The eCommerce environment can be a dangerous place for merchants. Unfortunately, it doesn’t seem likely to get better any time soon.
Fraudsters shifted their attention onto card-not-present transactions following the EMV liability shift back in late 2015, viewing it as a the “path of least resistance,” and online merchants immediately began feeling the impact. According to the 2016 LexisNexis True Cost of Fraud study, the average merchant lost 1.47% of their total revenue as a result of fraud over the previous 12 months. That’s compared to 0.68% in 2014—a 116% increase in just two years’ time.
What Tools Do I Need?
Merchants can’t afford to go on without at least basic fraud protection; however, identifying the necessary tools and strategies tends to be a major roadblock.
The key to choosing which fraud prevention tools a merchant will need varies somewhat depending on the industry in which they operate. For example, some industries including online gaming, auctions, electronics and digital goods are considered “high risk,” meaning those products are known as common targets for fraudsters. At the same time, some tools may be more effective in one vertical than another.
Regardless of the organization’s specifics, there are a few key antifraud technologies which should be more or less universally helpful:
1. Card Security Code
Each payment card comes with a card security code—typically a three-digit sequence stamped on the card’s back next to the signature (American Express is a notable exception, using a four-digit code on the card face). The code is also commonly known as either a card verification value (CVV) or a card validation code (CVC).
Card security code verification should not be considered foolproof, nor conclusive. CVVs can still produce false positive results, and a valid entry does not necessarily mean that the person making the purchase is authorized by the cardholder to use that card.
Despite the technology’s shortcomings, it’s still worthwhile to utilize CVV verification. A valid CVV at least reassures the merchant that the person making a purchase is probably in physical possession of the card. Think of it as a “first line of defense”—something which is most effective in conjunction with other tools.
2. Address Verification / Geolocation
Address Verification Service (AVS) is a process initiated by the cardholder’s issuing bank during the checkout process.
AVS verifies the billing information submitted by the customer against the address on-file with the bank. If the two are not similar, the issuer will flag the transaction as potentially fraudulent; however, that result will not have any bearing on whether the issuer authorizes the transaction. The merchant is left to review the order and use their best judgement. Given the relatively low cost of AVS (usually just a few cents per transaction), it’s a wise idea to utilize this tool.
A similar technique is geolocation, which cross-references the customer’s billing and shipping information against the IP address from which the order was received. To demonstrate, let’s assume that a merchant receives an order with a shipping address in Eastern Europe, but the billing address is in the US and the order was placed using an IP address located in Southeast Asia. Geolocation would identify this sale as needing additional review.
Any time a transaction is flagged by AVS or geolocation, that transaction can be manually reviewed.
3. Fraud Filters
A fraud filter is an automated tool designed to screen each individual transaction based on a set of predefined characteristics commonly associated with fraud. A very versatile tool, the merchant defines the rules, thereby allowing for strict or lax critique.
Of course, this also leads to problems—if merchants set their logic too strictly, they will lose valid sales due to false positives. At the same time, setting their rule threshold too low will allow fraudulent transactions to slip through.
Merchants may need professional assistance defining their fraud logic, though this help will eventually pay-off with the benefits of more efficient and effective fraud scoring. PayCertify and Kount are two examples of providers of such services.
4. Customer Identification
In contrast to other technologies like CVV and AVS that verify the card and address, respectively, customer identification refers broadly to practices and technologies aimed at identifying individual customers. One such example is 3-D Secure, a protocol designed to function essentially as a “card-not-present PIN code.”
This program is available through different card networks under various names including Verified by Visa, Mastercard SecureCode and American Express SafeKey. Customers who enroll in a 3-D Secure program are asked by their bank to designate an online security code. From then on, the customer will be prompted to enter their code any time they check out with a merchant who utilizes 3-D Secure.
However, while 3-D Secure offers significantly greater online security, it also has a downside: checkout friction. Given that roughly three out of four customers abandon their order without making a purchase as is, many merchants are hesitant to add extra friction to the process.
Fortunately, there are alternative methods of online customer identification. As Gary Cardone explains, it is possible to manage risk without sacrificing revenue or increasing friction for the user. This gives merchants the power to conduct business with greater confidence that their customer is who they claim to be.
5. Delivery Confirmation
This may seem a little simplistic, but few tools are as effective at identifying friendly fraud as delivery confirmation. With friendly fraud representing up to 86% of chargebacks, that could mean billions in revenue recovered each year overall.
If a customer were to place an order, receive the item, then file for a chargeback claiming that the goods never arrived, delivery confirmation would be a useful tool to challenge that claim.
As a supplementary method to add additional security, most experts suggest merchants ask for signature confirmation upon delivery of high-ticket items. Merchants should notify customers during checkout that any orders above a certain price threshold—maybe more than $200, or whatever makes sense for the individual business—will be subject to signature confirmation. This kind of full disclosure gives customers better awareness of their order status, and ensures that the customer will not receive their goods without providing positive identification.
“How Does This Tool Fit into My Strategy?”
To fit into a proactive fraud prevention strategy, a tool must be completely adaptable and dynamic. Before merchants consider adopting a new technology, they need to ask themselves the following:
- Does this tool allow you to create manual rules? Can you dial-in the parameters to address your business’s specific needs?
- How many data points can it identify and monitor? The more data points it can identify, the more capable it is of adapting uniquely to your business.
- Does it generate useful KPIs? Tracking key performance indicators (KPIs) is essential to ensure that you get the most out of each element of your strategy.
Of course, there is no “one-size-fits-all” answer to fraud detection and prevention. Merchants need to carefully examine their needs and vulnerabilities, and keep up-to-date with new and developing fraud trends.
In the end, deploying antifraud tools in an effective manner can mean the difference between profitability and disaster.