Online payment fraud management — practical steps to deploy effective fraud prevention tools
A famous bank robber was asked, why banks? His answer: “That’s where the money is.” With an IDC estimate suggesting that 60 percent of the world’s GDP will be digitalized by 2022, the money is now online, and payment fraud management is a critical function to prevent losses, protect the organization and ensure operations are smooth, secure and scalable.
One of the most difficult aspects of fighting online fraud is the complexity of interconnected networks and all the moving parts that need consideration and coordination. Every step of the transaction chain is a potential attack vector or a friction point for a seamless customer journey. From front-end interfaces, such as websites and apps, to back-end services, such as eCommerce servers and payment systems, all require effective integration. Add in services such as identity verification, authentication, loyalty programs and transaction monitoring, and the technology stack considerations are immense.
Considering the constantly changing nature of the technology and fraud techniques and the sophistication of eCommerce solutions, properly handling payment fraud can seem like an overwhelming prospect.
Fortunately, managing payment fraud need not be overly complicated, expensive or time consuming if you deploy a multi-layered approach, weaving in systems and capabilities to best match requirements. It’s really about taking a risk-based approach that considers your specific requirements and not the latest hype cycle. Understanding your customers, your payment flows, your security — all smart business strategies in any case — will provide fundamental tools and insight to create a robust risk-mitigation program.
Knowing your customers
Consider regulated industries; they have always been at the forefront of the battle with fraudsters. Thus, they have well-established procedures to identify customers and understand the risk that they pose. These Know Your Customer (KYC) procedures are designed to prevent money laundering but also provide intelligence into the nature of the customer. Is this a real person? Are they who they say they are? Is extra due diligence warranted for that customer?
KYC is best performed at customer onboarding to help ensure that fraudsters are not able to even create an account. It’s important, though, that these procedures not create unnecessary friction in the customer journey; after all, most customers are legitimate, and introducing intrusive or complex steps can lead to abandonment, resulting in revenue loss.
Implementing seamless, effective identity verification solutions is a fundamental first step to managing payment fraud.
Understanding payment flows
However, every single transaction is potentially fraudulent. Systems to monitor, flag and analyze transactions provide ongoing intelligence and add another level of risk mitigation.
Authentication procedures, which provide evidence that customers are who they say they are, connect the transaction to the identity. In the EU, there are legal obligations in place (or on the way) that require Strong Customer Authentication for many transactions. Having threshold limits, or other rules where an authentication requirement kicks in, improves security and helps avoid the biggest losses from fraud.
Two-factor authentication (2FA), such as confirming a text, email, or in-app notification, is an authentication technique that can be deployed in a payment flow. A new standard, 3D Secure 2.0, is backed by the major credit cards, so implementation is not especially difficult.
Other dynamic fraud detection tools, including transaction monitoring, can also provide risk mitigation measures. Ongoing payment monitoring can watch for:
- Spikes in activities
- Exceeding thresholds
- Out of area or unusual cross-border activities
- Changing purchase patterns
- Consumer alerts
- Credit reports
- IP address discrepancies
- Fraudulent patterns
Many of these techniques have analytics at their core. There are numerous data points available in a transaction; modeling and analyzing data though techniques such as payment fraud analytics or behavioral analytics can help uncover unusual transactions or accounts.
Integrating a security mindset
Managing fraud can’t be seen as an add-on, but rather should be seen as a holistic measure that permeates throughout the organization. Security is integral to running a successful digital company, from employee hiring, training and policies to data protection procedures and technologies. After all, any weakness, any security lapse can turn into an advantage for the fraudsters.
Having said that, there are specific solutions that can help manage payment fraud, such as:
Instead of keeping valuable credit card data intact, convert the data to a format that is useless outside of a specific transaction and retailer. The process of tokenization allows retailers to offload securing the card information to a service provider who can process the transaction using the token. If the retailer is later hacked, the hackers won’t gain access to any useful or sensitive data.
The beauty of this technique is that it is compliant with the PCI (Payment Card Industry) and works with existing POS systems; replacing the actual 16-digit credit card number with a 16-digit token (where only the last 4 numbers are accurate) allows processing as usual, driving down compliance costs and strengthening fraud protection.
For major retailers, end-to-end encryption is an option. As PCI standards do not allow the storing of credit card information after a transaction, converting that data via algorithm protects the data while still allowing authorized use. Encryption is expensive, though, so not practical for small and mid-size companies.
Currently, address checks for eCommerce via credit card use the Address Verification System (AVS). AVS checks the numbers of the address on the credit card file to the corresponding numbers provided in the eCommerce transaction. So, for example, AVS checks the zip code and the street number of a billing address and compares those numbers to the zip code and street number of the credit card owner. While Visa, MasterCard and American Express widely support AVS in the USA, Canada and UK, there’s significant work to expand the scope to more countries.
As many consumers are performing eCommerce transactions on the mobile device, using mobile ID data points such as device information, geolocation, usage and billing data can disclose if the transaction is questionable. Similarly, device identification can examine the IP address, browser and operating system on desktop systems to see if the profile matches expectations.
Knowledge is power
It’s important to understand that payment fraud is a dynamic and ever-changing situation. Fraudsters will discover new successful techniques and quickly scale up those types of attacks. New payment systems, methods, channels, providers and integrators will provide new opportunities and solutions, which might affect your whole payment management outlook.
Being aware of fraud techniques and solutions can help you derive a sturdy fraud management strategy. Enabling that smart strategy will depend on deploying a set of payment fraud tools that are adaptable, interoperable and scalable.