As online channels continue their growth, there’s a parallel growth in fraud. A 2022 payments fraud study found that merchants spend an average of 10% of eCommerce revenue managing fraud. Payment fraud management is critical to prevent losses, protect the organization, and ensure operations are smooth, secure and scalable.
One of the most challenging aspects of fighting payment fraud is the complexity of interconnected networks and all the moving parts that need consideration and coordination. Every step of the transaction chain is a potential attack vector or a friction point for a seamless customer journey. All require effective integration from front-end interfaces, such as websites and apps, to back-end services, such as eCommerce servers and payment systems. Adding in services such as identity verification, authentication, loyalty programs and transaction monitoring makes the technology stack considerations immense.
Considering the constantly changing nature of the technology and fraud techniques and the sophistication of eCommerce solutions, properly handling payment fraud can seem like an overwhelming prospect.
Fortunately, managing payment fraud need not be overly complicated, expensive or time-consuming if you deploy a multi-layered approach, weaving in systems and capabilities to best match requirements. It’s about taking a risk-based approach that considers your specific needs and not the latest hype cycle. Understanding your customers, payment flows and security — all smart business strategies in any case — will provide fundamental tools and insight to create a robust risk-mitigation program.
Knowing your customers
Consider regulated industries; they have always been at the forefront of the battle with fraudulent transactions. Thus, they have well-established procedures to identify customers and understand their risks. These Know Your Customer (KYC) procedures are designed to prevent money laundering and provide intelligence into the nature of the customer. Is this a natural person? Are they who they say they are? Is extra due diligence warranted for that customer?
KYC is best performed during customer onboarding to help ensure that fraudsters cannot even create an account. These procedures mustn’t create unnecessary friction in the customer journey; after all, most customers are legitimate, and introducing intrusive or complex steps can lead to abandonment, resulting in revenue loss.
Implementing seamless, effective identity verification solutions is a fundamental first step to managing payment fraud.
Understanding payment flows
However, every single transaction is potentially fraudulent. Systems to monitor, flag and analyze transactions provide ongoing intelligence and add another level of risk mitigation.
The increasing speed of payments calls for ingesting and analyzing payment information at ever-faster rates. Innovations, such as real-time payments, will require more solutions that push the technology envelope.
Authentication procedures, which prove that customers are who they say they are, connect the transaction to the identity. In the EU, legal obligations require Strong Customer Authentication for many transactions. Having threshold limits, or other rules where an authentication requirement kicks in, improves security and helps avoid the most significant losses from fraud.
Two-factor authentication (2FA), such as confirming a text, email or in-app notification, is an authentication technique that can be deployed in a payment flow. A new standard, 3D Secure 2.0, is backed by major credit cards, so implementation is not especially difficult.
Other dynamic fraud detection tools, including transaction monitoring, can also provide risk mitigation measures. Ongoing payment monitoring can watch for:
- Spikes in activities
- Exceeding thresholds
- Out-of-area or unusual cross-border activities
- Changing purchase patterns
- Consumer alerts
- Credit reports
- IP address discrepancies
- Fraudulent patterns
Many of these techniques have analytics at their core. Numerous data points are available in a transaction; modeling and analyzing data through payment fraud analytics or behavioral analytics can help uncover unusual or high-risk transactions or accounts.
Integrating a security mindset
Managing fraud should not be seen as an add-on, but rather as a holistic measure that permeates throughout the organization. Security is integral to running a successful digital company, from employee hiring, training, and policies to data protection procedures and technologies. After all, any weakness or security lapse can become an advantage for the fraudsters.
There are specific solutions that can help fraud teams, such as:
Instead of keeping valuable credit card data intact, convert the data to a format that is useless outside of a specific transaction and retailer. The tokenization process allows retailers to offload securing the card information to a service provider who can process the transaction using the token. If the retailer is later hacked, the hackers won’t gain access to any useful or sensitive data.
The beauty of this technique is that it is compliant with the PCI (Payment Card Industry) and works with existing POS systems; replacing the actual 16-digit credit card number with a 16-digit token (where only the last 4 numbers are accurate) allows processing as usual, driving down compliance costs and strengthening fraud protection.
For major retailers, end-to-end encryption is an option. As PCI standards do not allow storing credit card information after a transaction, converting that data via algorithm protects the data while still allowing authorized use. Encryption is expensive, though, so not practical for small and mid-size companies.
Currently, address checks for eCommerce via credit card use the Address Verification System (AVS). AVS checks the numbers of the address on the credit card file to the corresponding numbers provided in the eCommerce transaction. So, for example, AVS checks the zip code and the street number of a billing address and compares those numbers to the zip code and street number of the credit card owner. While Visa, MasterCard and American Express widely support AVS in the U.S., Canada and UK, there’s significant work to expand the scope to more countries.
As many consumers perform eCommerce transactions on the mobile device, using mobile ID data points such as device information, geolocation, usage and billing data can disclose if the transaction is questionable. Similarly, device identification can examine the IP address, browser and operating system on desktop systems to see if the profile matches expectations.
Knowledge is power
It’s important to understand that payment fraud is dynamic and ever-changing. Fraudsters will discover new successful techniques and quickly scale up those types of attacks. New payment processing systems, methods, channels, providers and integrators will provide new opportunities and solutions, which might affect your whole payment management outlook.
Having a holistic view of the customer and their transactions provides context for real-time risk scoring decisions. But that requires having a complete set of data and analysis tools to guide your payment workflows. Your payment stack needs to effectively collect and integrate information from multiple systems without getting overwhelmed.
The goal is to maximize consideration of customer journey touchpoints. Innovations in cloud-based systems, AI analysis, machine learning and automated workflows enable an opportunity to better optimize risk controls for the scenario. As Stephen Lazenby of INETCO states, “It is possible to base fraud detection on complete, unaltered, end-to-end network data regardless of where a merchant, issuer, acquirer or processor sits in transaction.”
All these payment fraud detection and prevention measures should not come at the expense of the customer experience. Slow payment processes can seed doubt and frustration for both end customers and merchants. False positives, where a good customer gets rejected unnecessarily, can lead to even worse results; one study noted “retailers stand to lose up to 75 times more revenue to false declines than they do to fraud.”
Being aware of fraud techniques and solutions can help you derive a sturdy fraud management strategy. Enabling that smart strategy will depend on deploying a set of adaptable, interoperable and scalable payment fraud tools.
This post was originally published on February 18, 2020, and updated to reflect the latest industry news, trends and insights.