Leveraging the Internet for eCommerce and online marketplaces, selling 24/7 to anywhere in the world, is an unparalleled business opportunity. However, because an online transaction is a card-not-present (CNP) transaction, neither the card nor the cardholder is ever physically checked, which exposes the merchant to substantial CNP fraud risk, and the merchant is liable for the costs incurred. Smart merchants take the appropriate measures to detect and prevent fraud to protect their business and the bottom line.
The costs of online payment fraud can quickly add up. Generally, in a card-not-present transaction, the full amount of a chargeback is the liability of the merchant, plus any additional fees or assessments associated with the chargeback. If the chargeback rate becomes too high, the merchant might be at risk of having their merchant account terminated altogether.
One study predicts that retailers will lose around $130 billion in digital CNP fraud between 2018 and 2023.
Online payment flows
From the consumer point of view, an online transaction seems fairly straightforward: the consumer fills in some identifying and credit card information, and a few seconds later (hopefully) they get a transaction confirmation. On the back end, however, there is a complex payment chain of multiple parties in place to provide security and to determine and mitigate risk. Considering the U.S. model, there are six layers that might be involved in a transaction:
- Acquiring Bank (the merchant’s bank)
- Merchant Account (the account, held with the acquiring bank, into which settled card funds are paid before being transferred to the merchant's business bank account)
- Issuing Bank (the consumer’s bank that issues a credit card)
- Payment Gateway (a service that sends the merchant’s eCommerce transaction data to their acquiring bank)
- Payment Processor (a service that processes the actual payment between the acquiring and issuing banks)
- Card Association (a payment network such as Visa, Mastercard or Amex)
Of course, other countries have payment systems that can differ widely from this model. Add in cross-border eCommerce payments and the situation becomes even more complex.
Also note that companies can operate in multiple layers of the payment stack. For example, some companies can be both a payment gateway and a payment processor.
Good payment or a chargeback
When the payment system works (as it usually does), all is good; the transaction is quick, the consumer gets their purchase and the merchant gets their money. However, despite the apparent speed of online transactions, many steps of the process aren't instant; they rely on people or real-world interactions.
Consider the billing cycle; a remnant of paper-based billing systems, transactions are often grouped up and processed in batches. While the payment appears to be instant, it’s often just a credit covered by one participant in the system until it is made whole by another party. The credit, the obligation, bounces from one layer in the transaction to another until it’s resolved.
The delay in payment resolution is the fraudster's opportunity. For example, a fraudulent online charge made on a credit card might not appear on the consumer's statement for a month. The consumer disputes the charge and, if it is fraudulent, there is a chargeback: the credit unwinds back through the system and lands on the merchant. The merchant can contest the chargeback (representment), but a genuinely fraudulent charge will not be the consumer's responsibility. Note that there are also non-fraud chargebacks, such as billing disputes and broken items, which are often handled directly between consumer and merchant, and there is friendly fraud, where the charge was in fact legitimate but is disputed anyway.
Detecting and preventing ecommerce fraud
While stopping fraud entirely would seem to be the ultimate goal, it is neither realistic nor worth it; there are costs associated with fighting fraud and it creates potential friction points with legitimate consumers.
Rather, an effective CNP fraud prevention program is about risk mitigation. By understanding the techniques used by fraudsters, the fraud reduction tools and techniques available, and your organization’s risk strategy, you can develop and operate a program that contains costs while still being consumer friendly.
It’s important to note that a fraud prevention program is not a static system, created once. The best risk mitigation is about understanding the specifics of the situation and dynamically adjusting the parameters of your program to fit the need at hand. Every industry, every business and every transaction is different and therefore every transaction needs consideration on its own and holistically.
Know your customer
Consider the Know Your Customer (KYC) requirements that financial institutions have dealt with for decades; to prevent money laundering, these institutions need to know who they are dealing with in order to assess risk. There are strict rules for identity verification to discover if the person opening an account actually does exist. These same KYC procedures are a significant check to see if the person matches with a real-world identity and is not a synthetic identity.
Other checks on the identity provided by the customer can further determine if they are legitimate:
- Search the email address
- Call the phone number
- Confirm the person on social media
These manual methods are valid but can be time consuming. There are also automated methods that check various identity data points, including email address, IP address and mobile phone number, to see whether the information correlates (for example, whether the country implied by the phone number's dialling code, the IP address's geolocation and the billing address all agree). All these identity verification checks are typically done at the customer onboarding stage, but they can also be performed on an ongoing basis, either on a set schedule or event-based, such as when an account's status or information is changed.
A 2018 Experian report found that 84 percent of businesses said that the burden of fraud risk mitigation would be reduced if they were certain about the identity of a customer.
Legitimate consumers and fraudsters have different agendas and therefore produce different transaction patterns. Understanding how consumers typically interact and transact with your services (which is good for business in any case) helps provide insight into spotting fraudulent patterns.
Monitoring your transactions is vital. For small businesses, the typical suggestion is to look at all your transactions at least daily. For larger businesses, a dedicated transaction monitoring program and a fraud detection expert might be in order. Some things to watch for:
- Is the customer new?
- Is the purchase unusual?
- Is the transaction amount significantly higher than normal?
- Is there inconsistent information in the order?
- Are there multiple orders?
- Is the shipping address different from the billing address, or from the address used on previous orders?
- Are the orders coming from an IP address (or IP country) that doesn't match the billing address or the customer's previous orders?
One effective technique to contain high-value fraud cases is to impose transaction limits, or at least to flag high-value transactions for manual review. Limits can be set per transaction or as a cumulative threshold (for example, per customer, card or shipping address over a rolling time window).
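The identity-correlation checks and the transaction-monitoring questions above are easiest to see as a rule set run over real orders. The following is an added example, not code from the original article: a small scorer that applies those checks (new customer, amount far above the customer's average, per-transaction and cumulative limits, shipping address differing from billing, billing/IP/phone country disagreement, order velocity, disposable email domain) and routes each order to accept, manual review or decline. All orders, customer history, country values and thresholds are constructed for illustration; a real deployment would take the IP and phone countries from a GeoIP and dialling-code lookup and tune the weights and limits to its own transaction mix.

```python
"""Rule-based screening of card-not-present orders (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Order:
    order_id: str
    customer_id: str
    amount: float
    placed_at: datetime
    billing_country: str
    shipping_country: str
    ip_country: str            # assumed to come from a GeoIP lookup
    phone_country: str         # assumed to come from the phone's dialling code
    email_domain: str
    ship_to_billing: bool      # shipping address identical to billing address


# Constructed history of known customers: average order amount so far.
CUSTOMER_HISTORY = {"c-100": {"avg_amount": 62.0}, "c-200": {"avg_amount": 40.0}}
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com"}  # illustrative list

PER_TXN_LIMIT = 500.0                 # a single order above this is flagged
DAILY_LIMIT = 1500.0                  # cumulative per customer in the window
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_MAX_ORDERS = 3               # more than this many in the window is flagged
REVIEW_THRESHOLD = 3                  # score at which an order goes to a person
DECLINE_THRESHOLD = 6                 # score at which an order is refused outright


class OrderScreener:
    """Scores orders one at a time, remembering earlier ones for velocity checks."""

    def __init__(self):
        self._seen = defaultdict(list)   # customer_id -> orders already screened

    def score(self, order):
        """Return (score, [(reason, weight), ...]) and record the order."""
        reasons = []
        hist = CUSTOMER_HISTORY.get(order.customer_id)
        if hist is None:
            reasons.append(("new customer", 1))
        elif order.amount > 3 * hist["avg_amount"]:
            reasons.append(("amount far above customer average", 2))
        if order.amount > PER_TXN_LIMIT:
            reasons.append(("over per-transaction limit", 2))
        if not order.ship_to_billing:
            reasons.append(("ships to an address other than billing", 1))
        if order.shipping_country != order.billing_country:
            reasons.append(("cross-border shipping", 1))
        if len({order.billing_country, order.ip_country, order.phone_country}) > 1:
            reasons.append(("billing, IP and phone countries disagree", 2))
        if order.email_domain in DISPOSABLE_DOMAINS:
            reasons.append(("disposable email domain", 2))
        # Velocity and cumulative-limit checks look at this customer's earlier
        # orders inside the window; the current order counts towards both.
        since = order.placed_at - VELOCITY_WINDOW
        recent = [o for o in self._seen[order.customer_id] if o.placed_at >= since]
        if len(recent) + 1 > VELOCITY_MAX_ORDERS:
            reasons.append(("order velocity", 2))
        if sum(o.amount for o in recent) + order.amount > DAILY_LIMIT:
            reasons.append(("over cumulative daily limit", 3))
        self._seen[order.customer_id].append(order)
        return sum(weight for _, weight in reasons), reasons


def decide(score):
    if score >= DECLINE_THRESHOLD:
        return "decline"
    if score >= REVIEW_THRESHOLD:
        return "manual_review"
    return "accept"


def screen_orders(orders):
    """Screen orders in time order; return {order_id: decision}."""
    screener = OrderScreener()
    return {o.order_id: decide(screener.score(o)[0])
            for o in sorted(orders, key=lambda o: o.placed_at)}


T0 = datetime(2024, 3, 1, 10, 0)
_US = dict(billing_country="US", shipping_country="US", ip_country="US",
           phone_country="US", email_domain="example.com", ship_to_billing=True)

# Constructed sample traffic: a routine repeat order, one order showing most of
# the warning signs at once, and a burst of four orders from a small account.
SAMPLE_ORDERS = [
    Order("o-1", "c-100", 55.0, T0, **_US),
    Order("o-2", "c-300", 640.0, T0 + timedelta(minutes=5),
          billing_country="US", shipping_country="GB", ip_country="RO",
          phone_country="US", email_domain="mailinator.com", ship_to_billing=False),
    Order("o-3", "c-200", 420.0, T0 + timedelta(minutes=30), **_US),
    Order("o-4", "c-200", 420.0, T0 + timedelta(minutes=50),
          **{**_US, "ship_to_billing": False}),
    Order("o-5", "c-200", 420.0, T0 + timedelta(hours=1), **_US),
    Order("o-6", "c-200", 420.0, T0 + timedelta(hours=2), **_US),
]
```

Run against the sample traffic, `screen_orders(SAMPLE_ORDERS)` accepts o-1, o-3 and o-5, sends o-4 to manual review (large for this customer and shipped elsewhere) and declines o-2 (nine points from six different signals) and o-6 (the fourth order in two hours pushes the customer over both the velocity and cumulative limits). The point of the weighted score is the balance the article describes: no single signal declines an order, and the thresholds are the knobs you move when false declines or fraud losses climb.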
Security mindset and toolset
Fraudsters are always looking for security loopholes or lapses; because online perpetrators can attempt their fraudulent acts from virtually anywhere at any time, every transaction and every part of the eCommerce system requires protection. It’s imperative for merchants to have the necessary tools in place, as well having a security mindset permeate the company culture.
Any merchant selling online needs to meet the Payment Card Industry Data Security Standard (PCI DSS). According to a page on PayPal, “businesses that collect credit card information to process online payments are required to:
- Build, maintain a secure network to protect payment card information
- Protect cardholder information
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
- Pass quarterly remote vulnerability scans and more.”
If you’re already accepting credit cards through your own system, you’re probably well aware of these stipulations. Many merchants needn’t get involved in the full intricacies of these requirements, because outsourcing card capture to a payment gateway (a hosted payment page or tokenization, so that card numbers never touch the merchant’s servers) greatly reduces PCI DSS scope. It does not remove it: the merchant remains responsible for the integrity of the pages that redirect to or embed the gateway, and must still attest to the reduced requirement set its acquirer requires. In any case, being aware of these factors helps create a holistic security program.
There are additional security measures in credit cards that should be used, if available:
- Address Verification System (AVS). AVS compares the numeric parts of the billing address supplied in the eCommerce transaction (the street number and the postal code) with the address the issuer has on file for the card, and returns a result code indicating a full match, a partial match or no match. While Visa, Mastercard and American Express widely support AVS in the U.S., Canada and the UK, there’s significant work to expand the scope to more countries.
- Card Verification Value (CVV). The three-digit code printed on the back of Visa, Mastercard and Discover cards (CVV2/CVC2), or the four-digit code on the front of American Express cards (CID). Because it is printed on the card but not encoded on the magnetic stripe or chip, card data stolen by a skimmer or from a breached database often lacks it, which is what makes it a useful CNP check. PCI DSS prohibits storing it after authorization, even in encrypted form.
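A practitioner's caveat on both checks: the issuer generally treats the AVS result as advisory, and many issuers also approve an authorization whose CVV did not match, reporting the outcome alongside the approval. The decision to capture or void is therefore the merchant's. The following is an added example, not code from the original article, of a capture policy driven by those result codes, plus the scrub that keeps the CVV out of persistent storage. The single-letter codes follow the convention Visa and most U.S. processors use (AVS: Y/X full match, A/Z/W partial, N no match, U/R/S/G/E unavailable; CVV: M match, N no match, P/S/U not checked); gateways differ in the exact set they return, so map your processor's documented codes before adopting this table. The HIGH_VALUE cut-off and the sample responses are assumed, illustrative values.

```python
"""Acting on AVS and CVV results returned with an authorization (constructed example)."""
from dataclasses import dataclass

# Result-code groups as commonly returned by Visa and U.S. processors; assumed
# here, and to be checked against your own gateway's documentation.
AVS_FULL_MATCH = {"Y", "X"}                  # street number and postal code both match
AVS_PARTIAL = {"A", "Z", "W"}                # only the street number or only the postal code
AVS_NO_MATCH = {"N"}
AVS_UNAVAILABLE = {"U", "R", "S", "G", "E"}  # issuer could not or does not check AVS
CVV_MATCH = "M"
CVV_NO_MATCH = "N"
CVV_NOT_CHECKED = {"P", "S", "U"}            # not processed / not present / issuer unable
HIGH_VALUE = 250.0                           # assumed review cut-off for partial results


@dataclass
class AuthResponse:
    approved: bool   # issuers usually approve and just report the AVS/CVV outcome
    avs: str
    cvv: str
    amount: float


def decide_capture(auth):
    """Return the merchant's next step for an authorization it has received."""
    if not auth.approved:
        return "declined_by_issuer"
    if auth.cvv == CVV_NO_MATCH:
        # A number harvested by a skimmer or from a breach often comes without
        # the CVV, so a wrong CVV is a strong signal: release the hold.
        return "void_cvv_mismatch"
    if auth.avs in AVS_NO_MATCH:
        return "void_avs_mismatch"
    if auth.avs in AVS_FULL_MATCH and auth.cvv == CVV_MATCH:
        return "capture"
    if auth.avs in AVS_PARTIAL | AVS_UNAVAILABLE or auth.cvv in CVV_NOT_CHECKED:
        # Partial or unverifiable result: accept small tickets, review large ones.
        return "review" if auth.amount >= HIGH_VALUE else "capture"
    return "review"   # unrecognised code: fail toward a human, not toward capture


# Sensitive authentication data that PCI DSS Requirement 3 forbids storing
# after authorization: the CVV, full magnetic-stripe track data and PIN data.
SENSITIVE_AUTH_DATA = {"cvv", "track1", "track2", "pin", "pin_block"}


def record_for_storage(auth_request):
    """Copy of the authorization request that is safe to persist or log."""
    return {k: v for k, v in auth_request.items() if k not in SENSITIVE_AUTH_DATA}


# Constructed sample responses covering each branch of the policy.
SAMPLE_RESPONSES = [
    AuthResponse(True, "Y", "M", 80.0),    # capture
    AuthResponse(True, "Y", "N", 80.0),    # void_cvv_mismatch
    AuthResponse(True, "N", "M", 80.0),    # void_avs_mismatch
    AuthResponse(True, "A", "M", 300.0),   # review (partial AVS, high value)
    AuthResponse(True, "A", "M", 100.0),   # capture (partial AVS, small ticket)
    AuthResponse(True, "U", "M", 300.0),   # review (AVS unavailable, high value)
    AuthResponse(False, "Y", "M", 80.0),   # declined_by_issuer
    AuthResponse(True, "Q", "M", 80.0),    # review (unrecognised AVS code)
]


def classify_all(responses=SAMPLE_RESPONSES):
    return [decide_capture(r) for r in responses]
```

Two design points: the policy voids rather than silently captures on a mismatch, because an approved authorization with a failing AVS/CVV is exactly the case where the merchant, not the issuer, carries the chargeback; and `record_for_storage` is applied before anything is written, so the CVV exists only in memory for the duration of the authorization call.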
Balancing the risk
As noted above, there’s a risk of being too heavy handed when it comes to fraud prevention.
There’s the significant issue of false declines, wherein legitimate transactions are declined. A 2019 report by the Aite Group “predicts losses due to false declines will grow to $443 billion by 2021 – dwarfing the losses from fraud itself.” It’s not only the dramatic actual value of the losses that is of concern; the fact that the consumer was declined could very well lead to customer abandonment.
There’s also the issue of sales processes that are overly complicated and slow. According to the Consumer Account Opening 2020 report, First impressions count: optimizing online account creation for the 2020 consumer, 73 percent of consumers are intolerant of poor experiences when opening new online accounts and will switch to other providers if they encounter a sub-optimal process.
The report also discovered that “security is the most significant aspect of account creation.” Consumers want, and need, security but they also want online processes to be reasonably quick and seamless.
Implementing measures that prevent CNP fraud and reduce online chargebacks protects an organization and its customers. Those companies that are able to provide both security and a good experience will be the ones that gain market share, keep their customers happy and make the most of the digital opportunity.