Payment Gateway Fraud: Detection & Solutions

Payment gateways and acquirers now offer fraud detection. But there can also be a conflict of interest there.

One way this becomes evident is the rise of what some call the “one-stop-shop”, or the “all-in-one” e-till, which includes fraud detection software along with a whole host of other services.

What Exactly Is a Payment Gateway?

A payment gateway is an essential tool when processing sales as it enables merchants to securely authenticate any customer’s card details when they have made a purchase online.

In the early days of the internet and ecommerce, payment gateways were essentially online payment terminals. Rather than competing with the big-name processors, they decided to focus on merchant and consumer technologies.

It proved to be a smart move. These days, payment gateways are more essential than ever and give online businesses plenty of security and experience-enhancing features.

Payment Processor vs Payment Gateway

Before looking at payment fraud prevention, let’s zoom out to clearly define a few important terms. First, it helps to understand the subtle differences between payment gateways and payment processors.

  • A payment processor analyzes and sends transaction data (card number, issuing bank info, etc.).
  • A payment gateway does all the above and also authorizes the transfer of funds.

The authorization part is the key difference, specifically in the card-not-present world (online stores).

Payment gateways are therefore a good place to implement security checks, whether it’s SSL encryption or a check for fraudulent purchases.

What Is Payment Gateway Fraud?

Payment gateways play an essential role in safeguarding online transactions and making sure they are processed accurately. Virtually every business engaged in online payment processing faces the potential risk of encountering gateway fraud.

Payment gateway fraud refers to deceptive actions that take place within online payment transactions conducted through a payment gateway. This includes activities such as the unauthorized utilization of either stolen or counterfeit card information for illicit online payments.

Given that a payment gateway essentially acts as an intermediary connecting the merchant and its customers, any time a fraudster seeks to commit payment gateway fraud, they must circumvent any installed fraud detection software.

Common Forms of Payment Gateway Fraud

Payment gateway fraud can take various forms, including:

  • Payment gateway identity theft: A cybercriminal gains access to a person’s card information and data to then order goods without the victim’s knowledge.
  • BIN attacks: Fraudsters use software to generate long lists of potential card numbers to accompany the first six numbers of a card (the BIN) and try to find an active card to make orders.
  • Card testing: Similar to BIN attacks, this involves creating long lists of card details to spam orders on websites in the hope that some will be processed.
  • Account takeover fraud: Here, a cybercriminal logs into an existing customer’s account and uses their stored billing details to make purchases, use up their reward points or re-sell the account online.
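
An added example, not part of the original article: BIN attacks and card testing both show up in authorization logs as one source trying many different cards on the same BIN, with most attempts declined. The thresholds, field names and the sample log below are assumptions, and cards appear as tokens rather than numbers.

```python
from collections import defaultdict, deque

# Assumed thresholds; tune them against your own traffic.
WINDOW_S = 600           # sliding window in seconds
MAX_DISTINCT_CARDS = 5   # distinct cards per (source, BIN) tolerated in the window
MIN_DECLINE_RATIO = 0.8  # share of declined attempts that makes a burst suspicious


def detect_card_testing(events, window_s=WINDOW_S,
                        max_distinct=MAX_DISTINCT_CARDS,
                        min_decline_ratio=MIN_DECLINE_RATIO):
    """events: (epoch_s, source_ip, card_token, bin6, approved). One alert per pair."""
    recent = defaultdict(deque)  # (source, bin6) -> attempts inside the window
    alerted, alerts = set(), []
    for ts, source, card_token, bin6, approved in sorted(events):
        key = (source, bin6)
        window = recent[key]
        window.append((ts, card_token, approved))
        while window[0][0] <= ts - window_s:  # expire attempts older than the window
            window.popleft()
        distinct = len({token for _, token, _ in window})
        ratio = sum(1 for _, _, ok in window if not ok) / len(window)
        if key not in alerted and distinct > max_distinct and ratio >= min_decline_ratio:
            alerted.add(key)
            alerts.append({"ts": ts, "source": source, "bin": bin6,
                           "distinct_cards": distinct, "decline_ratio": round(ratio, 2)})
    return alerts


def sample_events():
    """Constructed authorization log; IPs, tokens and BINs are placeholders."""
    events = []
    # One source cycles through 8 different cards on one BIN in 70 seconds.
    for i in range(8):
        events.append((1000 + i * 10, "203.0.113.7", f"tok_{i:02d}", "400000", i == 7))
    # A shopper mistypes the CVV once, then succeeds with the same card.
    events += [(1005, "198.51.100.4", "tok_a1", "400000", False),
               (1060, "198.51.100.4", "tok_a1", "400000", True)]
    # A shared office IP: 6 different cards, hours apart, all approved.
    for i in range(6):
        events.append((2000 + i * 3600, "192.0.2.10", f"tok_k{i}", "510000", True))
    return events


if __name__ == "__main__":
    for alert in detect_card_testing(sample_events()):
        print(alert)
```

Only the burst from the first source is flagged; the retrying shopper and the shared IP stay below both thresholds.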

How Does Fraud Happen via a Payment Gateway?

Since a payment gateway is essentially a middleman between the merchant and its customers, any time a fraudster looks to conduct payment gateway fraud they need to bypass any fraud detection software.


Payment Gateway Fraud Detection

Broadly speaking, each payment gateway gives more options for consumers to pay on your ecommerce site. The more gateways you have, the more you can meet customers’ payment preferences and provide a frictionless checkout experience. It’s no surprise that online merchants favor stacking payment gateway options.

Certain names such as Stripe, Amazon Pay, Klarna, and PayPal have become so synonymous with online payments that they also add a layer of trust for customers.

Here are some tools you can use to reinforce this trust and stop payment fraud in its tracks, while also maintaining a frictionless customer experience:

  • Device fingerprinting: Examining user hardware and software is key to understanding how they connect to your site. Device fingerprinting helps you identify browsers, add-ons, extensions and tools designed to get around anti-fraud solutions, spot hidden links between accounts, and investigate real-time data, enhancing security without slowing down your customers.
  • IP analysis: In addition to verifying geolocation, examining whether a user is covering their connection through a VPN, proxy, or emulator can serve as an indicator of higher risk.
  • Digital footprinting: Investigate your customers’ online identity and behavioral data in real-time by checking for unique digital and social profiles to detect and prevent fraudulent user activities.
  • Email analysis: A single email address can reveal important information, such as whether it was created on a suspicious domain, whether it’s a free or disposable address, or whether it has appeared in any prior data breaches, indicating a fraud risk.
  • Card Verification Value (CVV): The most used form of card verification is the CVV of a user’s card, which is found on the back of a person’s credit/debit card and is never stored in the merchant’s database.
  • 3-D Secure (3DS2): A form of multi-factor authentication for card payments. It requires customers to verify themselves through an extra authentication step, often made through the phone or email that is linked with the customer’s bank’s website.

Payment Gateways with Built-In Fraud Tools

Certain payment gateways, such as Stripe, Worldpay and PayPal, offer built-in fraud prevention and detection capabilities that operate similarly to those offered by third-party providers:

  1. They look at user card and transaction data,
  2. feed the data through rules, and
  3. automatically approve, decline or send the transaction into manual review.
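
The three-step flow above, sketched as an added example (not code from the article or from any gateway or vendor it names). The rule names, weights, thresholds and sample transactions are assumptions; the function returns the rules that fired so each decision can be explained, and its threshold parameters show how a more lenient setting changes the outcome.

```python
# Hypothetical rules: (reason, predicate, points). Weights are illustrative only.
RULES = [
    ("cvv_mismatch", lambda t: not t["cvv_match"], 40),
    ("proxy_or_vpn_ip", lambda t: t["ip_is_proxy"], 25),
    ("disposable_email", lambda t: t["email_disposable"], 25),
    ("ip_card_country_mismatch", lambda t: t["ip_country"] != t["card_country"], 15),
    ("high_amount", lambda t: t["amount"] >= 500, 10),
    ("3ds_authenticated", lambda t: t["three_ds_passed"], -30),
]


def decide(txn, review_at=30, decline_at=60):
    """Score a transaction and return the decision with the rules that fired."""
    fired = [(reason, pts) for reason, pred, pts in RULES if pred(txn)]
    score = max(0, sum(pts for _, pts in fired))
    if score >= decline_at:
        decision = "decline"
    elif score >= review_at:
        decision = "review"
    else:
        decision = "approve"
    return {"decision": decision, "score": score, "reasons": [r for r, _ in fired]}


# Constructed sample transactions (all values invented for the example).
BASE = {"cvv_match": True, "ip_is_proxy": False, "email_disposable": False,
        "ip_country": "DE", "card_country": "DE", "amount": 40,
        "three_ds_passed": False}
SAMPLES = {
    "clean": {**BASE, "three_ds_passed": True},
    "borderline": {**BASE, "ip_is_proxy": True, "amount": 600},
    "risky": {**BASE, "cvv_match": False, "ip_is_proxy": True,
              "email_disposable": True, "ip_country": "US"},
}

if __name__ == "__main__":
    for name, txn in SAMPLES.items():
        strict = decide(txn)
        lenient = decide(txn, review_at=50, decline_at=120)
        print(name, strict, "| lenient thresholds:", lenient["decision"])
```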

But is this enough to curb fraud?

It is not easy to answer this question, as it depends on the exact method they use and the risk profile of each sector. That said, the more touchpoints are scrutinized the better, and a third-party solution is usually better to have, considering it’s purpose-built to fight fraud rather than part of wider payment enablement functionality.


Advantages of One-Stop-Shop Anti-Fraud Solutions

One advantage of trusting built-in prevention functionality is that there is no integration needed and no extra resources spent comparing fraud prevention tools. This is ideal for companies without a risk team or those who lack a technical understanding. 

As a merchant, you can usually deploy the built-in fraud prevention feature directly from your standard payment gateway dashboard, whether it’s with Stripe Radar, Worldpay’s FraudSight, or even Shopify’s Fraud Filter app. 

Moreover, the pricing structure is usually based on the number of processed transactions, which makes sense for smaller operations and companies with fluctuating amounts of transactions – for instance, online stores whose traffic spikes during certain seasonal sales.

Another key advantage here is the amount of historical card data they possess.

Stripe Radar, for instance, claims there’s an 89% chance that a card has been seen on their network before, even if it’s the first time someone uses it on your site. 

Disadvantages of One-Stop-Shop Anti-Fraud Solutions

However, the disadvantages can be significant depending on your business, similar to the downsides of shared blacklists: one false flag on one site can hurt all the others too.

1. You’re Locked into an Ecosystem

The first disadvantage should be evident to everyone: The built-in fraud prevention works with your payment gateway only.

This creates a few challenges because:

  • Your custom rules can’t be moved to another payment gateway’s fraud tool.
  • You need to ensure all your payment gateway’s fraud tools offer the same level of sophistication, as they can’t be synchronized between different providers.
  • Relying too much on built-in tools makes it harder to change payment gateways to expand to new markets later, or to benefit from more advantageous transaction fees with competitors. 

In short, with built-in fraud prevention, you are always looking at a compromise between ease of use versus business flexibility and agility.

 
2. Features Are Often Limited

Moreover, you might find that built-in fraud tools aren’t as sophisticated as dedicated third-party solutions. 

This is particularly apparent for fraud teams and businesses who need to dig deeper into the custom rules:

  • Basic data enrichment: These tools usually work with data such as card number, transaction amount, currency and IP address. You won’t get the same depth of investigation as with a full digital footprint analysis, which can include email address, social media profiling and device fingerprinting.
  • Rigid, general rules: The rules you will be given are based on transaction and cards more than user behavior. You won’t get specific preset rules for your vertical, and programming new ones can be challenging. 
  • Blackbox machine learning: If you do get machine learning at all, it will be hard to control or understand how, why, and if it works, because blackbox ML means it is not explainable. This means fewer insights into how fraud detection works in the long run.
 
3. There’s an Inherent Conflict of Interest

Last but not least, you’ll have to understand that payment gateways and acquirers will always err on the side of processing payments.

Their entire business model is built on charging transaction fees, so declining them goes against their purpose. 

In fact, one of our clients, a leading crypto exchange, came to us because their all-in-one payment company and fraud tool still facilitated too many chargebacks. 

The incentive for these companies will always be weighted towards accepting the payment, and you’ll end up being the one having to pay for the consequences, namely in the form of dispute and chargeback fees.

 

Dedicated Fraud Prevention vs Built-In One-Stop-Shops

To recap, let’s compare three fraud prevention tools, including our own, to see when it makes sense to stick with the built-in gateway and acquirer solutions, or when you should use a fraud prevention API.

In short, one-stop-shops are good to cover basic fraud needs, with some caveats.

Built-in fraud tools offered by payment gateways and acquirers do have their use. They require little maintenance, no integration, and can help reduce the most evident cases of transaction fraud.

But for companies with more pressing fraud challenges, they might simply not be enough. A lack of customization options and data enrichment features, and the fact that you can’t transfer rules between different systems means you are locked into a basic service.

Worst of all, they’ll never let you adjust your risk threshold to operate with the safest settings, as this would eventually damage their bottom line.

How SEON Helps Your Fraud Detection in Payment Gateways

There are two pieces of good news if you are interested in SEON to reduce manual reviews and chargebacks:

First, the solution can work on top of your existing all-in-one e-till, thanks to our powerful data enrichment plugin and modular approach to fraud prevention.

Secondly, a growing number of payment gateways are integrating our tools directly into their systems – further proof that SEON does help reduce chargebacks at scale.

Whether you use our full end-to-end solution or only select one of our modules as part of a multi-layered approach, we can’t wait to help you start reducing chargebacks and boosting transactions for legitimate users.

FAQ

How secure are payment gateways?

While some gateways offer protection to help your business process more qualified transactions, developing a fraud prevention stack to accompany what’s available will help minimize risk.

What are the benefits of multiple gateways?

If you’re an online merchant, more gateways give your customers more opportunities to pay with their favorite payment method, thus boosting their user experience.

Tamas Kadar

Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.

