While the world of e-commerce has plenty to offer, one of the biggest disadvantages of doing business online is having to deal with credit card fraud. It's a drain on every merchant's revenue and trying to prevent it is a never-ending battle. Cardholders are generally well-insulated from the costs of fraud, especially in the US.
All they have to do is tell their bank that a purchase wasn't authorized and—unless there's clear evidence that they're lying—the charge will be reversed at no cost to them. Unfortunately, the cost of credit card fraud has to go somewhere, and in most cases, it's the merchant that ends up paying for it.
In order to limit the amount of revenue they lose to fraud, it's important for all merchants to have effective fraud detection measures in place. This usually means employing a combination of different tools, from common checks on cardholder information to advanced risk scoring algorithms. Let's take a look at some of the best practices and tools for detecting credit card fraud online.
Payment cards are easy to use because only a few simple numbers need to be transmitted to the bank in order to identify the account and authorize the transaction. This simplicity makes them vulnerable as well. It’s very hard to practice rigorous data security on simple information that must be shared with the parties you’re transacting with.
In the card-present space, EMV chips have gone a long way towards reducing in-person fraud. These chips tokenize account numbers, making them less vulnerable to data theft, and cannot be counterfeited as easily as magnetic stripe cards.
In the card-not-present transaction environment of e-commerce, there is no technological solution equivalent to the EMV chip in terms of widespread use and effectiveness. There are some possible solutions, most notably Click to Pay, but unlike EMV chips, these require action on the customer's part to sign up for the service. That means there's a significant barrier to adoption that wasn't the case with EMV chips.
For now, at least, merchants have no choice but to make use of a wide variety of tools, methods, and operational practices if they want to stay ahead of the fraudsters.
Credit card fraud cost banks and merchants more than more than $33 billion per year according to The Nilson Report, and the numbers keep going up. That’s why it’s so important to have tools and practices in place to detect fraud before it takes place.
Tools for detecting credit card fraud include the Address Verification Service (AVS), Card Verification Value (CVV) checks, 3-D Secure, and risk scoring software.
AVS and CVV checks require purchasers to enter the correct billing address and CVV number associated with the payment card in order to complete a transaction. This prevents low-effort fraud using card numbers gained from data breaches.
CVV information is prohibited from being stored by merchants, ensuring that fraudsters who hack into a database of customer information won't be able to easily bypass this simple fraud detection measure.
Unfortunately, phishing has become an increasingly popular way for fraudsters to steal credit card information, since a successful attempt will give them the complete payment credentials.
Beyond that, third-party fraud detection tools can bolster your defenses by using artificial intelligence and machine learning to identify fraud. Merchants can also adopt solutions like 3-D Secure, which authenticates the transaction with the cardholder's bank, adding an additional authentication step if the transaction seems suspicious.
Risk scoring is one of the most common fraud detection methods offered by third-party tools. With rules-based risk scoring, the merchant sets up rules based on known indicators of fraudulent transactions, each of which assigns a positive or negative score to a transaction attempt. Based on the total score, the transaction can be accepted, rejected, or marked for manual review.
Other risk scoring tools use machine learning to analyze past transaction data and come up with a complex system of rules. The algorithm attempts to determine what rules will result in the greatest level of fraud detection with the fewest false positives, resulting in a more complicated and effective system than anything a human could come up with.
These tools are effective, but they're also expensive, often taking a portion of every transaction approved. Merchants should conduct a cost-benefit analysis before adopting them across all transactions.
Another potential issue is that the risk-tolerance of these tools can sometimes be turned up or down based on the needs of the provider, not the merchant. A provider looking to quickly increase revenue may turn down the sensitivity a notch to allow more approved transactions they can take a cut from.
Velocity checking looks for multiple transactions with one or more pieces of shared information in a short period of time. While it's not uncommon for a customer to forget something and make a second order soon after the first, three or four orders in sequence from the same IP address are often an indicator of fraud.
Friendly fraud is often the hardest type of payment fraud for merchants to detect because the initial transaction isn't fraudulent. Instead, the legitimate cardholder makes the purchase and then falsely disputes the charge later.
Friendly fraud can occur for many reasons. A cardholder may not recognize a billing descriptor, forget about a purchase, misunderstand a return policy, or dispute a transaction instead of contacting the merchant. In other cases, the cardholder may knowingly attempt to recover the payment while keeping the product or service.
Some disputes filed under reason codes indicating an unauthorized or fraudulent transaction are friendly fraud in disguise. The issuer classifies the case based on the cardholder’s claim that they did not authorize the purchase, and it's up to the merchant to prove that the cardholder's claim is false.
That requires reviewing transaction records, customer communications, delivery confirmation, login histories, device data, prior purchase activity, and other evidence that can connect the cardholder to the transaction.
Many merchants partner with a chargeback management company to handle this process. These providers use specialized technology and expertise to analyze disputes, identify cases that appear to involve friendly fraud, assemble the evidence required by the card network, and submit representment packages within the applicable deadlines.
They can also track recurring dispute patterns and help merchants improve policies, billing descriptors, customer communications, and evidence collection practices. Fraud detection tools remain an important first line of defense, but chargeback management is often necessary to recover revenue lost to friendly fraud.
With the right tools and experience, chances are better that you’ll be able to catch the subtle signs of fraudsters in the act and block them from doing business with you. It’s no easy task, but it’s one that every merchant has to take on if they want to protect their customers and revenue from bad actors.