providers.
  • Relying too much on built-in tools makes it harder to change payment gateways to expand to new markets later, or to benefit from more advantageous transaction fees with competitors. 

In short, you are always looking at a compromise between ease of use versus business flexibility and agility.

Often Limited Features

Moreover, you might find that built-in fraud tools aren’t as sophisticated as dedicated third-party solutions. 

This is particularly apparent for fraud teams and businesses who need to dig deeper into the custom rules:

  • Basic data enrichment: these tools usually work with data such as card number, transaction amount, currency and IP address, for instance. You won’t get the same level of investigation as with a full digital footprint analysis, which can include email address, social media profiling and device fingerprinting.
  • Rigid, general rules: The rules you will be given are based on transaction and cards more than user behaviour. You won’t get specific preset rules for your vertical, and programming new ones can be challenging. 
  • Blackbox machine learning: if you do get machine learning at all, it will be hard to control or understand how it works. Which means fewer insights into how fraud detection works in the long run.

An Inherent Conflict of Interest

Last but not least, you’ll have to understand that payment gateways and acquirers will always err on the side of processing payments. Their entire business model is built on charging transaction fees, so declining them goes against their purpose. 

In fact, one of our clients, a leading crypto exchange, came to us because their all-in-one payment company and fraud tool still facilitated too many chargebacks. 

The incentive for these companies will always be weighed towards accepting the payment, and you’ll end up being the one having to pay for the consequences, namely in the form of dispute and chargeback fees.

Dedicated Fraud Prevention Vs Built-In One-Stop-Shops

To recap, let’s compare three fraud prevention tools, including our own, to see when it makes sense to stick with the built-in gateway and acquirer solutions, or when you should use a fraud prevention API.

[Image: comparison table, agnostic fraud prevention vs built-in]

Summary: One-Stop-Shops are Good for Basic Fraud Needs, with Caveats

In conclusion, we can see that built-in fraud tools offered by payment gateways and acquirers have their use. They require little maintenance, no integration, and can help reduce the most evident cases of transaction fraud.

But for companies with more pressing fraud challenges, they might simply not be enough. A lack of customization options, data enrichment features, and the fact that you can’t transfer rules between different systems means you are locked into a basic service.

Worst of all, they’ll never let you adjust your risk threshold to operate with the safest settings, as it would eventually damage their bottom line.

Better Payment Gateway Fraud Detection

There are two pieces of good news if you are interested in SEON to reduce manual reviews and chargebacks: first, the solution can work on top of your existing all-in-one e-till, thanks to our powerful data enrichment plugin and modular approach to fraud prevention.

Secondly, a growing number of payment gateways are integrating our tools directly into their systems, proof that it does help reduce chargebacks at scale.

Now whether you use our full end-to-end solution or only select one of our modules as part of a multi-layered approach, we can’t wait to help you start reducing chargebacks and boosting transactions for legitimate users.

Frequently Asked Questions about Payment Gateways

How secure are payment gateways?

Whilst some gateways offer protection, developing a fraud prevention stack to accompany what’s available will help minimise risk and help your business process more qualified transactions.

What are the benefits of multiple gateways?

More gateways give your customers more opportunities to pay with their favourite payment method, thus boosting their user experience.

Tamas Kadar

Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.
